CVE-2026-5398

High

Published: 22 April 2026

Published

22 April 2026

Modified

01 May 2026

KEV Added

—

Patch

—

CVSS Score 8.4 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 4.3th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

The implementation of TIOCNOTTY failed to clear a back-pointer from the structure representing the controlling terminal to the calling process' session. If the invoking process then exits, the terminal structure may end up containing a pointer to freed memory. A…

malicious process can abuse the dangling pointer to grant itself root privileges.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the use-after-free vulnerability in TIOCNOTTY by requiring timely application of vendor patches as specified in the FreeBSD security advisory.

SI-16 Memory Protection partial match

prevent

Implements memory protections such as ASLR and non-executable memory regions that hinder exploitation of the dangling pointer for arbitrary code execution or privilege escalation.

SC-39 Process Isolation partial match

prevent

Process isolation capabilities prevent malicious processes from abusing shared kernel terminal structures containing the dangling back-pointer after process exit.

Security SummaryAI

CVE-2026-5398 is a use-after-free vulnerability (CWE-416) in the FreeBSD implementation of the TIOCNOTTY ioctl. This ioctl fails to clear a back-pointer from the structure representing the controlling terminal to the calling process's session. If the invoking process then exits, the terminal structure retains a pointer to freed memory, creating a dangling pointer that can be abused.

A local attacker requires no privileges (PR:N) and can exploit this with low complexity (AC:L) and no user interaction (UI:N). By invoking TIOCNOTTY in a malicious process and then exiting, the attacker can manipulate the dangling pointer in the terminal structure to achieve arbitrary code execution or privilege escalation to root, resulting in high impacts to confidentiality, integrity, and availability (CVSS:3.1 score of 8.4; AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

The FreeBSD security advisory (FreeBSD-SA-26:10.tty.asc) at https://security.freebsd.org/advisories/FreeBSD-SA-26:10.tty.asc provides details on the vulnerability and recommended mitigation steps, including applying the relevant patches.

Details

CWE(s): CWE-416

Affected Products

freebsd

13.5, 14.3, 14.4, 15.0

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Local use-after-free in TIOCNOTTY ioctl enables arbitrary code execution and root privilege escalation with no privileges required, directly mapping to T1068 Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://security.freebsd.org/advisories/FreeBSD-SA-26:10.tty.asc
Vendor Advisory · secteam@freebsd.org