=============================================================================
FreeBSD-SA-26:30.linux Security Advisory
The FreeBSD Project
Topic:          Flaw in Linuxulator execution of setugid binaries
Category:       core
Module:         linux
Announced:      2026-06-09
Credits:        Minseong Kim of NSHC Red Alert Labs
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:33 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:11 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:48 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:50 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:11 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:40 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-49413
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD provides a Linux system call emulation layer through a loadable
kernel module, referred to as the Linuxulator. This allows users to run
unmodified Linux binaries on FreeBSD.
When the kernel executes a set-user-ID or set-group-ID Linux binary, it
passes the AT_SECURE flag in the ELF auxiliary vector to tell the runtime
linker (typically, glibc) to disable dangerous features such as
LD_PRELOAD. glibc's runtime linker relies on this setting and in
particular does not query the kernel to determine whether it is loading a
set-user-ID or set-group-ID executable.
II. Problem Description
The Linuxulator determined whether a binary was set-user-ID or
set-group-ID by checking the P_SUGID process flag. During execve(2), this
flag is not yet set at the point where the auxiliary vector is
constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and
set-group-ID executables.
III. Impact
An unprivileged local user can inject a shared library via LD_PRELOAD into
a set-user-ID or set-group-ID Linux binary, gaining the privileges of that
binary.
IV. Workaround
No workaround is available. Systems that do not have either linux.ko or
linux64.ko loaded, or which do not have any Linux executables with the
set-uid or set-gid bits set, are not affected.
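The two "not affected" conditions above can be checked on a host with the script below. It is an added example, not part of the advisory; the default scan root /compat/linux and the EI_OSABI heuristic used to tell Linux ELF files from native FreeBSD ones are assumptions, and the function names are illustrative.

```sh
#!/bin/sh
# Added example, not part of the advisory: checks the two "not affected"
# conditions from section IV on a FreeBSD host.

# True if linux.ko or linux64.ko is loaded (or compiled into the kernel).
linuxulator_loaded() {
    command -v kldstat >/dev/null 2>&1 || return 1
    kldstat -q -n linux.ko 2>/dev/null || kldstat -q -n linux64.ko 2>/dev/null
}

# True if $1 is an ELF file that is not FreeBSD-branded. Heuristic (assumption):
# native FreeBSD binaries carry EI_OSABI 9; Linux ones carry 0 (SYSV) or 3 (GNU).
is_linux_elf() {
    set -- $(od -An -tx1 -N8 "$1" 2>/dev/null)
    [ "$#" -eq 8 ] && [ "$1$2$3$4" = "7f454c46" ] && [ "$8" != "09" ]
}

# Prints each set-user-ID / set-group-ID regular file under the given roots
# that passes is_linux_elf.
list_setugid_linux_elfs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        while IFS= read -r f; do
            if is_linux_elf "$f"; then printf '%s\n' "$f"; fi
        done
    done
}

# Prints a summary; returns 1 only when both conditions for exposure hold.
exposure_report() {
    hits=$(list_setugid_linux_elfs "$@")
    if linuxulator_loaded; then mod=yes; else mod=no; fi
    printf 'Linuxulator module loaded: %s\n' "$mod"
    printf 'setugid Linux ELF files:\n%s\n' "${hits:-  (none found)}"
    [ "$mod" = yes ] && [ -n "$hits" ] && return 1
    return 0
}

# Default root /compat/linux is an assumption; pass other roots as arguments.
[ "$#" -gt 0 ] || set -- /compat/linux
exposure_report "$@"
```

Run it as root so find can read every directory. Linux binaries installed outside the default root are only found if their directories are passed as arguments.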
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch.asc
# gpg --verify linux.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              3ac9726c4269    stable/15-n283886
releng/15.1/                            a4d36c975be0  releng/15.1-n283555
releng/15.0/                            0b18ec59972b  releng/15.0-n281057
stable/14/                              ff411cc40cd4    stable/14-n274315
releng/14.4/                            3fe092282025  releng/14.4-n273719
releng/14.3/                            0dcf9bba4b9f  releng/14.3-n271519
-------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at