CVE-2026-49416
HighCVSS 7.8Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
A vulnerability in the FreeBSD kernel in the CONS_HISTORY ioctl handler allows an unprivileged local user to perform an out-of-bounds write. A large history size causes an integer overflow in buffer size calculation, resulting in a heap allocation smaller than expected and subsequent write beyond the allocation.
Risk Assessment
An attacker can exploit this vulnerability to escalate privileges, potentially gaining unauthorized access to kernel data or taking control of the system.
Recommendation
Immediately update the FreeBSD kernel to a version containing the fix for CVE-2026-49416. Restricting access to vt(4) devices for unprivileged users may reduce the risk.
Original NVD description (English source)
The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation. An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges.

