CVE-2026-45256
MediumCVSS 5.5Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
A vulnerability in the thr_kill2(2) function of FreeBSD allows sending a signal to any process without checking permissions. The missing verification of the p_cansignal() result enables an unprivileged user to send signals to processes owned by other users or root, as well as across jail boundaries.
Risk Assessment
An attacker can stop or terminate arbitrary processes, including critical system daemons, leading to a Denial of Service (DoS). Thread IDs are allocated globally and sequentially, making them guessable via brute force.
Recommendation
Apply the security patch provided by the FreeBSD vendor immediately. Until the update is applied, restrict access to the system for untrusted users and monitor for signal sending attempts.
Original NVD description (English source)
When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered. The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target. An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).

