FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- unlinkat(2) ignores AT_RESOLVE_BENEATH flag

Affected packages
15.1 <= FreeBSD-kernel < 15.1_1
15.0 <= FreeBSD-kernel < 15.0_11
14.4 <= FreeBSD-kernel < 14.4_7
14.3 <= FreeBSD-kernel < 14.3_16

Details

VuXML ID 33fd66d1-74e2-11f1-958d-bc241121aa0a
Discovery 2026-06-30
Entry 2026-07-01

Problem Description:

The kernel function that implements unlinkat(2) and funlinkat(2) validated the AT_RESOLVE_BENEATH flag but failed to pass it through to the underlying path lookup. The flag was silently dropped, so path resolution was not actually restricted.

Impact:

A process that uses AT_RESOLVE_BENEATH with unlinkat(2) or funlinkat(2) to confine path resolution can in fact resolve paths above the starting directory. A caller relying on this flag for path containment may delete files outside the intended directory tree.

References

CVE Name CVE-2026-49421
FreeBSD Advisory SA-26:42.unlinkat