CVE-2026-45250: a stack overflow in setcred(2) hands out root on FreeBSD

The FreeBSD project released advisory FreeBSD-SA-26:18.setcred to fix CVE-2026-45250, a memory-safety bug in the setcred(2) system call. It rates as high severity with a CVSS score of 7.8, and it is the kind of flaw that worries you precisely because of how mundane the root cause is: the kernel trusted a user-supplied value without checking its size before copying it.

What setcred(2) is and where it breaks

setcred(2) is a fairly recent FreeBSD syscall that lets a process adjust several credential fields at once (UID, GID, supplementary group list, and so on). One of those fields is a list of supplementary groups handed in from userspace.

The bug is in how the kernel handled that list. It copied the user-supplied groups into a fixed-size kernel stack buffer before validating the length. Since the bounds check happened after the write, a process could pass a list longer than the buffer can hold and overflow the kernel stack. That is the textbook stack buffer overflow, except here it happens in the most sensitive context there is.
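A userland model of that ordering mistake, added here as an illustration and not FreeBSD's own code: the buffer capacity, the struct and the function names are assumptions, and memcpy stands in for the kernel's copyin(). The two functions differ only in where the length check sits.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

#define NGROUPS_MODEL 16   /* assumed capacity of the stack buffer */

struct cred_model { gid_t groups[NGROUPS_MODEL]; size_t ngroups; }; /* not ucred */

/* Buggy ordering: copy (memcpy stands in for copyin) first, validate after.
 * With ngroups > NGROUPS_MODEL the copy has already run past `tmp`. */
int setgroups_copy_then_check(struct cred_model *cr, const gid_t *ug, size_t ngroups)
{
    gid_t tmp[NGROUPS_MODEL];
    memcpy(tmp, ug, ngroups * sizeof(gid_t));      /* overflow happens here */
    if (ngroups > NGROUPS_MODEL)
        return EINVAL;                             /* too late to help */
    memcpy(cr->groups, tmp, ngroups * sizeof(gid_t));
    cr->ngroups = ngroups;
    return 0;
}

/* Fixed ordering: reject an oversized list before anything is written. Comparing
 * the element count (not a byte count) also avoids wraparound in the multiply. */
int setgroups_check_then_copy(struct cred_model *cr, const gid_t *ug, size_t ngroups)
{
    gid_t tmp[NGROUPS_MODEL];
    if (ngroups > NGROUPS_MODEL)
        return EINVAL;                             /* nothing written yet */
    memcpy(tmp, ug, ngroups * sizeof(gid_t));
    memcpy(cr->groups, tmp, ngroups * sizeof(gid_t));
    cr->ngroups = ngroups;
    return 0;
}

/* Constructed inputs: both paths on an in-range list, the fixed path on an
 * oversize one (the buggy path never gets one: that is the undefined behaviour). */
int demo(void)
{
    gid_t small[3] = {1000, 1001, 1002};
    gid_t big[2 * NGROUPS_MODEL] = {0};
    struct cred_model a = {{0}, 0}, b = {{0}, 0};
    if (setgroups_copy_then_check(&a, small, 3) != 0 || a.groups[2] != 1002)
        return 1;
    if (setgroups_check_then_copy(&b, small, 3) != 0 || b.ngroups != 3)
        return 2;
    if (setgroups_check_then_copy(&b, big, 2 * NGROUPS_MODEL) != EINVAL)
        return 3;
    return 0;  /* every expectation held */
}
```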

Who is affected and why it matters

The flaw is present in every supported release: 14.3-RELEASE, 14.4-RELEASE and 15.0-RELEASE, plus the stable/14 and stable/15 branches. Any system running one of those kernels is vulnerable until the patch lands.

The attack model is what makes this serious. You don’t need privileges to call setcred(2), so an unprivileged local user can trigger the overflow. And because it fires inside the kernel, it doesn’t stop at crashing a process: a capable attacker can steer the stack to execute arbitrary code in kernel context and escalate to root. On shared servers, machines with untrusted accounts, or any multi-user setup, that means full control of the box starting from an ordinary login.

There was no known active exploitation at publication time, but a proof of concept for this class of bug isn’t hard to build, so don’t sit on it.

How to protect yourself

FreeBSD already shipped the patches. The stable branches were corrected on 6 January 2026 and the release branches on 20 May 2026. You have a few routes depending on how you manage the system:

  • Base-system packages: pkg upgrade -r FreeBSD-base, then reboot.
  • freebsd-update: freebsd-update fetch && freebsd-update install, then reboot.
  • From source: download the patch from https://security.FreeBSD.org/patches/SA-26:18/, verify the signature with gpg, apply it with patch, and rebuild the kernel.

In all three cases the reboot is mandatory, because the fix lives in the kernel and won’t take effect until you boot the new one. If you run a fleet of FreeBSD hosts, prioritise the ones with untrusted users holding shell access: that’s where the risk is immediate.

If you want to look at other recent FreeBSD security issues, there’s the case of the descriptor leak in blocklistd.
