CVE-2026-5398
Published: 22 April 2026
Summary
CVE-2026-5398 is a high-severity Use After Free (CWE-416) vulnerability in Freebsd Freebsd. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the use-after-free vulnerability in TIOCNOTTY by requiring timely application of vendor patches as specified in the FreeBSD security advisory.
Implements memory protections such as ASLR and non-executable memory regions that hinder exploitation of the dangling pointer for arbitrary code execution or privilege escalation.
Process isolation capabilities prevent malicious processes from abusing shared kernel terminal structures containing the dangling back-pointer after process exit.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Local use-after-free in TIOCNOTTY ioctl enables arbitrary code execution and root privilege escalation with no privileges required, directly mapping to T1068 Exploitation for Privilege Escalation.
NVD Description
The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A…
more
malicious process can abuse the dangling pointer to grant itself root privileges.
Deeper analysisAI
CVE-2026-5398 is a use-after-free vulnerability (CWE-416) in the FreeBSD implementation of the TIOCNOTTY ioctl. This ioctl fails to clear a back-pointer from the structure representing the controlling terminal to the calling process's session. If the invoking process then exits, the terminal structure retains a pointer to freed memory, creating a dangling pointer that can be abused.
A local attacker requires no privileges (PR:N) and can exploit this with low complexity (AC:L) and no user interaction (UI:N). By invoking TIOCNOTTY in a malicious process and then exiting, the attacker can manipulate the dangling pointer in the terminal structure to achieve arbitrary code execution or privilege escalation to root, resulting in high impacts to confidentiality, integrity, and availability (CVSS:3.1 score of 8.4; AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The FreeBSD security advisory (FreeBSD-SA-26:10.tty.asc) at https://security.freebsd.org/advisories/FreeBSD-SA-26:10.tty.asc provides details on the vulnerability and recommended mitigation steps, including applying the relevant patches.
Details
- CWE(s)