Unprivileged memory overwrite via pmap_pkru_update_range in FreeBSD kernel
CVE-2026-6386 Published on April 22, 2026
Missing large page handling in pmap_pkru_update_range()
In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.
The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.
Weakness Types
Improper Privilege Management
The software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Incorrect Permission Assignment for Critical Resource
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution or sensitive user data.
Products Associated with CVE-2026-6386
Want to know whenever a new CVE is published for FreeBSD? stack.watch will email you.
Affected Versions
FreeBSD:- Version 15.0-RELEASE and below p6 is affected.
- Version 14.4-RELEASE and below p2 is affected.
- Version 14.3-RELEASE and below p11 is affected.
- Version 13.5-RELEASE and below p12 is affected.