
FreeBSD fixes a Linuxulator privilege escalation via LD_PRELOAD (CVE-2026-49413)

FreeBSD released advisory SA-26:30 on 9 June 2026, fixing a local privilege escalation in the Linuxulator, the compatibility layer that runs Linux binaries directly on the FreeBSD kernel. The flaw is tracked as CVE-2026-49413 and affects any system that loads the Linux compatibility module and has Linux binaries carrying the setuid or setgid bit.

The bug is in how the Linuxulator decides whether a process is running with elevated privileges during execve(2). To defend against injection, the Linux dynamic loader ignores variables like LD_PRELOAD when the binary is setuid or setgid. That decision hinges on the AT_SECURE value the kernel places in the auxiliary vector handed to the new program. When AT_SECURE is 1, the loader switches to secure mode and drops LD_PRELOAD.

That is where the mistake lived. The Linuxulator checked the P_SUGID process flag to set AT_SECURE, but that flag is not yet set at the point where the auxiliary vector is built inside the execve sequence. The check ran too early, so AT_SECURE ended up at zero even for a setuid binary. With the loader convinced the process was not privileged, LD_PRELOAD was honoured as usual.

From there the attack is straightforward. An unprivileged local user points LD_PRELOAD at their own shared library and launches a set-user-ID or set-group-ID Linux binary. The library loads into the process with the binary’s privileges, typically root, and the attacker’s code runs with those permissions. It is a classic local escalation: no remote access, but it turns an ordinary user account into full control of the host.

Who is affected

The advisory marks all supported versions as vulnerable across the stable/15, releng/15.1, releng/15.0, stable/14, releng/14.4 and releng/14.3 branches. Two conditions have to hold in practice: the Linuxulator module (linux.ko or linux64.ko) has to be loaded, and at least one Linux binary with setuid or setgid has to be present. A FreeBSD host without the Linux compatibility layer active, or without such binaries, is not exposed to this particular vector.

Severity is high within its class. It is neither remote nor a foothold on its own, but on multi-user systems, or systems running setuid Linux software under the Linuxulator, it offers a clean path to root.

Mitigation and patch

The fix delays reading the privilege state until P_SUGID is already set, so AT_SECURE correctly reflects that the binary is setuid and the loader drops LD_PRELOAD.

To apply the patch on systems built from official binaries:

freebsd-update fetch
freebsd-update install

Then reboot so the patched kernel takes effect. If you build the kernel from source, apply the official SA-26:30 patch and recompile and install the kernel the usual way. As a temporary mitigation, unloading the Linuxulator module or removing the setuid/setgid bit from Linux binaries closes the path until you can patch.
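A way to check the AT_SECURE behaviour described above from inside a process, as an added example that is not code from the advisory or the FreeBSD project. Built as a Linux binary and run under the Linuxulator, it compares the AT_SECURE entry with the real and effective IDs. The names auxv_find and audit_auxv and the two sample vectors are constructed for illustration.

```c
#include <elf.h>       /* AT_NULL, AT_UID, AT_EUID, AT_GID, AT_EGID, AT_SECURE */
#include <stdio.h>
#include <sys/auxv.h>  /* getauxval() */
#include <unistd.h>

/* Constructed auxiliary vectors for a set-user-ID exec (uid 1001, euid 0). */
const unsigned long sample_affected[] = { AT_UID, 1001, AT_EUID, 0, AT_GID, 1001,
                                          AT_EGID, 1001, AT_SECURE, 0, AT_NULL, 0 };
const unsigned long sample_patched[]  = { AT_UID, 1001, AT_EUID, 0, AT_GID, 1001,
                                          AT_EGID, 1001, AT_SECURE, 1, AT_NULL, 0 };

/* Find one entry in a vector of (type, value) pairs terminated by AT_NULL. */
int auxv_find(const unsigned long *auxv, unsigned long type, unsigned long *out)
{
    for (; auxv[0] != AT_NULL; auxv += 2)
        if (auxv[0] == type) { *out = auxv[1]; return 1; }
    return 0;
}

/* 0: consistent; 1: IDs differ but AT_SECURE is 0 (the state the article
 * describes); -1: a required entry is missing. AT_SECURE=1 with equal IDs
 * is accepted, since a Linux kernel can set it for other reasons too. */
int audit_auxv(const unsigned long *auxv)
{
    unsigned long uid, euid, gid, egid, secure;
    if (!auxv_find(auxv, AT_UID, &uid) || !auxv_find(auxv, AT_EUID, &euid) ||
        !auxv_find(auxv, AT_GID, &gid) || !auxv_find(auxv, AT_EGID, &egid) ||
        !auxv_find(auxv, AT_SECURE, &secure))
        return -1;
    return (uid != euid || gid != egid) && secure == 0;
}

int main(void)
{
    /* Live check: credentials come from the syscalls, AT_SECURE from the
     * vector the kernel (or the Linuxulator) built for this process. */
    const unsigned long live[] = { AT_UID, getuid(), AT_EUID, geteuid(),
                                   AT_GID, getgid(), AT_EGID, getegid(),
                                   AT_SECURE, getauxval(AT_SECURE), AT_NULL, 0 };
    printf("constructed affected: %d, constructed patched: %d\n",
           audit_auxv(sample_affected), audit_auxv(sample_patched));
    int rc = audit_auxv(live);
    printf("live: AT_SECURE=%lu -> %s\n", getauxval(AT_SECURE),
           rc ? "MISMATCH" : "consistent");
    return rc;
}
```

The live result is only meaningful when the real and effective IDs actually differ; with equal IDs the check reports consistent on any kernel.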

If you run FreeBSD, it is worth reviewing the full set of advisories published that same 9 June, since the project shipped several patches at once. See the FreeBSD page for the rest of the system’s details.
