CVE-2026-45257
Status: Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: FreeBSD

Description
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data. An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.
Meta Information
Published: 2026-06-26
Last Modified: 2026-06-26
Generated: 2026-06-26
AI Q&A: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products (7 associated CPEs)

  Vendor        Product       Version / Range
  freebsd       freebsd       From 13.0 (inc) to 13.4 (inc)
  freebsd       freebsd       From 14.0 (inc) to 14.2 (inc)
  freebsd       freebsd       14.3
  freebsd       freebsd       14.4
  freebsd       freebsd       15.0
  freebsd       freebsd       15.1
  midnightbsd   midnightbsd   4.0
CWE

  CWE ID    Description
  CWE-123   Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
Compliance Impact

This vulnerability allows an unprivileged local user to overwrite arbitrary files, including sensitive or trusted files such as setuid binaries, by exploiting the KTLS receive path in FreeBSD. Such unauthorized modification of files can lead to privilege escalation and full system compromise.

From a compliance perspective, this vulnerability poses significant risks to compliance with standards and regulations such as GDPR and HIPAA, which require protection of data integrity, confidentiality, and system security. The ability to overwrite files and escalate privileges undermines these requirements by potentially exposing sensitive data and allowing unauthorized access or modification.

Organizations relying on affected FreeBSD systems must address this vulnerability promptly to maintain compliance, as exploitation could lead to data breaches, unauthorized data alteration, and failure to safeguard protected information.

Executive Summary

CVE-2026-45257 is a vulnerability in FreeBSD's Kernel TLS (KTLS) receive path. The vulnerability arises because the KTLS receive path decrypts each record in place, assuming the data buffers (mbufs) holding received data are anonymous and safe to modify. However, when data is sent using sendfile(2), it can reference file-backed memory directly. This means that decrypting in place can overwrite the backing file's page cache instead of a private copy.

An unprivileged local user who can read a file can exploit this by sending the file over a loopback connection with KTLS receive enabled. This causes the file-backed memory to be overwritten with attacker-controlled data, bypassing file protections and flags. By overwriting critical files such as setuid binaries, the attacker can escalate privileges and potentially gain full control of the system.

Impact Analysis

This vulnerability allows an unprivileged local user to overwrite any file they can read by exploiting the KTLS receive path. The overwrite bypasses file flags and permissions, including immutable flags such as schg, because it writes directly to the page cache, which is then written back to disk.

  • Local privilege escalation by modifying setuid binaries or other trusted files.
  • Potential full system compromise by gaining root access.
  • Persistent on-disk corruption of files, including critical system binaries.
  • Bypassing of file permissions, mount options, and immutable flags.
  • Risk to multi-tenant environments such as FreeBSD jails or hosting services.
Detection Guidance

Detecting exposure to this vulnerability starts with checking whether KTLS is enabled on your system, since the vulnerability is only reachable when KTLS receive is active on a loopback connection.

You can verify if KTLS receive is enabled by checking the sysctl setting:

  • sysctl kern.ipc.tls.enable

If the output is 1, KTLS is enabled, which means the system is potentially vulnerable if other conditions apply.

Additionally, monitoring for unusual local loopback TCP socket activity with KTLS enabled or attempts to send files over loopback connections with KTLS receive enabled could indicate exploitation attempts.

However, no specific detection commands or tools are provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to disable KTLS receive functionality to prevent exploitation.

  • Run the command: sysctl kern.ipc.tls.enable=0

This disables KTLS receive and stops the vulnerability from being exploitable until a proper patch can be applied.

For a permanent fix, upgrade to a patched version of FreeBSD or apply the source code patch provided in the FreeBSD-SA-26:26.ktls advisory, then reboot the system.

Following the advisory's instructions for updating via pkg, freebsd-update, or manual patching is recommended.
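The detection and mitigation guidance above reduces to two facts a defender can gather on each host: whether the running release falls in one of the affected ranges listed on this page, and whether KTLS is enabled. The following POSIX sh helper is an added example for this page, not code from BaseFortify or from the FreeBSD advisory. It takes the two values as parameters so it can be exercised offline; on a live host they would come from freebsd-version -k and sysctl -n kern.ipc.tls.enable. The affected ranges are taken from the CPE table on this page (13.0 to 13.4, 14.0 to 14.4, 15.0 to 15.1); because the page does not state the patch level that fixes the issue, an "exposed" result means "release in an affected range with KTLS enabled" and must be confirmed against FreeBSD-SA-26:26.ktls rather than read as proof that the host is unpatched.

```shell
#!/bin/sh
# Triage helper for CVE-2026-45257 (added example; not from the page or FreeBSD).
#
# is_affected_release RELEASE
#   Returns 0 when MAJOR.MINOR of RELEASE falls inside one of the ranges listed
#   in the page's CPE table, 1 otherwise. Accepts full freebsd-version strings
#   such as "14.3-RELEASE-p2" and keeps only the numeric "14.3" part.
#   Assumption: the page lists 13.0-13.4, 14.0-14.4 and 15.0-15.1; nothing else
#   is treated as affected here.
is_affected_release() {
    rel=${1%%-*}            # "14.3-RELEASE-p2" -> "14.3"
    major=${rel%%.*}        # "14.3" -> "14"
    minor=${rel#*.}         # "14.3" -> "3"
    minor=${minor%%.*}      # guard against a third component, e.g. "14.3.1"
    case "$major" in
        13) [ "$minor" -le 4 ] ;;
        14) [ "$minor" -le 4 ] ;;
        15) [ "$minor" -le 1 ] ;;
        *)  return 1 ;;
    esac
}

# ktls_exposure RELEASE TLS_ENABLE
#   Prints one of:
#     not_affected  release is outside the ranges on the page
#     mitigated     release is in range but kern.ipc.tls.enable is 0
#     exposed       release is in range and KTLS is enabled; confirm the
#                   FreeBSD-SA-26:26.ktls patch level on this host
ktls_exposure() {
    if ! is_affected_release "$1"; then
        echo not_affected
    elif [ "$2" = "0" ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# On a FreeBSD host, the live call would be:
#   ktls_exposure "$(freebsd-version -k)" "$(sysctl -n kern.ipc.tls.enable)"
```

The version check deliberately stops at MAJOR.MINOR: the page's table is expressed at that granularity, and guessing a fixed patch level that the page does not give would produce false "not affected" results on hosts that are merely running a newer minor release than the table anticipated.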
