CVE-2026-6386
Published: 22 April 2026
Description
In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page. The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access.
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments.
Implements core proper privilege management by restricting to only required rights.
Policy requires training on privilege management and least privilege, making it harder to exploit improper privilege management weaknesses.
Training covers proper privilege management practices, making incorrect privilege assignments less likely.
The control mandates review of privilege assignments to ensure they are appropriate and minimal.
Baseline configuration documents and controls privilege assignments, making improper privilege management harder to introduce or sustain.
Manages privileges for change control activities and provides oversight to prevent improper privilege use in configuration updates.
Reviewing changes for security impacts prevents introduction of improper privilege assignments or escalations.
Security Summary (AI)
CVE-2026-6386 is a vulnerability in the FreeBSD kernel's pmap_pkru_update_range() subroutine on the amd64 architecture. The issue arises when applying a protection key to an address range, as the subroutine fails to account for 1GB largepage mappings created via the shm_create_largepage(3) interface. It incorrectly assumes that page directory page entries always point to another page table page, leading to improper handling of page table updates.
An unprivileged local user can exploit this flaw to cause pmap_pkru_update_range() to treat userspace memory as a page table page. This enables the attacker to overwrite memory regions that the application would otherwise lack access to, resulting in unauthorized memory modification. The vulnerability is scored at CVSS 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-269 (Improper Privilege Management) and CWE-732 (Incorrect Permission Assignment for Critical Resource).
Mitigation details and patches are documented in the FreeBSD Security Advisory FreeBSD-SA-26:11.amd64, available at https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc.
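The missing large-page check described above, shown as a simplified user-space model added here (not FreeBSD kernel code and not taken from the advisory). The frame layout, `phys`, `pkru_update`, `run` and the `check_ps` switch are assumptions made for illustration; the flag and protection-key bit positions follow the amd64 page-table entry format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PG_V      0x001ULL               /* entry is valid */
#define PG_PS     0x080ULL               /* entry is a large-page leaf */
#define PG_FRAME  0x000ffffffffff000ULL  /* physical frame bits */
#define PKEY(k)   ((uint64_t)(k) << 59)  /* protection key, bits 62:59 */
#define NENT      512
#define DATA      0x4141414141414141ULL  /* constructed user data word */

/* Toy physical memory (constructed): frame 1 = PDP page, frame 2 = a real
 * page directory, frame 3 = first page of a 1GB large page (user data). */
static uint64_t phys[4][NENT];

static void set_key(uint64_t *e, int key) { *e = (*e & ~PKEY(0xf)) | PKEY(key); }

/* Tag every mapping under one PDP page with `key`. check_ps=0 models the
 * flawed walk, check_ps=1 the corrected one. PD entries are treated as
 * leaves to keep the model to the one level that matters here. */
static void pkru_update(uint64_t *pdp, int key, int check_ps)
{
    for (int i = 0; i < NENT; i++) {
        if (!(pdp[i] & PG_V)) continue;
        if (check_ps && (pdp[i] & PG_PS)) {  /* 1GB leaf: key goes here */
            set_key(&pdp[i], key);
            continue;
        }
        uint64_t *pd = phys[(pdp[i] & PG_FRAME) >> 12]; /* assumed to be a PD */
        for (int j = 0; j < NENT; j++)
            if (pd[j] & PG_V) set_key(&pd[j], key);
    }
}

/* Build the layout, run the walk, return how many data words were altered. */
static int run(int check_ps, uint64_t *leaf_out)
{
    int changed = 0;
    memset(phys, 0, sizeof(phys));
    phys[1][0] = (2ULL << 12) | PG_V;          /* points to a page directory */
    phys[1][1] = (3ULL << 12) | PG_V | PG_PS;  /* 1GB large-page leaf */
    phys[2][0] = PG_V | PG_PS;                 /* 2MB leaf in the real PD */
    for (int j = 0; j < NENT; j++) phys[3][j] = DATA;
    pkru_update(phys[1], 5, check_ps);
    for (int j = 0; j < NENT; j++) changed += (phys[3][j] != DATA);
    *leaf_out = phys[1][1];
    return changed;
}

int main(void) { uint64_t l; printf("flawed=%d fixed=%d\n", run(0, &l), run(1, &l)); return 0; }
```

Without the `PG_PS` test the walk rewrites all 512 words of the data page and never tags the 1GB entry itself; with it, the key lands on the leaf entry and the data is untouched.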
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Kernel flaw in pmap_pkru_update_range allows unprivileged local user to perform unauthorized memory writes via mishandled largepage mappings, directly enabling local privilege escalation.