CVE-2026-45250

Stack buffer overflow via setcred(2)

CVSS 7.8 HIGHEPSS 0.4%CWE-121

Vexday Risk Score

41Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 7.8EPSS 0.4%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado

Lifecycle

21 May 2026Public PoC

21 May 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

The setcred(2) system call is only available to privileged users. However, before the privilege level of the caller is checked, the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without first validating its length. If the supplied list exceeds the capacity of that buffer, a stack buffer overflow occurs. Because the bounds check on the supplementary groups list occurs after the kernel stack buffer has already been written, an unprivileged local user may trigger the overflow without holding any special privilege. Successful exploitation may allow an attacker to execute arbitrary code in the context of the kernel, allowing an unprivileged local user to gain elevated privileges on the affected system.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected products

FreeBSD · FreeBSD

public PoCs found — 1

githubgithub.com/venglin/setcred★ 22

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://security.freebsd.org/advisories/FreeBSD-SA-26:18.setcred.asc http://www.openwall.com/lists/oss-security/2026/05/21/18 http://www.openwall.com/lists/oss-security/2026/05/21/3 http://www.openwall.com/lists/oss-security/2026/05/22/5