FreeBSD security advisory (AV26-415)
Analysis Summary
# Vulnerability: Multiple Critical Flaws in FreeBSD (May 2026 Advisory Batch)
## CVE Details
- **CVE ID:** CVE-2026-35547, CVE-2026-7164, CVE-2026-7270, CVE-2026-42511
- **CVSS Score:** Varies by CVE (High to Critical expected for RCE/LPE)
- **CWE:**
  - CWE-122 (Heap-based Buffer Overflow)
  - CWE-121 (Stack-based Buffer Overflow)
  - CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:** FreeBSD Operating System
- **Versions:** All supported versions (including FreeBSD 13.x and 14.x branches)
- **Configurations:**
  - Systems using `libnv`
  - Systems with `pf` (Packet Filter) enabled and processing SCTP traffic
  - Systems using `dhclient` for network configuration
## Vulnerability Description
This advisory covers four distinct security flaws identified within the FreeBSD base system:
1. **CVE-2026-35547 (libnv Heap Overflow):** A heap-based buffer overflow exists in the `libnv` library, which provides an API for name/value pairs.
2. **CVE-2026-7164 (pf SCTP Stack Overflow):** The `pf` firewall fails to properly validate crafted Stream Control Transmission Protocol (SCTP) packets, leading to a stack overflow during parsing.
3. **CVE-2026-7270 (execve() Privilege Escalation):** A logic flaw or memory corruption issue in the `execve()` system call allows a local user to escalate their privileges to root.
4. **CVE-2026-42511 (dhclient Remote Code Execution):** The DHCP client is vulnerable to RCE when processing malicious DHCP options sent by a rogue DHCP server or an attacker on the local network.
## Exploitation
- **Status:** Not exploited (the advisory does not mention active exploitation)
- **Complexity:** Medium to High (depending on the specific CVE)
- **Attack Vector:**
  - **Network:** CVE-2026-7164 (via SCTP) and CVE-2026-42511 (via DHCP)
  - **Local:** CVE-2026-7270 (privilege escalation)
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
- **Overall Impact:** Full system compromise is possible via both local and remote vectors.
## Remediation
### Patches
FreeBSD has released the following Security Advisories (SAs) containing fix details and binary updates:
- **libnv:** FreeBSD-SA-26:17.libnv
- **pf:** FreeBSD-SA-26:14.pf
- **execve:** FreeBSD-SA-26:13.exec
- **dhclient:** FreeBSD-SA-26:12.dhclient
Users are advised to sync their source tree to the latest `releng` branch and rebuild, or to use `freebsd-update` to apply binary patches. The `pf` and `execve()` fixes live in the kernel, so they take effect only once the patched kernel has been booted; the `libnv` and `dhclient` fixes are userland changes and require restarting the affected processes.
### Workarounds
- **For pf:** Disable SCTP processing or block SCTP traffic at the network perimeter.
- **For dhclient:** Use static IP configurations where possible to avoid the use of the vulnerable DHCP client.
## Detection
- **Indicators of compromise:** Unexpected system crashes (kernel panics) associated with SCTP packet processing, or unexpected process UID transitions to 0 (root).
- **Detection methods and tools:** Audit system logs for `dhclient` anomalies, and monitor for unauthorized use of `execve()` in sensitive contexts with the FreeBSD audit subsystem (e.g., the `ex` audit class and `auditpipe(4)` for live consumption of records).
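As a starting point for the `execve()` monitoring described above, the following is an added example (not from the advisory or from FreeBSD) that scans `execve(2)` records in `praudit -ln` output for executions where the audit user is not root but the effective uid is 0; the record layout, the allowlist of setuid helpers and the sample lines are assumptions and constructed data.

```python
"""Flag execve(2) audit records where the audited user is not root but the
effective uid is 0 (a UID transition to root). Added example, not from the
advisory; assumes the comma-separated layout of `praudit -ln` output."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Setuid helpers that legitimately yield auid != 0 with euid == 0.
# Constructed allowlist; tune it to the host being monitored.
KNOWN_SETUID = {"/usr/local/bin/sudo", "/usr/bin/su", "/usr/bin/passwd"}

@dataclass
class ExecRecord:
    path: Optional[str]  # from the path token, if present
    auid: int  # audit uid survives setuid, so it names the real user
    euid: int  # effective uid at exec time
    pid: int

def parse_record(line: str) -> Optional[ExecRecord]:
    """Parse one praudit -ln line; None for anything but execve(2)."""
    f = line.rstrip("\n").split(",")
    if len(f) < 4 or f[0] != "header" or f[3] != "execve(2)":
        return None
    try:
        # assumed subject token layout: auid,euid,egid,ruid,rgid,pid,sid,tid
        s = f.index("subject")
        auid, euid, pid = int(f[s + 1]), int(f[s + 2]), int(f[s + 6])
    except (ValueError, IndexError):
        return None  # malformed or truncated record
    path = f[f.index("path") + 1] if "path" in f else None
    return ExecRecord(path, auid, euid, pid)

def suspicious_root_execs(lines: Iterable[str]) -> List[ExecRecord]:
    """Execs by a non-root audit user running with euid 0, minus allowlisted
    setuid binaries. Tokens are found by name because exec args containing
    commas shift the field positions."""
    hits: List[ExecRecord] = []
    for line in lines:
        rec = parse_record(line)
        if rec and rec.auid != 0 and rec.euid == 0 and rec.path not in KNOWN_SETUID:
            hits.append(rec)
    return hits

# Constructed sample records (not real audit output): a user shell running ls,
# a legitimate sudo, and a root shell started from audit uid 1001.
SAMPLE = [
    "header,96,11,execve(2),0,Mon May  4 10:00:00 2026, + 10 msec,exec arg,ls,path,/bin/ls,subject,1001,1001,1001,1001,1001,4242,4242,0 0 ttyv0,return,success,0,trailer,96",
    "header,96,11,execve(2),0,Mon May  4 10:00:01 2026, + 10 msec,exec arg,sudo,-i,path,/usr/local/bin/sudo,subject,1001,0,0,1001,1001,4243,4242,0 0 ttyv0,return,success,0,trailer,96",
    "header,96,11,execve(2),0,Mon May  4 10:00:02 2026, + 10 msec,exec arg,sh,path,/bin/sh,subject,1001,0,0,0,0,4244,4242,0 0 ttyv0,return,success,0,trailer,96",
]
```

Feed `suspicious_root_execs()` the lines of `praudit -ln /var/audit/current` (or a reader on `/dev/auditpipe`) once the `ex` class is enabled in `audit_control`; on the constructed sample only the third record (pid 4244, `/bin/sh` run as root by audit uid 1001) is reported.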
## References
- FreeBSD Security Advisories: https://www.freebsd.org/security/advisories/
- CVE-2026-35547: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:17.libnv.asc
- CVE-2026-7164: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:14.pf.asc
- CVE-2026-7270: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:13.exec.asc
- CVE-2026-42511: https://www.freebsd.org/security/advisories/FreeBSD-SA-26:12.dhclient.asc
- Canadian Centre for Cyber Security Advisory: https://www.cyber.gc.ca/en/alerts-advisories/freebsd-security-advisory-av26-415