CVE-2026-5398 PUBLISHED

Kernel use-after-free bug in the TIOCNOTTY handler

Assigner: freebsd
Reserved: 02.04.2026 Published: 22.04.2026 Updated: 22.04.2026

The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory.

A malicious process can abuse the dangling pointer to grant itself root privileges.

Product Status

Vendor FreeBSD
Product FreeBSD
Versions Default: unknown
  • affected from 15.0-RELEASE to p6 (excl.)
  • affected from 14.4-RELEASE to p2 (excl.)
  • affected from 14.3-RELEASE to p11 (excl.)
  • affected from 13.5-RELEASE to p12 (excl.)
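A host can be checked against these ranges by comparing the patch level that `freebsd-version` reports with the first fixed level per branch. The script below is an added example, not part of the CVE record or of FreeBSD; the function name `cve_2026_5398_status` is hypothetical, and it assumes "to pN (excl.)" means the branch is fixed from `-RELEASE-pN` onward.

```sh
#!/bin/sh
# Added example: classify a FreeBSD version string against the affected
# ranges listed in this record. Prints one of: affected, fixed, unlisted.
# "unlisted" covers branches the record does not enumerate (status unknown).
cve_2026_5398_status() {
    ver=$1
    # Split "15.0-RELEASE-p5" into branch "15.0" and patch level "5".
    case $ver in
        *-RELEASE)    branch=${ver%-RELEASE}; patch=0 ;;
        *-RELEASE-p*) branch=${ver%%-RELEASE-p*}; patch=${ver##*-RELEASE-p} ;;
        *)            echo unlisted; return 0 ;;
    esac
    # Reject anything that is not a plain decimal patch level.
    case $patch in
        ''|*[!0-9]*) echo unlisted; return 0 ;;
    esac
    # First fixed patch level per branch, taken from the list above.
    case $branch in
        15.0) fixed=6 ;;
        14.4) fixed=2 ;;
        14.3) fixed=11 ;;
        13.5) fixed=12 ;;
        *)    echo unlisted; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed" ]; then
        echo affected
    else
        echo fixed
    fi
}

# On a FreeBSD host, report both the installed (-k) and the running (-r)
# kernel: a patched kernel on disk does not help until the system reboots.
if command -v freebsd-version >/dev/null 2>&1; then
    for v in $(freebsd-version -kr); do
        echo "$v: $(cve_2026_5398_status "$v")"
    done
fi
```
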

Credits

  • Nicholas Carlini using Claude, Anthropic (finder)

Problem Types

  • CWE-416: Use After Free