-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:18.setcred Security Advisory
The FreeBSD Project
Topic: Stack buffer overflow via setcred(2)
Category: core
Module: setcred
Announced: 2026-05-20
Credits: Ryan of Calif.io
Credits: Przemyslaw Frasunek
Affects: All supported versions of FreeBSD.
Corrected: 2026-01-06 13:34:30 UTC (stable/15, 15.0-STABLE)
2026-05-20 19:39:28 UTC (releng/15.0, 15.0-RELEASE-p9)
2026-05-20 19:37:54 UTC (stable/14, 14.4-STABLE)
2026-05-20 19:39:54 UTC (releng/14.4, 14.4-RELEASE-p5)
2026-05-20 19:40:32 UTC (releng/14.3, 14.3-RELEASE-p14)
CVE Name: CVE-2026-45250
This vulnerability was independently reported by multiple parties prior to
publication.
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
System calls are the programmatic interface through which user-space
processes request services from the operating system kernel, providing a
controlled boundary between unprivileged application code and privileged
kernel operations.
setcred(2) is a system call which enables a privileged process to atomically
set its full credential set, including the real, effective, and saved user
and group identifiers, as well as the list of supplementary groups. It is
intended for use by programs such as login(1) and PAM(3)-aware authentication
frameworks that must transition a process into a target user context in a
single, race-free operation, replacing the need for multiple discrete calls
to setuid(2), setgid(2), and setgroups(2).
II. Problem Description
The setcred(2) system call is only available to privileged users. However,
before the privilege level of the caller is checked, the user-supplied list
of supplementary groups is copied into a fixed-size kernel stack buffer
without first validating its length. If the supplied list exceeds the
capacity of that buffer, a stack buffer overflow occurs.
III. Impact
Because the bounds check on the supplementary groups list occurs after the
kernel stack buffer has already been written, an unprivileged local user may
trigger the overflow without holding any special privilege. Successful
exploitation may allow an attacker to execute arbitrary code in the context
of the kernel, allowing an unprivileged local user to gain elevated
privileges on the affected system.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch.asc
# gpg --verify setcred-15.patch.asc
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch.asc
# gpg --verify setcred-14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ b6cba9028457 stable/15-n281743
releng/15.0/ d98c0a494a42 releng/15.0-n281038
stable/14/ 8eb0bbbd2e46 stable/14-n274162
releng/14.4/ 34da5845b8d4 releng/14.4-n273702
releng/14.3/ bfff5c180193 releng/14.3-n271502
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGobFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvSpsP/38o7yHdNEMNMPPOBtKZ
2dn/vmcOo1srkhUx0kl2EVBzirSDsTVkWfUq1Txg5JA7/pG3On/YiaAmUMi9jHqy
q0tgkyO/scKGWNDYmFIA9QAXAwwSUZnT+eEwt3IawOzquezD/qr++CCimntSUzsu
IP3oMFYaw9JvMF6Z6tTfcYYA02CF7nRrtIJtrxfWkgyDoMoikHsNW4o2LXJTz4bV
2uk7BuQKbDc3gxoEBYd0bulXBa9DHsrfS59eEnbb8txrBjt21aQGjBY8SJSoFyYh
yZixmadpZ9J4oTBc03hOO2Z2BN5f/QficGIU4t0wj0A8EcsrspFMDRj2xd/5zi86
VLqiQf6WJbgVyytUe5aYbBPC6eH2TRnMWaOERbocNS6xQKcYpZYqwnVZ77n6tPb4
wKQd+qKYM74lf0BPCBc60h7yo9e6Qd8puGolyL05qdZVB+c3m0qB000gsyNFytFs
kQSovaXFf4r0DCEuBixE/Ic5ADwl7A4pCIxqwWwJlnrj77XCobNEQJtajkrapXsU
MSLQ20RuRiVNesgyjP9dZCk8enuOl96TwrvdkyqvSJgb0Gw3XEeyCWT4dAE+Fh3A
n8RhQeY6YWWk+DOiuw5Q5v2PyoBNoV8jV2AjeXzhIOQsyWGeSYQ2GeFu6PW3UyzQ
olNjUPjprNwteRkUuGHmE3zQ
=6aG+
-----END PGP SIGNATURE-----