FreeBSD: Local privilege escalation via execve()
FreeBSD-SA-26:13.exec Security Advisory
Topic: Local privilege escalation via execve()
Category: core
Module: execve(2)
Announced: 2026-04-29
Credits: Ryan of Calif.io
Affects: All supported versions of FreeBSD.
Corrected: 2026-04-29 14:47:46 UTC (stable/15, 15.0-STABLE) … (and subsequent versions)
CVE Name: CVE-2026-7270
I. Background
execve(2) is a system call used to launch an executable image, including scripts prefixed with a path to the interpreter. The system call takes a path to the image as a parameter, followed by extra arguments and environment variables to be passed to the new image.
II. Problem Description
An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers.
III. Impact
The bug may be exploitable by an unprivileged user to obtain superuser privileges.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.
(Note: The original text provides specific instructions for updating via pkg(8), freebsd-update(8), or source code patches. Please refer to the official FreeBSD documentation for your specific installation method.)
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:
| Branch/path | Hash | Revision |
|---|---|---|
| stable/15/ | c3e943e78e06 | stable/15-n283376 |
| releng/15.0/ | 934b48683c4f | releng/15.0-n281028 |
| stable/14/ | ae00a52921ca | stable/14-n274075 |
| releng/14.4/ | 943aa64ba91a | releng/14.4-n273690 |
| releng/14.3/ | f04c40607b8f | releng/14.3-n271491 |
| stable/13/ | d619e3a3c0ec | stable/13-n259858 |
| releng/13.5/ | 7c5c37ac8f8f | releng/13.5-n259214 |
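
The following check is an added example, not part of the advisory or of FreeBSD's own tooling: it compares the running kernel's revision tag with the table above. It assumes the kernel ident printed by `uname -v` contains a tag of the form `branch-nCOUNT-hash`, and that a count at or above the fixed count on the same branch includes the correction; the function name and the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: compare a kernel's git revision tag with the fixed revisions
# listed in "VI. Correction details" of FreeBSD-SA-26:13.exec.

# Fixed revisions copied from the advisory table: "<branch> <commit count>".
FIXED_REVISIONS='stable/15 283376
releng/15.0 281028
stable/14 274075
releng/14.4 273690
releng/14.3 271491
stable/13 259858
releng/13.5 259214'

# check_kernel_ident "<uname -v text>"   (hypothetical helper name)
# Prints patched, vulnerable or unknown; returns 0, 1 or 2 accordingly.
check_kernel_ident() {
    # First token shaped like branch-nCOUNT, e.g. stable/15-n283376-<hash>.
    tag=$(printf '%s\n' "$1" | tr ' ' '\n' |
          grep -E '^(stable|releng)/[0-9.]+-n[0-9]+' | head -n 1)
    if [ -z "$tag" ]; then
        echo unknown; return 2      # custom branch or unexpected ident format
    fi
    branch=${tag%%-n*}              # text before "-n": stable/15
    count=${tag#*-n}                # text after "-n": 283376-<hash>
    count=${count%%[!0-9]*}         # keep leading digits only: 283376
    fixed=$(printf '%s\n' "$FIXED_REVISIONS" |
            awk -v b="$branch" '$1 == b { print $2 }')
    if [ -z "$fixed" ]; then
        echo unknown; return 2      # branch not listed in the advisory
    fi
    if [ "$count" -ge "$fixed" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

# On a live host, after upgrading and rebooting:
#   check_kernel_ident "$(uname -v)"
# Constructed sample ident (not from a real host):
#   check_kernel_ident "FreeBSD 14.3-RELEASE releng/14.3-n271400-0123456789ab GENERIC"
```

Because `uname -v` describes the running kernel, a host that was upgraded but not rebooted still reports the old revision; treat `unknown` as a prompt to verify the build by hand.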
VII. References
The latest revision of this advisory is available at [FreeBSD Security Advisories].