| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2019-5601 |
200 |
|
+Info |
2019-07-03 |
2019-07-15 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
In FreeBSD 12.0-STABLE before r347474, 12.0-RELEASE before 12.0-RELEASE-p7, 11.2-STABLE before r347475, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in the FFS implementation causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding. |
|
2 |
CVE-2018-17156 |
787 |
|
|
2018-11-28 |
2019-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
In FreeBSD before 11.2-STABLE(r340268) and 11.2-RELEASE-p5, due to incorrectly accounting for padding on 64-bit platforms, a buffer underwrite could occur when constructing an ICMP reply packet when using a non-standard value for the net.inet.icmp.quotelen sysctl. |
|
3 |
CVE-2018-17154 |
476 |
|
DoS |
2018-09-28 |
2018-11-23 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
In FreeBSD before 11.2-STABLE(r338987), 11.2-RELEASE-p4, and 11.1-RELEASE-p15, due to insufficient memory checking in the freebsd4_getfsstat system call, a NULL pointer dereference can occur. Unprivileged authenticated local users may be able to cause a denial of service. |
|
4 |
CVE-2018-6925 |
476 |
|
|
2018-09-28 |
2018-11-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
In FreeBSD before 11.2-STABLE(r338986), 11.2-RELEASE-p4, 11.1-RELEASE-p15, 10.4-STABLE(r338985), and 10.4-RELEASE-p13, due to improper maintenance of IPv6 protocol control block flags through various failure paths, an unprivileged authenticated local user may be able to cause a NULL pointer dereference causing the kernel to crash. |
|
5 |
CVE-2018-3665 |
200 |
|
+Info |
2018-06-21 |
2019-05-14 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
System software utilizing Lazy FP state restore technique on systems using Intel Core-based microprocessors may potentially allow a local process to infer data from another process through a speculative execution side channel. |
|
6 |
CVE-2017-1087 |
22 |
|
DoS Dir. Trav. |
2017-11-16 |
2019-10-02 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
In FreeBSD 10.x before 10.4-STABLE, 10.4-RELEASE-p3, and 10.3-RELEASE-p24 named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system. As a result, a malicious user that has access to a jailed system is able to abuse shared memory by injecting malicious content in the shared memory region. This memory region might be executed by applications trusting the shared memory, like Squid. This issue could lead to a Denial of Service or local privilege escalation. |
|
7 |
CVE-2016-9042 |
20 |
|
DoS |
2018-06-04 |
2018-08-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition. |
|
8 |
CVE-2016-1885 |
119 |
|
DoS Overflow |
2016-04-11 |
2018-10-09 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Integer signedness error in the amd64_set_ldt function in sys/amd64/amd64/sys_machdep.c in FreeBSD 9.3 before p39, 10.1 before p31, and 10.2 before p14 allows local users to cause a denial of service (kernel panic) via an i386_set_ldt system call, which triggers a heap-based buffer overflow. |
|
9 |
CVE-2015-5674 |
20 |
|
DoS |
2018-02-05 |
2018-03-14 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The routed daemon in FreeBSD 9.3 before 9.3-RELEASE-p22, 10.2-RC2 before 10.2-RC2-p1, 10.2-RC1 before 10.2-RC1-p2, 10.2 before 10.2-BETA2-p3, and 10.1 before 10.1-RELEASE-p17 allows remote authenticated users to cause a denial of service (assertion failure and daemon exit) via a query from a network that is not directly connected. |
|
10 |
CVE-2014-8612 |
264 |
|
+Priv |
2015-02-02 |
2018-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple array index errors in the Stream Control Transmission Protocol (SCTP) module in FreeBSD 10.1 before p5, 10.0 before p17, 9.3 before p9, and 8.4 before p23 allow local users to (1) gain privileges via the stream id to the setsockopt function, when setting the SCTIP_SS_VALUE option, or (2) read arbitrary kernel memory via the stream id to the getsockopt function, when getting the SCTP_SS_PRIORITY option. |
|
11 |
CVE-2014-8475 |
17 |
|
DoS |
2014-11-18 |
2017-09-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
FreeBSD 9.1, 9.2, and 10.0, when compiling OpenSSH with Kerberos support, uses incorrect library ordering when linking sshd, which causes symbols to be resolved incorrectly and allows remote attackers to cause a denial of service (sshd deadlock and prevention of new connections) by ending multiple connections before authentication is completed. |
|
12 |
CVE-2014-3953 |
119 |
|
Overflow +Info |
2014-07-15 |
2014-11-18 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
FreeBSD 8.4 before p14, 9.1 before p17, 9.2 before p10, and 10.0 before p7 does not properly initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via a (1) SCTP_SNDRCV, (2) SCTP_EXTRCV, or (3) SCTP_RCVINFO SCTP cmsg or a (4) SCTP_PEER_ADDR_CHANGE, (5) SCTP_REMOTE_ERROR, or (6) SCTP_AUTHENTICATION_EVENT notification. |
|
13 |
CVE-2014-3952 |
119 |
|
Overflow +Info |
2014-07-15 |
2017-08-28 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
FreeBSD 8.4 before p14, 9.1 before p17, 9.2 before p10, and 10.0 before p7 does not properly initialize the buffer between the header and data of a control message, which allows local users to obtain sensitive information from kernel memory via unspecified vectors. |
|
14 |
CVE-2014-3880 |
20 |
|
DoS |
2014-06-10 |
2014-06-21 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The (1) execve and (2) fexecve system calls in the FreeBSD kernel 8.4 before p11, 9.1 before p14, 9.2 before p7, and 10.0 before p4 destroys the virtual memory address space and mappings for a process before all threads have terminated, which allows local users to cause a denial of service (triple-fault and system reboot) via a crafted system call, which triggers an invalid page table pointer dereference. |
|
15 |
CVE-2014-1453 |
399 |
|
DoS |
2014-04-16 |
2014-06-21 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The NFS server (nfsserver) in FreeBSD 8.3 through 10.0 does not acquire locks in the proper order when converting a directory file handle to a vnode, which allows remote authenticated users to cause a denial of service (deadlock) via vectors involving a thread that uses the correct locking order. |
|
16 |
CVE-2013-6834 |
20 |
|
+Info |
2013-11-20 |
2014-03-04 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
The ql_eioctl function in sys/dev/qlxgbe/ql_ioctl.c in the kernel in FreeBSD 10 and earlier does not validate a certain size parameter, which allows local users to obtain sensitive information from kernel memory via a crafted ioctl call. |
|
17 |
CVE-2013-6833 |
20 |
|
+Info |
2013-11-20 |
2013-11-24 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
The qls_eioctl function in sys/dev/qlxge/qls_ioctl.c in the kernel in FreeBSD 10 and earlier does not validate a certain size parameter, which allows local users to obtain sensitive information from kernel memory via a crafted ioctl call. |
|
18 |
CVE-2013-6832 |
200 |
|
+Info |
2013-11-20 |
2013-11-24 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
The nand_ioctl function in sys/dev/nand/nand_geom.c in the nand driver in the kernel in FreeBSD 10 and earlier does not properly initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via a crafted ioctl call. |
|
19 |
CVE-2013-5666 |
200 |
|
+Info |
2013-09-23 |
2013-09-25 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
The sendfile system-call implementation in sys/kern/uipc_syscalls.c in the kernel in FreeBSD 9.2-RC1 and 9.2-RC2 does not properly pad transmissions, which allows local users to obtain sensitive information (kernel memory) via a length greater than the length of the file. |
|
20 |
CVE-2012-2143 |
310 |
|
|
2012-07-05 |
2016-12-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. |
|
21 |
CVE-2011-1739 |
20 |
|
Bypass |
2011-05-03 |
2017-08-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The makemask function in mountd.c in mountd in FreeBSD 7.4 through 8.2 does not properly handle a -network field specifying a CIDR block with a prefix length that is not an integer multiple of 8, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances via an NFS mount request. |
|
22 |
CVE-2011-0419 |
399 |
|
DoS |
2011-05-16 |
2018-01-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris 10, and Android, allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via *? sequences in the first argument, as demonstrated by attacks against mod_autoindex in httpd. |
|
23 |
CVE-2010-4755 |
399 |
|
DoS |
2011-03-02 |
2014-08-08 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in SSH_FXP_STAT requests to an sftp daemon, a different vulnerability than CVE-2010-2632. |
|
24 |
CVE-2010-4754 |
399 |
|
DoS |
2011-03-02 |
2011-09-21 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The glob implementation in libc in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, and OpenBSD 4.7, and Libsystem in Apple Mac OS X before 10.6.8, allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632. |
|
25 |
CVE-2010-2530 |
189 |
|
DoS |
2010-09-29 |
2010-09-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Multiple integer signedness errors in smb_subr.c in the netsmb module in the kernel in NetBSD 5.0.2 and earlier, FreeBSD, and Apple Mac OS X allow local users to cause a denial of service (panic) via a negative size value in a /dev/nsmb ioctl operation, as demonstrated by a (1) SMBIOC_LOOKUP or (2) SMBIOC_OPENSESSION ioctl call. |
|
26 |
CVE-2009-4358 |
264 |
|
|
2009-12-19 |
2009-12-21 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
freebsd-update in FreeBSD 8.0, 7.2, 7.1, 6.4, and 6.3 uses insecure permissions in its working directory (/var/db/freebsd-update by default), which allows local users to read copies of sensitive files after a (1) freebsd-update fetch (fetch) or (2) freebsd-update upgrade (upgrade) operation. |
|
27 |
CVE-2009-2649 |
264 |
|
DoS |
2009-07-30 |
2017-10-18 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The IATA (ata) driver in FreeBSD 6.0 and 8.0, when read access to /dev is available, allows local users to cause a denial of service (kernel panic) via a certain IOCTL request with a large count, which triggers a malloc call with a large value. |
|
28 |
CVE-2009-1935 |
189 |
|
Overflow Bypass |
2009-06-18 |
2017-08-16 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
Integer overflow in the pipe_build_write_buffer function (sys/kern/sys_pipe.c) in the direct write optimization feature in the pipe implementation in FreeBSD 7.1 through 7.2 and 6.3 through 6.4 allows local users to bypass virtual-to-physical address lookups and read sensitive information in memory pages via unspecified vectors. |
|
29 |
CVE-2009-1436 |
20 |
|
+Info |
2009-04-27 |
2016-11-28 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
The db interface in libc in FreeBSD 6.3, 6.4, 7.0, 7.1, and 7.2-PRERELEASE does not properly initialize memory for Berkeley DB 1.85 database structures, which allows local users to obtain sensitive information by reading a database file. |
|
30 |
CVE-2008-1215 |
264 |
|
Overflow +Priv |
2008-03-08 |
2017-08-07 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in the command_Expand_Interpret function in command.c in ppp (aka user-ppp), as distributed in FreeBSD 6.3 and 7.0, OpenBSD 4.1 and 4.2, and the net/userppp package for NetBSD, allows local users to gain privileges via long commands containing "~" characters. |
|
31 |
CVE-2008-0777 |
264 |
|
|
2008-02-14 |
2008-09-05 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
The sendfile system call in FreeBSD 5.5 through 7.0 does not check the access flags of the file descriptor used for sending a file, which allows local users to read the contents of write-only files. |
|
32 |
CVE-2007-3645 |
|
|
DoS |
2007-07-15 |
2017-07-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (crash) via (1) an end-of-file condition within a tar header that follows a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive, which results in a NULL pointer dereference, a different issue than CVE-2007-3644. |
|
33 |
CVE-2007-3644 |
|
|
DoS |
2007-07-13 |
2017-07-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
archive_read_support_format_tar.c in libarchive before 2.2.4 allows user-assisted remote attackers to cause a denial of service (infinite loop) via (1) an end-of-file condition within a pax extension header or (2) a malformed pax extension header in an (a) PAX or a (b) TAR archive. |
|
34 |
CVE-2006-6397 |
|
|
Overflow |
2006-12-07 |
2018-10-17 |
4.4 |
User |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** Integer overflow in banner/banner.c in FreeBSD, NetBSD, and OpenBSD might allow local users to modify memory via a long banner. NOTE: CVE and multiple third parties dispute this issue. Since banner is not setuid, an exploit would not cross privilege boundaries in normal operations. This issue is not a vulnerability. |
|
35 |
CVE-2006-5824 |
|
|
DoS Overflow |
2006-11-09 |
2017-07-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Integer overflow in the ffs_rdextattr function in FreeBSD 6.1 allows local users to cause a denial of service (kernel panic) and trigger a heap-based buffer overflow via a crafted UFS filesystem, a different vulnerability than CVE-2006-5679. NOTE: a third party states that this issue does not cross privilege boundaries in FreeBSD because only root may mount a filesystem. |
|
36 |
CVE-2006-5679 |
189 |
|
DoS Exec Code Overflow |
2006-11-03 |
2011-10-11 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in the ffs_mountfs function in FreeBSD 6.1 allows local users to cause a denial of service (panic) and possibly execute arbitrary code via a crafted UFS filesystem that causes invalid or large size parameters to be provided to the kmem_alloc function. NOTE: a third party states that this issue does not cross privilege boundaries in FreeBSD because only root may mount a filesystem. |
|
37 |
CVE-2006-5550 |
|
|
DoS |
2006-10-26 |
2008-09-05 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The kernel in FreeBSD 6.1 and OpenBSD 4.0 allows local users to cause a denial of service via unspecified vectors involving certain ioctl requests to /dev/crypto. |
|
38 |
CVE-2006-4516 |
|
|
DoS Mem. Corr. |
2006-10-11 |
2017-07-19 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Integer signedness error in FreeBSD 6.0-RELEASE allows local users to cause a denial of service (memory corruption and kernel panic) via a PT_LWPINFO ptrace command with a large negative data value that satisfies a signed maximum value check but is used in an unsigned copyout function call. |
|
39 |
CVE-2006-4178 |
|
|
DoS |
2006-09-25 |
2018-10-17 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Integer signedness error in the i386_set_ldt call in FreeBSD 5.5, and possibly earlier versions down to 5.2, allows local users to cause a denial of service (crash) via unspecified arguments that use negative signed integers to cause the bzero function to be called with a large length parameter, a different vulnerability than CVE-2006-4172. |
|
40 |
CVE-2005-4351 |
|
|
Bypass |
2005-12-31 |
2017-07-19 |
4.3 |
None |
Local |
Low |
Single system |
Partial |
Partial |
Partial |
|
The securelevels implementation in FreeBSD 7.0 and earlier, OpenBSD up to 3.8, DragonFly up to 1.2, and Linux up to 2.6.15 allows root users to bypass immutable settings for files by mounting another filesystem that masks the immutable files while the system is running. |
|
41 |
CVE-2005-1406 |
|
|
|
2005-05-06 |
2008-09-05 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The kernel in FreeBSD 4.x to 4.11 and 5.x to 5.4 does not properly clear certain fixed-length buffers when copying variable-length data for use by applications, which could allow those applications to read previously used sensitive memory. |
|
42 |
CVE-2005-1400 |
|
|
|
2005-05-06 |
2008-09-05 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The i386_get_ldt system call in FreeBSD 4.7 to 4.11 and 5.x to 5.4 allows local users to access sensitive kernel memory via arguments with negative or very large values. |
|
43 |
CVE-2005-1399 |
|
|
|
2005-05-06 |
2008-09-05 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
FreeBSD 4.6 to 4.11 and 5.x to 5.4 uses insecure default permissions for the /dev/iir device, which allows local users to execute restricted ioctl calls to read or modify data on hardware that is controlled by the iir driver. |
|
44 |
CVE-2005-0109 |
|
|
+Info |
2005-03-05 |
2018-10-16 |
4.7 |
None |
Local |
Medium |
Not required |
Complete |
None |
None |
|
Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. |
|
45 |
CVE-2004-0919 |
|
|
|
2004-12-31 |
2017-07-10 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The syscons CONS_SCRSHOT ioctl in FreeBSD 5.x allows local users to read arbitrary kernel memory via (1) negative coordinates or (2) large coordinates. |
|
46 |
CVE-2004-0126 |
|
|
+Priv |
2004-03-29 |
2017-10-09 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The jail_attach system call in FreeBSD 5.1 and 5.2 changes the directory of a calling process even if the process doesn't have permission to change directory, which allows local users to gain read/write privileges to files and directories within another jail. |
|
47 |
CVE-2004-0114 |
|
|
+Priv |
2004-03-03 |
2017-10-09 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges. |
|
48 |
CVE-2004-0099 |
|
|
Bypass |
2004-03-03 |
2017-10-09 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions. |
|
49 |
CVE-2003-0914 |
|
|
|
2003-12-15 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value. |
|
50 |
CVE-2002-2199 |
|
|
Bypass |
2002-12-31 |
2008-09-05 |
4.6 |
User |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The default aide.conf file in Advanced Intrusion Detection Environment (AIDE) before 0.7_1 on FreeBSD before 2002-08-28 does not properly check subdirectories, which could allow local users to bypass detection. |
