{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6386", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2026-04-15T19:18:20.083Z", "datePublished": "2026-04-22T02:33:24.846Z", "dateUpdated": "2026-04-22T14:32:53.989Z"}, "containers": {"cna": {"datePublic": "2026-04-21T18:00:00.000Z", "title": "Missing large page handling in pmap_pkru_update_range()", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["amd64"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"status": "affected", "versionType": "release", "version": "15.0-RELEASE", "lessThan": "p6"}, {"status": "affected", "versionType": "release", "version": "14.4-RELEASE", "lessThan": "p2"}, {"status": "affected", "versionType": "release", "version": "14.3-RELEASE", "lessThan": "p11"}, {"status": "affected", "versionType": "release", "version": "13.5-RELEASE", "lessThan": "p12"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nicholas Carlini using Claude, Anthropic"}], "descriptions": [{"lang": "en", "value": "In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.\n\nThe bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}, {"cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-04-22T02:33:24.846Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:26:42.409167Z", "id": "CVE-2026-6386", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:32:53.989Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-6386", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T14:26:42.409167Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:29:06.911Z"}}], "cna": {"title": "Missing large page handling in pmap_pkru_update_range()", "credits": [{"lang": "en", "type": "finder", "value": "Nicholas Carlini using Claude, Anthropic"}], "affected": [{"vendor": "FreeBSD", "modules": ["amd64"], "product": "FreeBSD", "versions": [{"status": "affected", "version": "15.0-RELEASE", "lessThan": "p6", "versionType": "release"}, {"status": "affected", "version": "14.4-RELEASE", "lessThan": "p2", "versionType": "release"}, {"status": "affected", "version": "14.3-RELEASE", "lessThan": "p11", "versionType": "release"}, {"status": "affected", "version": "13.5-RELEASE", "lessThan": "p12", "versionType": "release"}], "defaultStatus": "unknown"}], "datePublic": "2026-04-21T18:00:00.000Z", "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en", "value": "In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.\n\nThe bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}, {"lang": "en", "type": "CWE", "cweId": "CWE-732", "description": "CWE-732 Incorrect Permission Assignment for Critical Resource"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-04-22T02:33:24.846Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6386", "state": "PUBLISHED", "dateUpdated": "2026-04-22T14:32:53.989Z", "dateReserved": "2026-04-15T19:18:20.083Z", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "datePublished": "2026-04-22T02:33:24.846Z", "assignerShortName": "freebsd"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In order to apply a particular protection key to an address range, the kernel must update the corresponding page table entries. The subroutine which handled this failed to take into account the presence of 1GB largepage mappings created using the shm_create_largepage(3) interface. In particular, it would always treat a page directory page entry as pointing to another page table page.\n\nThe bug can be abused by an unprivileged user to cause pmap_pkru_update_range() to treat userspace memory as a page table page, and thus overwrite memory to which the application would otherwise not have access."}], "id": "CVE-2026-6386", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-22T03:16:01.313", "references": [{"source": "secteam@freebsd.org", "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:11.amd64.asc"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-732"}], "source": "secteam@freebsd.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[15.0-RELEASE, p6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[14.4-RELEASE, p2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[14.3-RELEASE, p11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[13.5-RELEASE, p12)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FreeBSD", "source": "cna", "vendor": "FreeBSD"}, "product": "freebsd", "vendor": "freebsd"}], "analysis": {"en": {"generated_at": "2026-04-22T06:08:09.685989+00:00", "value": {"mitigation_remediation": ["Upgrade to a FreeBSD release that includes the pmap_pkru_update_range() patch referenced in the FreeBSD-SA-26:11 advisory", "If an upgrade is not immediately possible, avoid using shm_create_largepage() in applications with untrusted users, or disable large page allocation for those users", "As a temporary measure, disable or restrict the use of PKRU for lower\u2011privileged processes until the kernel fix is applied"], "summary": {"action": "Immediate Patch", "impact": "Unprivileged memory overwrite leading to elevation of privilege"}, "threat_synthesis": {"affected_systems": "The affected product is FreeBSD. No specific version range is listed, suggesting that any FreeBSD kernel containing the unpatched pmap_pkru_update_range() routine is vulnerable. Until the fix noted in the FreeBSD-SA-26:11 advisory is applied, all FreeBSD installations that allow large pages and PKRU usage remain at risk.", "description_and_impact": "The pmap_pkru_update_range() routine, which applies protection keys to address ranges, fails to handle 1\u202fGB largepage mappings created via shm_create_largepage(3). This oversight causes the routine to treat regular user\u2011space memory as a page table, allowing an attacker to overwrite arbitrary memory that should otherwise be protected. This is a privilege escalation flaw identified as CWE\u2011269 (Improper Authorization) and CWE\u2011732 (Incorrect Access Control). The vulnerability permits an unprivileged local user to manipulate data in a way that can compromise process integrity or trigger arbitrary code execution.", "risk_and_exploitability": "The EPSS score is not available, and the vulnerability is not in the CISA KEV catalog, so known exploitation activity is unclear. However, the flaw is exploitable by an unprivileged local user who can request large page creation. The attack requires only local access and the ability to invoke shm_create_largepage(3), a common interface. Given the lack of a public exploit yet, the risk is moderate to high, especially for systems that run untrusted code with large page support enabled."}}}}, "created": "2026-04-22T03:30:06.535520+00:00", "updated": "2026-04-22T06:15:10.412427+00:00", "vendors": ["freebsd", "freebsd$PRODUCT$freebsd"]}