CVE-2026-49413
Received Received - Intake

Linuxulator LD_PRELOAD Privilege Escalation in FreeBSD

Publication date: 2026-06-27

Last updated on: 2026-06-27

Assigner: FreeBSD

Description
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-27
Last Modified
2026-06-27
Generated
2026-06-27
AI Q&A
2026-06-27
EPSS Evaluated
N/A
NVD
CVE-2026-49413
EUVD
EUVD-2026-39965

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
freebsd freebsd From 2026-06-09 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Linuxulator, a FreeBSD kernel module that runs unmodified Linux binaries. It incorrectly handles set-user-ID (setuid) and set-group-ID (setgid) Linux binaries during execution. Specifically, the Linuxulator checks the P_SUGID process flag too early during the execve(2) system call, before the flag is set, causing the AT_SECURE flag to be incorrectly set to zero.

Normally, the AT_SECURE flag prevents features like LD_PRELOAD from being used with setuid or setgid binaries to avoid privilege escalation. Because AT_SECURE is incorrectly set to zero, an unprivileged local user can inject a shared library via LD_PRELOAD into these privileged binaries, gaining their elevated privileges.

Impact Analysis

This vulnerability allows an unprivileged local user to escalate their privileges by injecting a shared library into set-user-ID or set-group-ID Linux binaries via LD_PRELOAD. As a result, the attacker can gain the elevated privileges of those binaries, potentially leading to unauthorized access or control over the system.

Detection Guidance

This vulnerability affects FreeBSD systems running the Linuxulator kernel modules (linux.ko or linux64.ko) and executing set-user-ID or set-group-ID Linux binaries.

To detect if your system is vulnerable, you can check if the Linuxulator modules are loaded and if there are any setuid or setgid Linux binaries present.

  • Check if the Linuxulator modules are loaded: run `kldstat | grep linux`
  • Find set-user-ID or set-group-ID Linux binaries: run `find /compat/linux -perm /6000 -type f` (assuming Linux binaries are under /compat/linux)
  • Verify if your system is running vulnerable FreeBSD versions by checking the FreeBSD version: `freebsd-version`
Mitigation Strategies

There is no workaround for this vulnerability.

Immediate mitigation steps include upgrading your FreeBSD system to the patched stable or release branches dated June 9, 2026 or later.

After upgrading, reboot your system to ensure the patches take effect.

If your system does not load the linux.ko or linux64.ko modules or does not run setuid/setgid Linux executables, it is not affected.

Use the pkg or freebsd-update utilities to perform binary updates.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart