CVE-2026-45257
Analyzed Analyzed - Analysis Complete

File-backed Memory Corruption in FreeBSD Kernel

Vulnerability report for CVE-2026-45257, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-26

Last updated on: 2026-06-27

Assigner: FreeBSD

Description

The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data. An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-26
Last Modified
2026-06-27
Generated
2026-07-16
AI Q&A
2026-06-26
EPSS Evaluated
2026-07-15
NVD
EUVD

Affected Vendors & Products

Showing 33 associated CPEs
Vendor Product Version / Range
freebsd freebsd 15.0
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 15.0
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 15.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-123 Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-45257 is a vulnerability in FreeBSD's Kernel TLS (KTLS) receive path. The vulnerability arises because the KTLS receive path decrypts each record in place, assuming the data buffers (mbufs) holding received data are anonymous and safe to modify. However, when data is sent using sendfile(2), it can reference file-backed memory directly. This means that decrypting in place can overwrite the backing file's page cache instead of a private copy.

An unprivileged local user who can read a file can exploit this by sending the file over a loopback connection with KTLS receive enabled. This causes the file-backed memory to be overwritten with attacker-controlled data, bypassing file protections and flags. By overwriting critical files such as setuid binaries, the attacker can escalate privileges and potentially gain full control of the system.

Detection Guidance

Detection of this vulnerability involves checking if KTLS receive is enabled on your system, as the vulnerability arises when KTLS receive is active on loopback connections.

You can verify if KTLS receive is enabled by checking the sysctl setting:

  • sysctl kern.ipc.tls.enable

If the output is 1, KTLS is enabled, which means the system is potentially vulnerable if other conditions apply.

Additionally, monitoring for unusual local loopback TCP socket activity with KTLS enabled or attempts to send files over loopback connections with KTLS receive enabled could indicate exploitation attempts.

However, no specific detection commands or tools are provided in the available resources.

Impact Analysis

This vulnerability allows an unprivileged local user to overwrite arbitrary files they can read by exploiting the KTLS receive path. The overwrite bypasses file flags and permissions, including immutable flags like schg, and writes directly to the page cache which is then persisted to disk.

  • Local privilege escalation by modifying setuid binaries or other trusted files.
  • Potential full system compromise by gaining root access.
  • Persistent on-disk corruption of files, including critical system binaries.
  • Bypassing of file permissions, mount options, and immutable flags.
  • Risk to multi-tenant environments such as FreeBSD jails or hosting services.
Compliance Impact

This vulnerability allows an unprivileged local user to overwrite arbitrary files, including sensitive or trusted files such as setuid binaries, by exploiting the KTLS receive path in FreeBSD. Such unauthorized modification of files can lead to privilege escalation and full system compromise.

From a compliance perspective, this vulnerability poses significant risks to standards and regulations like GDPR and HIPAA, which require protection of data integrity, confidentiality, and system security. The ability to overwrite files and escalate privileges undermines these requirements by potentially exposing sensitive data and allowing unauthorized access or modification.

Organizations relying on affected FreeBSD systems must address this vulnerability promptly to maintain compliance, as exploitation could lead to data breaches, unauthorized data alteration, and failure to safeguard protected information.

Mitigation Strategies

The immediate mitigation step is to disable KTLS receive functionality to prevent exploitation.

  • Run the command: sysctl kern.ipc.tls.enable=0

This disables KTLS receive and stops the vulnerability from being exploitable until a proper patch can be applied.

For a permanent fix, upgrade to a patched version of FreeBSD or apply the source code patch provided in the FreeBSD-SA-26:26.ktls advisory, then reboot the system.

Following the advisory's instructions for updating via pkg, freebsd-update, or manual patching is recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45257. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart