CVE-2026-45253 PUBLISHED

Missing validation in ptrace(PT_SC_REMOTE)

Assigner: freebsd
Reserved: 11.05.2026 Published: 21.05.2026 Updated: 21.05.2026

ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges.

The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system.

Product Status

Vendor	FreeBSD
Product	FreeBSD
Versions	Default: unknown affected from 15.0-RELEASE to p9 (excl.) affected from 14.4-RELEASE to p5 (excl.) affected from 14.3-RELEASE to p14 (excl.)

Credits

Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai finder
Ryan at Calif.io finder

References

https://security.freebsd.org/advisories/FreeBSD-SA-26:21.ptrace.asc

Problem Types

CWE-787: Out-of-bounds Write CWE