Vulnerability in Linux Binaries Affects FreeBSD's Linuxulator
CVE-2026-49413

Currently unrated

Key Information:

Vendor: FreeBSD

Status
Vendor
CVE Published: 27 June 2026

What is CVE-2026-49413?

The Linuxulator in FreeBSD contains a vulnerability that allows an unprivileged local user to exploit Linux binaries marked as set-user-ID or set-group-ID. Due to a flaw in the handling of the P_SUGID process flag during the execve() call, the AT_SECURE auxiliary vector entry can be incorrectly set to zero. With AT_SECURE at zero, a shared library can be injected through LD_PRELOAD, enabling the attacker to execute code with the elevated privileges of the compromised binary.
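The following added example (not code from the advisory or from FreeBSD) is a consistency check a Linux binary can run on its own auxiliary vector: if the exec-time IDs show a set-user-ID or set-group-ID credential change, AT_SECURE must be non-zero. The function names, the verdict enum and the sample vectors are assumptions constructed for illustration; the AT_* types and getauxval() are the standard Linux/glibc ones.

```c
#include <stdio.h>
#include <stddef.h>
#include <elf.h>       /* AT_* auxiliary vector types */
#include <sys/auxv.h>  /* getauxval() */

enum verdict { NOT_ELEVATED, SECURE_OK, SECURE_MISSING };

/* Constructed samples: uid 1001 executing a set-user-ID root binary. */
const unsigned long sample_flawed[]  = { AT_UID, 1001, AT_EUID, 0, AT_GID, 1001,
                                         AT_EGID, 1001, AT_SECURE, 0, AT_NULL, 0 };
const unsigned long sample_correct[] = { AT_UID, 1001, AT_EUID, 0, AT_GID, 1001,
                                         AT_EGID, 1001, AT_SECURE, 1, AT_NULL, 0 };
/* Constructed sample: ordinary binary, no credential change at exec. */
const unsigned long sample_plain[]   = { AT_UID, 1001, AT_EUID, 1001, AT_GID, 1001,
                                         AT_EGID, 1001, AT_SECURE, 0, AT_NULL, 0 };

/* Walk (type, value) pairs up to AT_NULL; store the value and return 1 if found. */
static int auxv_get(const unsigned long *auxv, unsigned long type, unsigned long *out)
{
    for (size_t i = 0; auxv[i] != AT_NULL; i += 2)
        if (auxv[i] == type) { *out = auxv[i + 1]; return 1; }
    return 0;
}

/* A uid/gid mismatch recorded at exec time must be accompanied by AT_SECURE != 0.
 * A missing AT_SECURE entry is treated as zero. */
enum verdict auxv_check(const unsigned long *auxv)
{
    unsigned long uid = 0, euid = 0, gid = 0, egid = 0, secure = 0;
    auxv_get(auxv, AT_UID, &uid);   auxv_get(auxv, AT_EUID, &euid);
    auxv_get(auxv, AT_GID, &gid);   auxv_get(auxv, AT_EGID, &egid);
    auxv_get(auxv, AT_SECURE, &secure);
    if (uid == euid && gid == egid)
        return NOT_ELEVATED;
    return secure ? SECURE_OK : SECURE_MISSING;
}

int main(void)
{
    /* Live values for this process, as the kernel supplied them at exec. */
    unsigned long live[] = { AT_UID, getauxval(AT_UID), AT_EUID, getauxval(AT_EUID),
                             AT_GID, getauxval(AT_GID), AT_EGID, getauxval(AT_EGID),
                             AT_SECURE, getauxval(AT_SECURE), AT_NULL, 0 };
    static const char *msg[] = { "no credential change at exec",
                                 "elevated and AT_SECURE set",
                                 "elevated but AT_SECURE is 0: LD_PRELOAD not blocked" };
    enum verdict v = auxv_check(live);
    printf("%s\n", msg[v]);
    return v == SECURE_MISSING;
}
```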

Affected Version(s)

FreeBSD 15.0-RELEASE

FreeBSD 14.4-RELEASE

FreeBSD 14.3-RELEASE

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Minseong Kim of NSHC Red Alert Labs