MNBSD-2026-25: ASLR bypass for setuid executables via procctl(2)

Severity: Unknown

Affected Package: kernel

Summary: ASLR bypass for setuid executables via procctl(2)

Description

The ELF image activator cleared the per-process ASLR preference flags of setuid binaries only after it had already computed the PIE base address, so a preference set by the caller still governed where the setuid image was loaded. An unprivileged user could therefore call procctl(2) with PROC_ASLR_CTL and PROC_ASLR_FORCE_DISABLE before execve(2) to disable ASLR for a setuid PIE binary, easing exploitation of memory-corruption bugs in that binary. Fixed by clearing the credential setid ASLR flags before the load base is chosen. Ports FreeBSD-SA-26:32.elf.

Affected Versions

kernel

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2026-49414

Published: June 11, 2026
Last Modified: June 11, 2026