FatGid: FreeBSD 14.x kernel local privilege escalation
4 hours ago
- #FreeBSD
- #privilege escalation
- #kernel vulnerability
- Kernel stack buffer overflow in the setcred(2) system call in FreeBSD 14.x, allowing an unprivileged local user to trigger a kernel panic or escalate privileges.
- Vulnerable versions: FreeBSD 14.4-RELEASE and stable/14. FreeBSD 15.0 is vulnerable to the panic only, due to code differences.
- Root cause: a sizeof(*groups) typo in kern_setcred_copyin_supp_groups() leads to a 60-byte overflow before the privilege checks run.
- Exploits were developed for amd64 kernels, including an SMAP/SMEP-safe variant that requires the zfs.ko module.
- The fix was unintentionally applied in the main branch (commit 000d5b5, 2025) but not backported to stable/14 or releng/14.4.