CVE-2026-49416
Received - Intake

Heap Out-of-Bounds Write in FreeBSD vt(4) Device

Publication date: 2026-06-27

Last updated on: 2026-06-27

Assigner: FreeBSD

Description

The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation. An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges.
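The size-calculation failure described above, as an added C example; it is not FreeBSD's code and not part of the original record. The 32-bit `lines * cols * CELL_SIZE` layout, the function names and the `HIST_MAX_LINES` limit are assumptions chosen to show how a wrapped product yields an undersized allocation and how a bounds check plus checked multiplication rejects the request.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed model, not the FreeBSD source: a history buffer of `lines` rows,
 * `cols` cells per row, CELL_SIZE bytes per cell. */
#define CELL_SIZE 4u
#define HIST_MAX_LINES 10000u /* hypothetical policy limit */

/* Unchecked: the product is computed in 32 bits and silently wraps. */
static uint32_t hist_bytes_unchecked(uint32_t lines, uint32_t cols)
{
    return lines * cols * CELL_SIZE;
}

/* Checked: reject out-of-range requests and any multiplication that wraps.
 * Returns 0 and stores the byte count in *out, or -1 on rejection. */
static int hist_bytes_checked(uint32_t lines, uint32_t cols, size_t *out)
{
    size_t n;

    if (lines == 0 || cols == 0 || lines > HIST_MAX_LINES)
        return -1;
    if (__builtin_mul_overflow((size_t)lines, (size_t)cols, &n) ||
        __builtin_mul_overflow(n, (size_t)CELL_SIZE, &n))
        return -1;
    *out = n;
    return 0;
}

/* Allocate and zero the history buffer only if the size check passes. */
static void *hist_alloc(uint32_t lines, uint32_t cols, size_t *bytes)
{
    if (hist_bytes_checked(lines, cols, bytes) != 0)
        return NULL;
    return calloc(1, *bytes);
}

int main(void)
{
    size_t n = 0;
    void *p = hist_alloc(0x40000001u, 80, &n); /* constructed oversized request */
    printf("unchecked size: %u bytes, checked alloc: %s\n",
           (unsigned)hist_bytes_unchecked(0x40000001u, 80), p ? "granted" : "rejected");
    free(p);
    return 0;
}
```

With the constructed request, the unchecked product wraps to a few hundred bytes while the initialization loop would still cover every requested line; the checked path refuses the request before any allocation happens.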

Meta Information

Published: 2026-06-27
Last Modified: 2026-06-27
Generated: 2026-06-27
AI Q&A: 2026-06-27
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: freebsd
Product: freebsd
Version / Range: From 14.3 (inc) to 15.1 (inc)

Exploitability

CWE ID: CWE-190
Description: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

Impact Analysis

This vulnerability can allow an unprivileged local user to perform an out-of-bounds write in kernel memory, which may lead to privilege escalation. This means an attacker with local access to the system could gain higher privileges than intended, potentially compromising system security and control.

Detection Guidance

There is no specific detection method or commands provided to identify exploitation or presence of this vulnerability on your network or system.

Executive Summary

This vulnerability, identified as CVE-2026-49416, exists in the vt(4) console driver of FreeBSD. It involves an integer overflow in the CONS_HISTORY ioctl handler when an unprivileged local user requests a very large history size. This overflow causes the system to allocate a smaller heap buffer than expected. Subsequent operations then write data beyond the allocated buffer, resulting in an out-of-bounds write in kernel memory.

Because this flaw allows writing beyond allocated memory in the kernel, it can potentially be exploited by an unprivileged local user with access to a vt(4) device to escalate their privileges.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your FreeBSD system to a patched version where the issue has been fixed.

  • Use pkg(8) if you have a base system installation to upgrade.
  • Use freebsd-update(8) for binary distributions.
  • Alternatively, apply the source code patches manually if preferred.

After upgrading or patching, reboot your system to ensure the fixes take effect.

No workaround exists other than upgrading to the corrected versions.
