CVE Alert

CVE-2026-5398

UNKNOWN 0.0

Kernel use-after-free bug in the TIOCNOTTY handler

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A malicious process can abuse the dangling pointer to grant itself root privileges.

CWE: CWE-416
Vendor: freebsd
Product: freebsd
Published: Apr 22, 2026

Affected Versions

FreeBSD / FreeBSD
15.0-RELEASE < p6
14.4-RELEASE < p2
14.3-RELEASE < p11
13.5-RELEASE < p12

References

NVD, CVE.org, EPSS Data
security.freebsd.org: https://security.freebsd.org/advisories/FreeBSD-SA-26:10.tty.asc

Credits

Nicholas Carlini using Claude, Anthropic