CVEFinder.io

CVE-2026-45250

⚠️ high
Description

The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs.

Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.

CVSS Score: 7.8 (High)
EPSS Score: 0.0 (Exploit Probability)
Published Date: 2026-05-21
First Seen: 2026-05-22

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 69.6% of all 328,009 vulnerabilities in our database.

Severity Percentile: #99,625 (Above average severity)

🎯 CISA SSVC Assessment (Updated: May 21, 2026)

Exploitation Status: None (No known exploits)
Automatable: NO (Requires human interaction)
Technical Impact: Total (Complete system compromise possible)
Discovered By: Ryan of Calif.io, Przemyslaw Frasunek
SSVC data provided by CISA

Last Modified: 2026-05-22
Source: NVD
CVSS Vector 3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

🔗 Related CVEs (6)

These CVEs affect the same products.

| CVE ID | Severity | CVSS | EPSS | Summary | Published |
|---|---|---|---|---|---|
| CVE-2026-39461 | high | 8.8 | 0.0 | libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for ... | 2026-05-21 |
| CVE-2026-45251 | high | 7.8 | 0.0 | A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. B... | 2026-05-21 |
| CVE-2026-45252 | medium | 5.5 | 0.1 | When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace ... | 2026-05-21 |
| CVE-2026-45253 | high | 8.4 | 0.0 | ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a... | 2026-05-21 |
| CVE-2026-45254 | medium | 6.5 | 0.0 | In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key ... | 2026-05-21 |
| CVE-2026-45255 | high | 7.5 | 0.0 | When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and u... | 2026-05-21 |