CVE-2026-6386
Published: 22 April 2026
Summary
CVE-2026-6386 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in FreeBSD. Its CVSS base score is 6.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 5.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-6386 is a vulnerability in the FreeBSD kernel's pmap_pkru_update_range() subroutine on the amd64 architecture. The issue arises when applying a protection key to an address range, as the subroutine fails to account for 1GB largepage mappings created via the shm_create_largepage(3) interface. It incorrectly assumes that page directory page entries always point to another page table page, leading to improper handling of page table updates.
An unprivileged local user can exploit this flaw to cause pmap_pkru_update_range() to treat userspace memory as a page table page. This enables the attacker to overwrite memory regions that the application would otherwise lack access to, resulting in unauthorized memory modification. The vulnerability is scored at CVSS 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-269 (Improper Privilege Management) and CWE-732 (Incorrect Permission Assignment for Critical Resource).
Mitigation details and patches are documented in the FreeBSD Security Advisory FreeBSD-SA-26:11.amd64, available at https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-24592
Vulnerability details
In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page. The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.
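The missing large-page check described under "Deeper analysis" and "Vulnerability details" can be seen in a toy model of the page-table walk. This C example is added here and is not FreeBSD's pmap code or its patch; the names `update_slot` and `corrupted_words`, the four-frame "physical memory" and the data pattern are assumptions, and the walk stops at the page-directory level.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PG_V       0x001ULL               /* entry is valid */
#define PG_PS      0x080ULL               /* entry is a large-page leaf, not a pointer */
#define PG_FRAME   0x000ffffffffff000ULL
#define PKEY_SHIFT 59                     /* protection key: bits 62:59 of a leaf */
#define PKEY_MASK  (0xfULL << PKEY_SHIFT)
#define NENT       512
#define DATA       0x1111111111111111ULL  /* constructed user data pattern */

/* Toy physical memory: frame n sits at address n << 12 (not 1GB-aligned). */
static uint64_t mem[4][NENT];
static uint64_t *frame_of(uint64_t e) { return mem[(e & PG_FRAME) >> 12]; }
static uint64_t set_key(uint64_t e, uint64_t k) { return (e & ~PKEY_MASK) | (k << PKEY_SHIFT); }

/* Apply `key` to what PDPT slot i maps; check_ps selects the corrected walk. */
static void update_slot(uint64_t *pdpt, int i, uint64_t key, int check_ps) {
    if (!(pdpt[i] & PG_V))
        return;
    if (check_ps && (pdpt[i] & PG_PS)) {  /* 1GB leaf: the key lives in this entry */
        pdpt[i] = set_key(pdpt[i], key);
        return;
    }
    uint64_t *pd = frame_of(pdpt[i]);     /* unchecked, a 1GB leaf's data frame lands here */
    for (int j = 0; j < NENT; j++)
        if (pd[j] & PG_V)
            pd[j] = set_key(pd[j], key);
}

/* Build the tables, apply key 5 to slot 1 (the 1GB mapping), count changed data words. */
static int corrupted_words(int check_ps) {
    int n = 0;
    memset(mem, 0, sizeof(mem));
    mem[0][1] = (2ULL << 12) | PG_V | PG_PS;  /* slot 1 -> 1GB leaf, data in frame 2 */
    for (int j = 0; j < NENT; j++)
        mem[2][j] = DATA;
    update_slot(mem[0], 1, 5, check_ps);
    for (int j = 0; j < NENT; j++)
        n += (mem[2][j] != DATA);
    return n;
}

int main(void) {
    printf("unchecked: %d data words rewritten\n", corrupted_words(0));
    printf("checked:   %d data words rewritten\n", corrupted_words(1));
    return 0;
}
```

With the check in place the key is written into the 1GB leaf entry itself and the data frame is left untouched.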
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Kernel flaw in pmap_pkru_update_range allows unprivileged local user to perform unauthorized memory writes via mishandled largepage mappings, directly enabling local privilege escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces memory access policy on page-table updates; the flawed pmap_pkru_update_range path allowed an unprivileged process to overwrite otherwise-inaccessible memory.
Requires hardware-enforced memory protection mechanisms that would have prevented userspace memory from being misinterpreted and overwritten as a page-table page.
Mandates process isolation boundaries that the 1 GB large-page handling bug violated, allowing cross-region memory corruption.
Hardening callouts derived
Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).
Oracle Linux 8 (1 rule)
- V-248577 OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks. via CWE-732
Windows 10 (1 rule)
- V-220712 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows 11 (1 rule)
- V-253269 Only accounts responsible for the administration of a system must have Administrator rights on the system. via CWE-269
Windows Server 2016 (3 rules)
- V-224972 Active Directory Group Policy objects must have proper access control permissions. via CWE-732
- V-225007 Only administrators responsible for the member server or standalone or nondomain-joined system must have Administrator rights on the system. via CWE-269
- V-224831 Local volumes must use a format that supports NTFS attributes. via CWE-732
Windows Server 2019 (3 rules)
- V-205663 Windows Server 2019 local volumes must use a format that supports NTFS attributes. via CWE-732
- V-205741 Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. via CWE-732
- V-205746 Windows Server 2019 must only allow Administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
Windows Server 2022 (3 rules)
- V-254393 Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. via CWE-732
- V-254428 Windows Server 2022 must only allow administrators responsible for the member server or standalone or nondomain-joined system to have Administrator rights on the system. via CWE-269
- V-254250 Windows Server 2022 local volumes must use a format that supports NTFS attributes. via CWE-732