FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Flaw in Linuxulator execution of setugid binaries

Affected packages
15.0 <= FreeBSD-kernel < 15.0_10
14.4 <= FreeBSD-kernel < 14.4_6
14.3 <= FreeBSD-kernel < 14.3_15

Details

VuXML ID fa5289e4-6473-11f1-958d-bc241121aa0a
Discovery 2026-06-09
Entry 2026-06-10

Problem Description:

The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables.

Impact:

An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.

References

CVE Name CVE-2026-49413
FreeBSD Advisory SA-26:30.linux

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.