CVE-2026-5398

Summary

The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.

A malicious process can abuse the dangling pointer to grant itself root privileges.

Affected Software

VendorProductVersion RangeStatus
FreeBSDFreeBSD15.0-RELEASE < p6affected
FreeBSDFreeBSD14.4-RELEASE < p2affected
FreeBSDFreeBSD14.3-RELEASE < p11affected
FreeBSDFreeBSD13.5-RELEASE < p12affected

Weaknesses

  • CWE-416: CWE-416: Use After Free

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References