Local privilege escalation via execve()

TLDR

  • FreeBSD-SA-26:13 (CVE-2026-7270): operator precedence bug in the kernel lets unprivileged users overwrite execve(2) argument buffers and gain root.

Key Takeaways

  • Root cause is an operator precedence mistake in kernel code causing a buffer overflow into adjacent execve(2) argument buffers.
  • All supported FreeBSD versions affected (13.x, 14.x, 15.x); no workaround exists, patch and reboot required.
  • Fix landed 2026-04-29; patched releases: 15.0-p7, 14.4-p3, 14.3-p12, 13.5-p13. Update via pkg, freebsd-update, or source patch.
  • Credited to Ryan of Calif.io; a working exploit and AI-assisted write-up are publicly available on GitHub.
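
To check a host against the patched releases listed above, this added example (not taken from the advisory or the original page) classifies the running and installed kernel versions reported by freebsd-version(1). The function names are hypothetical, and any release not in the list above is reported as unknown rather than guessed.

```shell
#!/bin/sh
# Added example: compare a FreeBSD version string with the fixed patch
# levels listed above for FreeBSD-SA-26:13. Function names are hypothetical.

# min_patch RELEASE -> lowest fixed patch level from the list above, or empty
min_patch() {
    case "$1" in
        15.0) echo 7 ;;
        14.4) echo 3 ;;
        14.3) echo 12 ;;
        13.5) echo 13 ;;
        *)    echo "" ;;
    esac
}

# patch_status VERSION -> prints patched | vulnerable | unknown
patch_status() {
    ver=$1
    rel=${ver%%-*}                        # "14.3-RELEASE-p11" -> "14.3"
    case "$ver" in
        *-RELEASE-p*) plevel=${ver##*-p} ;;   # -> "11"
        *-RELEASE)    plevel=0 ;;             # unpatched base release
        *)            echo unknown; return 0 ;;  # -STABLE, -CURRENT, etc.
    esac
    case "$plevel" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    need=$(min_patch "$rel")
    if [ -z "$need" ]; then echo unknown; return 0; fi
    if [ "$plevel" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# host_status -> patched | reboot-needed | vulnerable | unknown | not-freebsd
# The fix only takes effect after a reboot, so the running kernel (-r)
# decides; the installed kernel (-k) only shows whether a reboot is pending.
host_status() {
    command -v freebsd-version >/dev/null 2>&1 || { echo not-freebsd; return 0; }
    running=$(patch_status "$(freebsd-version -r)")
    installed=$(patch_status "$(freebsd-version -k)")
    if [ "$running" = patched ]; then echo patched
    elif [ "$installed" = patched ]; then echo reboot-needed
    else echo "$running"
    fi
}

host_status
```

A result of reboot-needed means the patched kernel is on disk but the host is still running the old one.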

Hacker News Comment Review

  • Calif.io (Thai Duong’s firm) published a blog walkthrough and GitHub repo with an AI-generated working exploit and prompts, giving attackers a ready-made path to root.
  • The patch is already two update cycles old for active 15.0-RELEASE users (current is -p8), but operators who cannot freely reboot remain exposed with no mitigation.
  • Discussion touched on whether SUID binaries are a prerequisite for exploitation, leaving the full attack surface slightly ambiguous pending the write-up details.

Notable Comments

  • @tptacek: Raises whether the vuln requires SUID binaries, a concrete scoping question not answered in the advisory.
