Cyber Resilience

CVE-2026-6386

Medium · LPE

Published: 22 April 2026

Modified: 01 May 2026
KEV Added
Patch
CVSS Score v3.1: 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0016 (5.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-6386 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in FreeBSD. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 5.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-6386 is a vulnerability in the FreeBSD kernel's pmap_pkru_update_range() subroutine on the amd64 architecture. The issue arises when applying a protection key to an address range, as the subroutine fails to account for 1GB largepage mappings created via the shm_create_largepage(3) interface. It incorrectly assumes that page directory page entries always point to another page table page, leading to improper handling of page table updates.

An unprivileged local user can exploit this flaw to cause pmap_pkru_update_range() to treat userspace memory as a page table page. This enables the attacker to overwrite memory regions that the application would otherwise lack access to, resulting in unauthorized memory modification. The vulnerability is scored at CVSS 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-269 (Improper Privilege Management) and CWE-732 (Incorrect Permission Assignment for Critical Resource).
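
The missing check described above, shown in a toy C model (an added example, not FreeBSD's code or its patch). The 8-frame memory, 4-entry tables and sample values are constructed for illustration; only the PG_V/PG_PS bits and the protection-key field at bits 62:59 follow the amd64 page-table format.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model: constructed layout, not the FreeBSD pmap implementation. */
#define PG_V      (1ULL << 0)            /* entry is valid/present */
#define PG_PS     (1ULL << 7)            /* entry is a large-page leaf */
#define PKEY_MASK (0xFULL << 59)         /* protection key, bits 62:59 */
#define FRAME(e)  (((e) >> 12) & 0x7)    /* toy: 3-bit frame number */
#define NENT 4                           /* toy: 4 entries per table */

static uint64_t mem[8][NENT];            /* toy physical memory, 8 frames */

static uint64_t set_key(uint64_t e, unsigned key) {
    return (e & ~PKEY_MASK) | ((uint64_t)key << 59);
}

/* Flawed walk: assumes a valid PDPE always references a page directory. */
static void pkru_update_flawed(uint64_t *pdpe, unsigned key) {
    if (!(*pdpe & PG_V)) return;
    uint64_t *pd = mem[FRAME(*pdpe)];    /* for a 1GB leaf this is user data */
    for (int i = 0; i < NENT; i++)
        if (pd[i] & PG_V) pd[i] = set_key(pd[i], key);
}

/* Checked walk: a PDPE with PG_PS set is itself the leaf of a 1GB page. */
static void pkru_update_checked(uint64_t *pdpe, unsigned key) {
    if (!(*pdpe & PG_V)) return;
    if (*pdpe & PG_PS) { *pdpe = set_key(*pdpe, key); return; }
    pkru_update_flawed(pdpe, key);       /* genuinely a page directory */
}

/* Returns how many words of the 1GB page's data frame the walk modified. */
static int data_words_changed(void (*update)(uint64_t *, unsigned)) {
    const uint64_t user_data[NENT] = { 0x1111, 0x2223, 0x3333, 0x4444 }; /* constructed */
    for (int i = 0; i < NENT; i++) mem[5][i] = user_data[i];
    uint64_t pdpe = ((uint64_t)5 << 12) | PG_PS | PG_V;  /* 1GB leaf -> frame 5 */
    update(&pdpe, 3);
    int changed = 0;
    for (int i = 0; i < NENT; i++) changed += (mem[5][i] != user_data[i]);
    return changed;
}

int main(void) {
    printf("flawed walker:  %d data words rewritten\n", data_words_changed(pkru_update_flawed));
    printf("checked walker: %d data words rewritten\n", data_words_changed(pkru_update_checked));
    return 0;
}
```

In the flawed walk, every data word that happens to have bit 0 set is taken for a valid entry and has its key bits rewritten; the checked walk updates only the PDPE.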

Mitigation details and patches are documented in the FreeBSD Security Advisory FreeBSD-SA-26:11.amd64, available at https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc.

Vulnerability details

In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page. The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Kernel flaw in pmap_pkru_update_range allows unprivileged local user to perform unauthorized memory writes via mishandled largepage mappings, directly enabling local privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45253 · Same product: FreeBSD
CVE-2026-7270 · Same product: FreeBSD
CVE-2026-39461 · Same product: FreeBSD
CVE-2026-5398 · Same product: FreeBSD
CVE-2026-39457 · Same product: FreeBSD
CVE-2025-15547 · Same product: FreeBSD
CVE-2026-45250 · Same product: FreeBSD
CVE-2026-45251 · Same product: FreeBSD
CVE-2025-15576 · Same product: FreeBSD
CVE-2023-5978 · Same product: FreeBSD

Affected Assets

Vendor: freebsd
Product: freebsd
Versions: 13.5, 14.3, 14.4, 15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly enforces memory access policy on page-table updates; the flawed pmap_pkru_update_range path allowed an unprivileged process to overwrite otherwise-inaccessible memory.

Prevent: Requires hardware-enforced memory protection mechanisms that would have prevented userspace memory from being misinterpreted and overwritten as a page-table page.

Prevent: Mandates process isolation boundaries that the 1 GB large-page handling bug violated, allowing cross-region memory corruption.

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248577 OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks. via CWE-732
Windows 10 (1 rule)
  • V-220712 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows 11 (1 rule)
  • V-253269 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows Server 2016 (3 rules)
  • V-224972 Active Directory Group Policy objects must have proper access control permissions. via CWE-732
  • V-225007 Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. via CWE-269
  • V-224831 Local volumes must use a format that supports NTFS attributes. via CWE-732
Windows Server 2019 (3 rules)
  • V-205663 Windows Server 2019 local volumes must use a format that supports NTFS attributes. via CWE-732
  • V-205741 Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. via CWE-732
  • V-205746 Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
Windows Server 2022 (3 rules)
  • V-254393 Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. via CWE-732
  • V-254428 Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
  • V-254250 Windows Server 2022 local volumes must use a format that supports NTFS attributes. via CWE-732
