| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2021-29626 |
416 |
|
|
2021-04-07 |
2022-05-27 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FreeBSD 13.0-STABLE before n245117, 12.2-STABLE before r369551, 11.4-STABLE before r369559, 13.0-RC5 before p1, 12.2-RELEASE before p6, and 11.4-RELEASE before p9, copy-on-write logic failed to invalidate shared memory page mappings between multiple processes allowing an unprivileged process to maintain a mapping after it is freed, allowing the process to read private data belonging to other processes or the kernel. |
|
2 |
CVE-2020-13434 |
190 |
|
Overflow |
2020-05-24 |
2023-01-09 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
SQLite through 3.32.0 has an integer overflow in sqlite3_str_vappendf in printf.c. |
|
3 |
CVE-2020-7455 |
772 |
|
|
2020-05-13 |
2022-06-05 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FreeBSD 12.1-STABLE before r360973, 12.1-RELEASE before p5, 11.4-STABLE before r360973, 11.4-BETA1 before p1 and 11.3-RELEASE before p9, the FTP packet handler in libalias incorrectly calculates some packet length allowing disclosure of small amounts of kernel (for kernel NAT) or natd process space (for userspace natd). |
|
4 |
CVE-2019-15877 |
20 |
|
|
2020-04-28 |
2021-07-21 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
In FreeBSD 12.1-STABLE before r356606 and 12.1-RELEASE before 12.1-RELEASE-p3, driver specific ioctl command handlers in the ixl network driver failed to check whether the caller has sufficient privileges allowing unprivileged users to trigger updates to the device's non-volatile memory. |
|
5 |
CVE-2019-15876 |
269 |
|
|
2020-04-28 |
2021-07-21 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
In FreeBSD 12.1-STABLE before r356089, 12.1-RELEASE before 12.1-RELEASE-p3, 11.3-STABLE before r356090, and 11.3-RELEASE before 11.3-RELEASE-p7, driver specific ioctl command handlers in the oce network driver failed to check whether the caller has sufficient privileges allowing unprivileged users to send passthrough commands to the device firmware. |
|
6 |
CVE-2019-15875 |
665 |
|
|
2020-02-18 |
2020-03-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FreeBSD 12.1-STABLE before r354734, 12.1-RELEASE before 12.1-RELEASE-p2, 12.0-RELEASE before 12.0-RELEASE-p13, 11.3-STABLE before r354735, and 11.3-RELEASE before 11.3-RELEASE-p6, due to incorrect initialization of a stack data structure, core dump files may contain up to 20 bytes of kernel data previously stored on the stack. |
|
7 |
CVE-2019-5595 |
20 |
|
|
2019-02-12 |
2021-07-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FreeBSD before 11.2-STABLE(r343782), 11.2-RELEASE-p9, 12.0-STABLE(r343781), and 12.0-RELEASE-p3, kernel callee-save registers are not properly sanitized before return from system calls, potentially allowing some kernel data used in the system call to be exposed. |
|
8 |
CVE-2018-17155 |
200 |
|
+Info |
2018-09-28 |
2018-11-23 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FreeBSD before 11.2-STABLE(r338983), 11.2-RELEASE-p4, 11.1-RELEASE-p15, 10.4-STABLE(r338984), and 10.4-RELEASE-p13, due to insufficient initialization of memory copied to userland in the getcontext and swapcontext system calls, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to access small amounts privileged kernel data. |
|
9 |
CVE-2018-6921 |
200 |
|
+Info |
2018-05-08 |
2018-06-13 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FreeBSD before 11.1-STABLE(r332066) and 11.1-RELEASE-p10, due to insufficient initialization of memory copied to userland in the network subsystem, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to access small amounts of privileged kernel data. |
|
10 |
CVE-2018-6920 |
200 |
|
+Info |
2018-05-08 |
2018-06-13 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FreeBSD before 11.1-STABLE(r332303), 11.1-RELEASE-p10, 10.4-STABLE(r332321), and 10.4-RELEASE-p9, due to insufficient initialization of memory copied to userland in the Linux subsystem and Atheros wireless driver, small amounts of kernel memory may be disclosed to userland processes. Unprivileged authenticated local users may be able to access small amounts of privileged kernel data. |
|
11 |
CVE-2017-13088 |
330 |
|
|
2017-10-17 |
2019-10-03 |
2.9 |
None |
Local Network |
Medium |
Not required |
None |
Partial |
None |
|
Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Integrity Group Temporal Key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. |
|
12 |
CVE-2017-13087 |
330 |
|
|
2017-10-17 |
2019-10-03 |
2.9 |
None |
Local Network |
Medium |
Not required |
None |
Partial |
None |
|
Wi-Fi Protected Access (WPA and WPA2) that support 802.11v allows reinstallation of the Group Temporal Key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame, allowing an attacker within radio range to replay frames from access points to clients. |
|
13 |
CVE-2017-13081 |
330 |
|
|
2017-10-17 |
2019-10-03 |
2.9 |
None |
Local Network |
Medium |
Not required |
None |
Partial |
None |
|
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the group key handshake, allowing an attacker within radio range to spoof frames from access points to clients. |
|
14 |
CVE-2017-13080 |
330 |
|
|
2017-10-17 |
2020-11-10 |
2.9 |
None |
Local Network |
Medium |
Not required |
None |
Partial |
None |
|
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the group key handshake, allowing an attacker within radio range to replay frames from access points to clients. |
|
15 |
CVE-2017-13079 |
330 |
|
|
2017-10-17 |
2019-10-03 |
2.9 |
None |
Local Network |
Medium |
Not required |
None |
Partial |
None |
|
Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11w allows reinstallation of the Integrity Group Temporal Key (IGTK) during the four-way handshake, allowing an attacker within radio range to spoof frames from access points to clients. |
|
16 |
CVE-2017-13078 |
330 |
|
|
2017-10-17 |
2019-10-03 |
2.9 |
None |
Local Network |
Medium |
Not required |
None |
Partial |
None |
|
Wi-Fi Protected Access (WPA and WPA2) allows reinstallation of the Group Temporal Key (GTK) during the four-way handshake, allowing an attacker within radio range to replay frames from access points to clients. |
|
17 |
CVE-2017-1088 |
200 |
|
+Info |
2017-11-16 |
2017-12-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24, the kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack is possible. As a result, some bytes from the kernel stack can be observed in userspace. |
|
18 |
CVE-2017-1086 |
200 |
|
+Info |
2017-11-16 |
2017-12-02 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
In FreeBSD before 11.1-STABLE, 11.1-RELEASE-p4, 11.0-RELEASE-p15, 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24, not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information of the kernel stack of the thread is possible from the debugger. As a result, some bytes from the kernel stack of the thread using ptrace (PT_LWPINFO) call can be observed in userspace. |
|
19 |
CVE-2015-5677 |
200 |
|
+Info |
2017-02-07 |
2017-09-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
bsnmpd, as used in FreeBSD 9.3, 10.1, and 10.2, uses world-readable permissions on the snmpd.config file, which allows local users to obtain the secret key for USM authentication by reading the file. |
|
20 |
CVE-2015-1415 |
200 |
|
+Info |
2015-04-10 |
2018-10-09 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The bsdinstall installer in FreeBSD 10.x before 10.1 p9, when configuring full disk encrypted ZFS, uses world-readable permissions for the GELI keyfile (/boot/encryption.key), which allows local users to obtain sensitive key information by reading the file. |
|
21 |
CVE-2014-8476 |
200 |
|
+Info |
2014-11-13 |
2014-11-14 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The setlogin function in FreeBSD 8.4 through 10.1-RC4 does not initialize the buffer used to store the login name, which allows local users to obtain sensitive information from kernel memory via a call to getlogin, which returns the entire buffer. |
|
22 |
CVE-2014-3873 |
20 |
|
+Info |
2014-06-10 |
2014-06-24 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The ktrace utility in the FreeBSD kernel 8.4 before p11, 9.1 before p14, 9.2 before p7, and 9.3-BETA1 before p1 uses an incorrect page fault kernel trace entry size, which allows local users to obtain sensitive information from kernel memory via a kernel process trace. |
|
23 |
CVE-2008-0216 |
264 |
|
|
2008-01-16 |
2017-08-08 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
The ptsname function in FreeBSD 6.0 through 7.0-PRERELEASE does not properly verify that a certain portion of a device name is associated with a pty of a user who is calling the pt_chown function, which might allow local users to read data from the pty from another user. |
|
24 |
CVE-2007-6150 |
200 |
|
Bypass +Info |
2007-11-30 |
2017-07-29 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The "internal state tracking" code for the random and urandom devices in FreeBSD 5.5, 6.1 through 6.3, and 7.0 beta 4 allows local users to obtain portions of previously-accessed random values, which could be leveraged to bypass protection mechanisms that rely on secrecy of those values. |
|
25 |
CVE-2007-3722 |
|
|
DoS |
2007-07-12 |
2008-11-15 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The 4BSD process scheduler in the FreeBSD kernel performs scheduling based on CPU billing gathered from periodic process sampling ticks, which allows local users to cause a denial of service (CPU consumption) by performing voluntary nanosecond sleeps that result in the process not being active during a clock interrupt, as described in "Secretly Monopolizing the CPU Without Superuser Privileges." |
|
26 |
CVE-2007-3721 |
|
|
DoS |
2007-07-12 |
2008-11-15 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The ULE process scheduler in the FreeBSD kernel gives preference to "interactive" processes that perform voluntary sleeps, which allows local users to cause a denial of service (CPU consumption), as described in "Secretly Monopolizing the CPU Without Superuser Privileges." |
|
27 |
CVE-2006-6013 |
|
|
Overflow |
2006-11-21 |
2018-10-17 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Integer signedness error in the fw_ioctl (FW_IOCTL) function in the FireWire (IEEE-1394) drivers (dev/firewire/fwdev.c) in various BSD kernels, including DragonFlyBSD, FreeBSD 5.5, MidnightBSD 0.1-CURRENT before 20061115, NetBSD-current before 20061116, NetBSD-4 before 20061203, and TrustedBSD, allows local users to read arbitrary memory contents via certain negative values of crom_buf->len in an FW_GCROM command. NOTE: this issue has been labeled as an integer overflow, but it is more like an integer signedness error. |
|
28 |
CVE-2006-5483 |
|
|
DoS |
2006-10-24 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
p1003_1b.c in FreeBSD 6.1 allows local users to cause an unspecified denial of service by setting a scheduler policy, which should only be settable by root. |
|
29 |
CVE-2006-5482 |
|
|
DoS |
2006-10-24 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
ufs_vnops.c in FreeBSD 6.1 allows local users to cause an unspecified denial of service by calling the ftruncate function on a file type that is not VREG, VLNK or VDIR, which is not defined in POSIX. |
|
30 |
CVE-2006-1056 |
310 |
|
+Info |
2006-04-20 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The Linux kernel before 2.6.16.9 and the FreeBSD kernel, when running on AMD64 and other 7th and 8th generation AuthenticAMD processors, only save/restore the FOP, FIP, and FDP x87 registers in FXSAVE/FXRSTOR when an exception is pending, which allows one process to determine portions of the state of floating point instructions of other processes, which can be leveraged to obtain sensitive information such as cryptographic keys. NOTE: this is the documented behavior of AMD64 processors, but it is inconsistent with Intel processors in a security-relevant fashion that was not addressed by the kernels. |
|
31 |
CVE-2006-0380 |
|
|
|
2006-01-25 |
2017-07-20 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
A logic error in FreeBSD kernel 5.4-STABLE and 6.0 causes the kernel to calculate an incorrect buffer length, which causes more data to be copied to userland than intended, which could allow local users to read portions of kernel memory. |
|
32 |
CVE-2006-0379 |
|
|
|
2006-01-25 |
2017-07-20 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
FreeBSD kernel 5.4-STABLE and 6.0 does not completely initialize a buffer before making it available to userland, which could allow local users to read portions of kernel memory. |
|
33 |
CVE-2006-0055 |
|
|
|
2006-01-11 |
2017-07-20 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
The ispell_op function in ee on FreeBSD 4.10 to 6.0 uses predictable filenames and does not confirm which file is being written, which allows local users to overwrite arbitrary files via a symlink attack when ee invokes ispell. |
|
34 |
CVE-2005-1126 |
399 |
|
|
2005-04-15 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 and 5.x through 5.4 does not properly clear a buffer before using it, which allows local users to obtain portions of sensitive kernel memory. |
|
35 |
CVE-2004-0618 |
|
|
DoS |
2004-12-06 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
FreeBSD 5.1 for the Alpha processor allows local users to cause a denial of service (crash) via an execve system call with an unaligned memory address as an argument. |
|
36 |
CVE-2004-0602 |
|
|
+Priv |
2004-12-06 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The binary compatibility mode for FreeBSD 4.x and 5.x does not properly handle certain Linux system calls, which could allow local users to access kernel memory to gain privileges or cause a system panic. |
|
37 |
CVE-2004-0370 |
|
|
|
2004-05-04 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The setsockopt call in the KAME Project IPv6 implementation, as used in FreeBSD 5.2, does not properly handle certain IPv6 socket options, which could allow attackers to read kernel memory and cause a system panic. |
|
38 |
CVE-2003-1289 |
|
|
|
2003-12-31 |
2017-07-20 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The iBCS2 system call translator for statfs in NetBSD 1.5 through 1.5.3 and FreeBSD 4 up to 4.8-RELEASE-p2 and 5 up to 5.1-RELEASE-p1 allows local users to read portions of kernel memory (memory disclosure) via a large length parameter, which copies additional kernel memory into userland memory. |
|
39 |
CVE-2002-1915 |
|
|
DoS |
2002-12-31 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
tip on multiple BSD-based operating systems allows local users to cause a denial of service (execution prevention) by using flock() to lock the /var/log/acculog file. |
|
40 |
CVE-2002-1669 |
|
|
|
2002-12-31 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
pkg_add in FreeBSD 4.2 through 4.4 creates a temporary directory with world-searchable permissions, which may allow local users to modify world-writable parts of the package during installation. |
|
41 |
CVE-2002-1667 |
|
|
DoS |
2002-12-31 |
2017-07-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The virtual memory management system in FreeBSD 4.5-RELEASE and earlier does not properly check the existence of a VM object during page invalidation, which allows local users to cause a denial of service (crash) by calling msync on an unaccessed memory map created with MAP_ANON and MAP_NOSYNC flags. |
|
42 |
CVE-2002-1125 |
|
|
|
2002-09-24 |
2016-10-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
FreeBSD port programs that use libkvm for FreeBSD 4.6.2-RELEASE and earlier, including (1) asmon, (2) ascpu, (3) bubblemon, (4) wmmon, and (5) wmnet2, leave open file descriptors for /dev/mem and /dev/kmem, which allows local users to read kernel memory. |
|
43 |
CVE-2002-0831 |
|
|
DoS |
2002-08-12 |
2016-10-18 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The kqueue mechanism in FreeBSD 4.3 through 4.6 STABLE allows local users to cause a denial of service (kernel panic) via a pipe call in which one end is terminated and an EVFILT_WRITE filter is registered for the other end. |
|
44 |
CVE-2002-0795 |
|
|
|
2002-08-12 |
2008-09-05 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
The rc system startup script for FreeBSD 4 through 4.5 allows local users to delete arbitrary files via a symlink attack on X Windows lock files. |
|
45 |
CVE-2002-0701 |
|
|
+Info |
2002-07-23 |
2016-10-18 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
ktrace in BSD-based operating systems allows the owner of a process with special privileges to trace the process after its privileges have been lowered, which may allow the owner to obtain sensitive information that the process obtained while it was running with the extra privileges. |
|
46 |
CVE-2001-1029 |
|
|
Bypass |
2001-09-20 |
2017-10-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
libutil in OpenSSH on FreeBSD 4.4 and earlier does not drop privileges before verifying the capabilities for reading the copyright and welcome files, which allows local users to bypass the capabilities checks and read arbitrary files by specifying alternate copyright or welcome files. |
|
47 |
CVE-2001-0310 |
|
|
|
2001-06-02 |
2017-10-10 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
sort in FreeBSD 4.1.1 and earlier, and possibly other operating systems, uses predictable temporary file names and does not properly handle when the temporary file already exists, which causes sort to crash and possibly impacts security-sensitive scripts. |
|
48 |
CVE-2001-0062 |
|
|
DoS |
2001-02-12 |
2017-10-10 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
procfs in FreeBSD and possibly other operating systems allows local users to cause a denial of service by calling mmap on the process' own mem file, which causes the kernel to hang. |
|
49 |
CVE-2000-0729 |
|
|
DoS |
2000-10-20 |
2017-10-10 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
FreeBSD 5.x, 4.x, and 3.x allows local users to cause a denial of service by executing a program with a malformed ELF image header. |
|
50 |
CVE-2000-0489 |
|
|
DoS |
1999-09-05 |
2017-10-10 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
FreeBSD, NetBSD, and OpenBSD allow an attacker to cause a denial of service by creating a large number of socket pairs using the socketpair function, setting a large buffer size via setsockopt, then writing large buffers. |
