FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Kernel use-after-free bug in the TIOCNOTTY handler

Affected packages
15.0 <= FreeBSD-kernel < 15.0_6
14.4 <= FreeBSD-kernel < 14.4_2
14.3 <= FreeBSD-kernel < 14.3_11
13.5 <= FreeBSD-kernel < 13.5_12

Details

VuXML ID 971b5528-3def-11f1-bb07-bc241121aa0a
Discovery 2026-04-21
Entry 2026-04-22

Problem Description:

The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.

Impact:

A malicious process can abuse the dangling pointer to grant itself root privileges.

References

CVE Name CVE-2026-5398
FreeBSD Advisory SA-26:10.tty
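
Checking a host against the ranges under "Affected packages" (an added example, not part of the VuXML entry or the FreeBSD advisory). It assumes version strings in the form printed by freebsd-version, such as 14.3-RELEASE-p10, which VuXML writes as 14.3_10. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify a kernel version string against the ranges in
# "Affected packages". Assumed input: a freebsd-version string such as
# "14.3-RELEASE-p10" (VuXML writes the same version as 14.3_10).

# First fixed patch level per release branch, copied from the entry above.
fixed_patchlevel() {
    case "$1" in
        15.0) echo 6 ;;
        14.4) echo 2 ;;
        14.3) echo 11 ;;
        13.5) echo 12 ;;
        *)    return 1 ;;   # branch not listed in this entry
    esac
}

# Prints one of: affected | fixed | unknown
tty_uaf_status() {
    ver=$1
    case "$ver" in
        *-RELEASE-p*) rel=${ver%%-RELEASE-p*}; pl=${ver##*-RELEASE-p} ;;
        *-RELEASE)    rel=${ver%-RELEASE}; pl=0 ;;
        *)            echo unknown; return 0 ;;   # -STABLE, -CURRENT, etc.
    esac
    # Reject a non-numeric patch level instead of mis-comparing it.
    case "$pl" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    fixed=$(fixed_patchlevel "$rel") || { echo unknown; return 0; }
    if [ "$pl" -lt "$fixed" ]; then echo affected; else echo fixed; fi
}

# On a FreeBSD host, report both the installed (-k) and running (-r) kernel.
if command -v freebsd-version >/dev/null 2>&1; then
    for flag in -k -r; do
        v=$(freebsd-version "$flag")
        echo "freebsd-version $flag: $v: $(tty_uaf_status "$v")"
    done
fi
```

A host whose installed kernel reports fixed while the running kernel reports affected has been updated but not rebooted. "unknown" covers branches this entry does not list and non-RELEASE builds, which need to be checked against the advisory itself.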