CVE-2026-49413 in FreeBSD
Summary
by MITRE • 06/27/2026
The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables.
An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Analysis
by VulDB Data Team • 06/27/2026
This vulnerability resides in the Linuxulator, the FreeBSD compatibility layer that executes Linux binaries on FreeBSD systems. The Linuxulator checks the P_SUGID process flag to decide whether a binary is set-user-ID or set-group-ID. During the execve system call, however, the flag has not yet been set at the point where the auxiliary vector is constructed. As a result, AT_SECURE, which should tell the program that it is running with elevated privileges, is set incorrectly.
The flaw is a privilege escalation vulnerability that violates the principle of least privilege and proper access control enforcement. When AT_SECURE is incorrectly set to zero for a set-user-ID binary, the dynamic linker permits LD_PRELOAD injection, bypassing the intended security restrictions. Unprivileged users can therefore inject malicious shared libraries into processes that should operate with elevated privileges. The vulnerability specifically affects binaries that have the set-user-ID or set-group-ID bit set, which are designed to run with the permissions of the file's owner or group rather than those of the executing user.
The operational impact is significant: the flaw allows local privilege escalation from an unprivileged user to the privileges of the set-user-ID binary, potentially giving attackers access to sensitive system resources or root-level privileges. The attack requires local access and involves a malicious shared library that is loaded through the LD_PRELOAD mechanism when the vulnerable binary executes. Any set-user-ID or set-group-ID Linux binary run through the Linuxulator could be compromised this way, including critical utilities such as passwd, su, or other privileged programs that have set-user-ID bits enabled.
The vulnerability maps to CWE-276, which addresses improper privilege management and improper file permissions, and relates to ATT&CK technique T1068, which covers local privilege escalation through the exploitation of system vulnerabilities. The flaw is a critical failure in the security model: the system does not correctly determine, based on privilege level, whether a process must be protected against injection attacks. Mitigation strategies should include immediate patching of FreeBSD systems, disabling LD_PRELOAD functionality for set-user-ID binaries, or implementing additional checks that properly verify the P_SUGID flag before setting AT_SECURE. System administrators should also audit and monitor set-user-ID binaries to identify potentially vulnerable applications, and consider mandatory access controls or privilege separation mechanisms to limit the impact of such vulnerabilities.
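One way to confirm on a test host that AT_SECURE is being set correctly, as an added example that is not part of the advisory or of FreeBSD's code: a small Linux program that compares AT_SECURE from its own auxiliary vector with its real and effective IDs. The names classify, check_self and the verdict values are illustrative, and the code assumes a glibc-style getauxval().

```c
/* Added example: AT_SECURE self-check for a Linux binary (not FreeBSD project code). */
#include <stdio.h>
#include <sys/auxv.h>   /* getauxval(), AT_SECURE */
#include <sys/types.h>
#include <unistd.h>

enum verdict {
    CONSISTENT = 0,        /* AT_SECURE agrees with the process credentials */
    AT_SECURE_MISSING = 1, /* IDs differ but AT_SECURE is 0: the advisory's condition */
    AT_SECURE_EXTRA = 2    /* AT_SECURE set without an ID change (e.g. file capabilities on native Linux) */
};

/* Pure decision logic, separated so it can be tested with constructed values. */
enum verdict classify(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                      unsigned long at_secure)
{
    int elevated = (ruid != euid) || (rgid != egid);

    if (elevated && at_secure == 0)
        return AT_SECURE_MISSING;
    if (!elevated && at_secure != 0)
        return AT_SECURE_EXTRA;
    return CONSISTENT;
}

/* Compare what the kernel wrote into the auxiliary vector with the live IDs. */
enum verdict check_self(void)
{
    return classify(getuid(), geteuid(), getgid(), getegid(),
                    getauxval(AT_SECURE));
}

int main(void)
{
    static const char *const text[] = {
        "consistent",
        "AT_SECURE is 0 although real and effective IDs differ",
        "AT_SECURE is set although real and effective IDs match"
    };
    enum verdict v = check_self();

    printf("uid=%ld euid=%ld gid=%ld egid=%ld AT_SECURE=%lu: %s\n",
           (long)getuid(), (long)geteuid(), (long)getgid(), (long)getegid(),
           getauxval(AT_SECURE), text[v]);
    return v == AT_SECURE_MISSING;  /* non-zero exit flags the advisory's condition */
}
```

Built as a Linux binary, installed set-user-ID to a dedicated test account and run under the Linuxulator, a non-zero exit status indicates that AT_SECURE is still not being set for that binary.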