Cyber Resilience

CVE-2026-5398

High

Published: 22 April 2026

Published
22 April 2026
Modified
01 May 2026
KEV Added
Patch
CVSS Score v3.1 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 6.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-5398 is a high-severity Use After Free (CWE-416) vulnerability in Freebsd Freebsd. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-39 (Process Isolation).

Deeper analysis

CVE-2026-5398 is a use-after-free vulnerability (CWE-416) in the FreeBSD implementation of the TIOCNOTTY ioctl. This ioctl fails to clear a back-pointer from the structure representing the controlling terminal to the calling process's session. If the invoking process then exits, the terminal structure retains a pointer to freed memory, creating a dangling pointer that can be abused.

A local attacker requires no privileges (PR:N) and can exploit this with low complexity (AC:L) and no user interaction (UI:N). By invoking TIOCNOTTY in a malicious process and then exiting, the attacker can manipulate the dangling pointer in the terminal structure to achieve arbitrary code execution or privilege escalation to root, resulting in high impacts to confidentiality, integrity, and availability (CVSS:3.1 score of 8.4; AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The FreeBSD security advisory (FreeBSD-SA-26:10.tty.asc) at https://security.freebsd.org/advisories/FreeBSD-SA-26:10.tty.asc provides details on the vulnerability and recommended mitigation steps, including applying the relevant patches.

EU & UK References

Vulnerability details

The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A…

more

malicious process can abuse the dangling pointer to grant itself root privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local use-after-free in TIOCNOTTY ioctl enables arbitrary code execution and root privilege escalation with no privileges required, directly mapping to T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45251Same product: Freebsd Freebsd
CVE-2026-45253Same product: Freebsd Freebsd
CVE-2024-45063Same product: Freebsd Freebsd
CVE-2026-7270Same product: Freebsd Freebsd
CVE-2026-39461Same product: Freebsd Freebsd
CVE-2022-23090Same product: Freebsd Freebsd
CVE-2026-6386Same product: Freebsd Freebsd
CVE-2026-39457Same product: Freebsd Freebsd
CVE-2026-45250Same product: Freebsd Freebsd
CVE-2026-4747Same product: Freebsd Freebsd

Affected Assets

freebsd
freebsd
13.5, 14.3, 14.4, 15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the use-after-free vulnerability in TIOCNOTTY by requiring timely application of vendor patches as specified in the FreeBSD security advisory.

prevent

Implements memory protections such as ASLR and non-executable memory regions that hinder exploitation of the dangling pointer for arbitrary code execution or privilege escalation.

prevent

Process isolation capabilities prevent malicious processes from abusing shared kernel terminal structures containing the dangling back-pointer after process exit.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248592 OL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 8 (1 rule)
  • V-230279 RHEL 8 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416
RHEL 9 (1 rule)
  • V-257794 RHEL 9 must clear memory when it is freed to prevent use-after-free attacks. via CWE-416

References