CVE-2026-45257 in FreeBSD
Summary
by MITRE • 06/26/2026
The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data.
An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system.
Analysis
by VulDB Data Team • 06/26/2026
The vulnerability is a flaw in the FreeBSD Kernel TLS (KTLS) implementation, specifically in the receive path of the kernel's network stack. KTLS decrypts each received record in place, on the assumption that every mbuf holding received data is anonymous memory that the socket owns and may modify freely. That assumption fails for data that reaches the socket through sendfile(2), which can attach file-backed pages to the mbuf chain instead of copying the file's contents.
The flaw is reachable when data is sent with sendfile(2) over a loopback connection without KTLS enabled on the transmit side. Because nothing on the transmit path copies or encrypts the data, the receiver's KTLS decryption code sees mbufs that reference file-backed memory through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. These mbufs point at the file's page cache pages rather than at a private copy. Decrypting such a record in place therefore writes the output into the page cache pages themselves, modifying the file's cached contents without going through the filesystem's write path or the access checks that path enforces.
The practical impact is a local privilege escalation. An unprivileged user with read access to a target file can enable KTLS receive on one end of a loopback connection and send the file over it with sendfile(2) from the other end. The receive-side decryption then rewrites the page cache pages backing the file. Because the modification is made directly to the page cache rather than through a write(2) or mmap(2) path, it is not subject to file flags such as schg (the system immutable flag) or to write permission checks, and the modified pages are eventually written back to disk.
Targeting a setuid binary, a configuration file read by a privileged process, or another trusted file turns this write into code execution with elevated privileges and potentially full control of the system. The entry records the weakness under CWE-787 (Out-of-bounds Write) and CWE-248 (Uncaught Exception); note that the write stays inside the mbuf's own bounds, and the root cause is that the buffer is shared with the page cache rather than private to the socket, so the receive path lacks the check that would force a copy before modifying non-anonymous storage. In ATT&CK terms this is a local privilege escalation through kernel memory corruption reached via ordinary system call interfaces, and it shows how an ownership assumption in kernel buffer management can bypass controls that normally protect critical files from modification.
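The following C model is an added illustration of the mechanism in the three paragraphs above; it is not FreeBSD code and not part of the VulDB entry. It substitutes a `kind` flag for the M_EXTPG anonymity / EXT_SFBUF distinction and a byte-XOR for the record cipher (both assumptions, marked in the comments), and it models the page cache as a single 16-byte page with constructed contents. The vulnerable path decrypts wherever the mbuf points; the hardened path copies non-anonymous data into a socket-private buffer before decrypting, which is one way to remove the aliasing (the actual FreeBSD fix is not described on this page).

```c
#include <stdint.h>
#include <string.h>

/* Toy model of the KTLS receive bug (added illustration, not FreeBSD code).
 * An mbuf-like descriptor whose external storage is either anonymous (private
 * to the socket) or file-backed (aliases a page-cache page). The enum stands
 * in for the real M_EXTPG anonymity / EXT_SFBUF checks. */
enum ext_kind { EXT_ANON = 0, EXT_FILEBACKED = 1 };

struct mbuf_ext {
    uint8_t *data;          /* external storage this mbuf points at */
    size_t len;
    enum ext_kind kind;     /* assumption: ownership flag, see above */
};

/* Stand-in for the TLS record cipher: XOR with a fixed byte (assumption).
 * A real AEAD decrypt also overwrites the buffer in place, which is all
 * that matters for this bug. XOR is its own inverse, so it also "encrypts". */
#define TOY_KEY 0x5a

static void toy_decrypt(uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= TOY_KEY;
}

/* Vulnerable path: decrypts wherever the mbuf points, trusting that the
 * storage is anonymous. Returns the location of the decrypted bytes. */
uint8_t *ktls_recv_decrypt_inplace(struct mbuf_ext *m) {
    toy_decrypt(m->data, m->len);
    return m->data;
}

/* Hardened path: non-anonymous storage is copied into a socket-private
 * buffer (`out`, at least m->len bytes) before decryption, so file-backed
 * pages are never written. Anonymous storage is still decrypted in place.
 * Returns a pointer to the decrypted data, or NULL if `out` is too small. */
uint8_t *ktls_recv_decrypt_safe(struct mbuf_ext *m, uint8_t *out, size_t outlen) {
    if (m->kind != EXT_ANON) {
        if (outlen < m->len)
            return NULL;
        memcpy(out, m->data, m->len);
        toy_decrypt(out, m->len);
        return out;
    }
    toy_decrypt(m->data, m->len);
    return m->data;
}

/* Simulated page cache for one file: constructed sample content. */
#define PAGE_LEN 16
static const uint8_t file_content[PAGE_LEN] = "setuid-binary!!";

/* Scenario from the advisory: the "ciphertext" bytes of a record live in the
 * file's page-cache page (sendfile over loopback, no TX KTLS), and the
 * receiver decrypts them. Returns 1 if the page cache was modified. */
int page_cache_corrupted(int use_safe_path) {
    uint8_t page[PAGE_LEN];
    memcpy(page, file_content, PAGE_LEN);

    struct mbuf_ext m = { page, PAGE_LEN, EXT_FILEBACKED };
    uint8_t priv[PAGE_LEN];

    if (use_safe_path)
        ktls_recv_decrypt_safe(&m, priv, sizeof priv);
    else
        ktls_recv_decrypt_inplace(&m);

    return memcmp(page, file_content, PAGE_LEN) != 0;
}

/* Control case: an anonymous mbuf holding a genuinely encrypted record. The
 * hardened path must still decrypt it in place and recover the plaintext. */
int anon_roundtrip_ok(void) {
    uint8_t buf[PAGE_LEN];
    memcpy(buf, file_content, PAGE_LEN);
    toy_decrypt(buf, PAGE_LEN);                 /* encrypt (XOR is symmetric) */

    struct mbuf_ext m = { buf, PAGE_LEN, EXT_ANON };
    uint8_t *out = ktls_recv_decrypt_safe(&m, NULL, 0);

    return out == buf && memcmp(buf, file_content, PAGE_LEN) == 0;
}
```

The point of `page_cache_corrupted` is that the receiver never needs to "write" the file at all: the decryption routine is handed a buffer that happens to be the file's cached page, and the bytes it leaves behind are whatever the cipher produces for the attacker's key. Any check that forces a copy for non-anonymous storage closes the path without changing the anonymous fast path.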