Vulnerabilities (CVE)

Filtered by vendor Freebsd Subscribe
Filtered by product Freebsd
Total 536 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-1999-1214 5 Bsd, Freebsd, Netbsd and 2 more 5 Bsd, Freebsd, Netbsd and 2 more 2025-04-03 2.1 LOW N/A
The asynchronous I/O facility in 4.4 BSD kernel does not check user credentials when setting the recipient of I/O notification, which allows local users to cause a denial of service by using certain ioctl and fcntl calls to cause the signal to be sent to an arbitrary process ID.
CVE-1999-1339 2 Freebsd, Linux 2 Freebsd, Linux Kernel 2025-04-03 5.0 MEDIUM N/A
Vulnerability when Network Address Translation (NAT) is enabled in Linux 2.2.10 and earlier with ipchains, or FreeBSD 3.2 with ipfw, allows remote attackers to cause a denial of service (kernel panic) via a ping -R (record route) command.
CVE-1999-0863 1 Freebsd 1 Freebsd 2025-04-03 4.6 MEDIUM N/A
Buffer overflow in FreeBSD seyon via HOME environmental variable, -emulator argument, -modems argument, or the GUI.
CVE-2004-0370 1 Freebsd 1 Freebsd 2025-04-03 2.1 LOW N/A
The setsockopt call in the KAME Project IPv6 implementation, as used in FreeBSD 5.2, does not properly handle certain IPv6 socket options, which could allow attackers to read kernel memory and cause a system panic.
CVE-2001-1155 1 Freebsd 1 Freebsd 2025-04-03 7.5 HIGH 9.8 CRITICAL
TCP Wrappers (tcp_wrappers) in FreeBSD 4.1.1 through 4.3 with the PARANOID ACL option enabled does not properly check the result of a reverse DNS lookup, which could allow remote attackers to bypass intended access restrictions via DNS spoofing.
CVE-1999-1402 2 Freebsd, Sun 3 Freebsd, Solaris, Sunos 2025-04-03 2.1 LOW N/A
The access permissions for a UNIX domain socket are ignored in Solaris 2.x and SunOS 4.x, and other BSD-based operating systems before 4.4, which could allow local users to connect to the socket and possibly disrupt or control the operations of the program using that socket.
CVE-2001-0439 5 Conectiva, Freebsd, Licq and 2 more 6 Linux, Freebsd, Licq and 3 more 2025-04-03 7.5 HIGH N/A
licq before 1.0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2000-0998 1 Freebsd 1 Freebsd 2025-04-03 7.2 HIGH N/A
Format string vulnerability in top program allows local attackers to gain root privileges via the "kill" or "renice" function.
CVE-2022-23087 1 Freebsd 1 Freebsd 2025-03-27 N/A 8.8 HIGH
The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets. When checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify the checksum offset in the on-stack buffer. The offset was not validated for certain packet types. A misbehaving bhyve guest could overwrite memory in the bhyve process on the host, possibly leading to code execution in the host context. The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD version and bhyve configuration) limits the impact of exploiting this issue.
CVE-2023-0751 1 Freebsd 1 Freebsd 2025-03-25 N/A 6.5 MEDIUM
When GELI reads a key file from standard input, it does not reuse the key file to initialize multiple providers at once resulting in the second and subsequent devices silently using a NULL key as the user key file. If a user only uses a key file without a user passphrase, the master key is encrypted with an empty key file allowing trivial recovery of the master key.
CVE-2023-4809 1 Freebsd 1 Freebsd 2025-02-13 N/A 7.5 HIGH
In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is. As a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.
CVE-2023-3494 1 Freebsd 1 Freebsd 2025-02-13 N/A 8.8 HIGH
The fwctl driver implements a state machine which is executed when a bhyve guest accesses certain x86 I/O ports. The interface lets the guest copy a string into a buffer resident in the bhyve process' memory. A bug in the state machine implementation can result in a buffer overflowing when copying this string. Malicious, privileged software running in a guest VM can exploit the buffer overflow to achieve code execution on the host in the bhyve userspace process, which typically runs as root, mitigated by the capabilities assigned through the Capsicum sandbox available to the bhyve process.
CVE-2023-3107 2 Freebsd, Netapp 2 Freebsd, Clustered Data Ontap 2025-02-13 N/A 7.5 HIGH
A set of carefully crafted ipv6 packets can trigger an integer overflow in the calculation of a fragment reassembled packet's payload length field. This allows an attacker to trigger a kernel panic, resulting in a denial of service.
CVE-2022-23086 1 Freebsd 1 Freebsd 2024-12-09 N/A 7.8 HIGH
Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small. Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.
CVE-2022-23084 1 Freebsd 1 Freebsd 2024-12-09 N/A 7.5 HIGH
The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.
CVE-2022-23085 1 Freebsd 1 Freebsd 2024-12-09 N/A 8.2 HIGH
A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.
CVE-2024-7589 1 Freebsd 1 Freebsd 2024-11-21 N/A 8.1 HIGH
A signal handler in sshd(8) may call a logging function that is not async-signal-safe. The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default). This signal handler executes in the context of the sshd(8)'s privileged code, which is not sandboxed and runs with full root privileges. This issue is another instance of the problem in CVE-2024-6387 addressed by FreeBSD-SA-24:04.openssh. The faulty code in this case is from the integration of blacklistd in OpenSSH in FreeBSD. As a result of calling functions that are not async-signal-safe in the privileged sshd(8) context, a race condition exists that a determined attacker may be able to exploit to allow an unauthenticated remote code execution as root.
CVE-2024-6760 1 Freebsd 1 Freebsd 2024-11-21 N/A 7.5 HIGH
A logic bug in the code which disables kernel tracing for setuid programs meant that tracing was not disabled when it should have, allowing unprivileged users to trace and inspect the behavior of setuid programs. The bug may be used by an unprivileged user to read the contents of files to which they would not otherwise have access, such as the local password database.
CVE-2024-6759 1 Freebsd 1 Freebsd 2024-11-21 N/A 5.3 MEDIUM
When mounting a remote filesystem using NFS, the kernel did not sanitize remotely provided filenames for the path separator character, "/". This allows readdir(3) and related functions to return filesystem entries with names containing additional path components. The lack of validation described above gives rise to a confused deputy problem. For example, a program copying files from an NFS mount could be tricked into copying from outside the intended source directory, and/or to a location outside the intended destination directory.
CVE-2024-45287 1 Freebsd 1 Freebsd 2024-11-21 N/A 7.5 HIGH
A malicious value of size in a structure of packed libnv can cause an integer overflow, leading to the allocation of a smaller buffer than required for the parsed data.