FreeBSD 15.0 Patch 6
cpe:2.3:o:freebsd:freebsd:15.0:p6:*:*:*:*:*:*
part: o version: 15.0 update: p6
| Vendor | Freebsd (1e86ea60-a74f-5f45-ac35-3eb819c9e064) |
|---|---|
| Product | Freebsd (be9b20ed-2a20-5a94-a224-b1a6fdcacb17) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/freebsd/freebsd-src | purl2cpe | 2026-06-01 10:12:45.207109 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-7270 | vulnerable | 2026-06-08 08:08:56.781334 | Local privilege escalation via execve()<br>An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers.<br>The bug may be exploitable by an unprivileged user to obtain superuser privileges.<br>Published: 2026-04-30T07:02:48.276Z<br>Updated: 2026-05-10T06:55:17.771Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-7164 | vulnerable | 2026-06-08 08:07:05.479150 | pf can overflow the stack parsing crafted SCTP packets<br>Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic.<br>Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset.<br>Published: 2026-04-30T07:23:52.601Z<br>Updated: 2026-04-30T13:09:07.760Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-42512 | vulnerable | 2026-06-08 08:03:16.435841 | Remotely triggerable out-of-bounds heap write in dhclient<br>As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.<br>A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.<br>Published: 2026-04-30T07:58:37.145Z<br>Updated: 2026-05-01T15:26:06.292Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-42511 | vulnerable | 2026-06-08 08:03:16.432809 | Remote code execution via malicious DHCP options<br>The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.<br>A rogue DHCP server may be able to execute arbitrary code as root on a system running dhclient.<br>Published: 2026-04-30T06:56:36.929Z<br>Updated: 2026-05-01T15:25:37.800Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-39457 | vulnerable | 2026-06-08 08:01:16.548868 | Stack overflow via select() file descriptor set overflow<br>When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024).<br>An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.<br>Published: 2026-04-30T08:01:49.015Z<br>Updated: 2026-05-01T03:55:51.194Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-35547 | vulnerable | 2026-06-08 07:59:14.125362 | db.gcve.eu details were skipped to keep the page responsive. | Imported from gcve-enriched-dumps CVE data |