CVE Catalog

CVE-2026-45256

MediumCVSS 5.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.09%

1th percentile — higher than 1% of all known CVEs

Summary

A vulnerability in the thr_kill2(2) function of FreeBSD allows sending a signal to any process without checking permissions. The missing verification of the p_cansignal() result enables an unprivileged user to send signals to processes owned by other users or root, as well as across jail boundaries.

Risk Assessment

An attacker can stop or terminate arbitrary processes, including critical system daemons, leading to a Denial of Service (DoS). Thread IDs are allocated globally and sequentially, making them guessable via brute force.

Recommendation

Apply the security patch provided by the FreeBSD vendor immediately. Until the update is applied, restrict access to the system for untrusted users and monitor for signal sending attempts.

Original NVD description (English source)

When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered. The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target. An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS).

Vulnerability data from NVD (NIST) · CISA KEV · EPSS