HN Today

FatGid: FreeBSD 14.x kernel local privilege escalation

A critical kernel buffer overflow vulnerability dubbed 'FatGid' has been disclosed in FreeBSD 14.x, allowing unprivileged local users to gain full root privileges. The bug, a sizeof type error in setcred(2), has been exploited in a way that bypasses modern mitigations such as SMAP/SMEP, making it a significant concern for FreeBSD deployments. The detailed technical report provides a deep dive into the exploit mechanisms and the techniques used to achieve privilege escalation.

Score: 4 · Comments: 0 · Highest rank: #7 · 3h on front page · First seen: May 21, 1:00 PM · Last seen: May 21, 3:00 PM

The Lowdown

A severe local privilege escalation (LPE) vulnerability, named 'FatGid', has been identified and detailed for FreeBSD 14.x. The flaw is a kernel stack buffer overflow in the setcred(2) system call, specifically in the kern_setcred_copyin_supp_groups() function. Any unprivileged local user can trigger it before any privilege checks are performed, with consequences ranging from a simple kernel panic to full root access.

  • Vulnerability Cause: A sizeof type error where sizeof(*groups) incorrectly evaluates to sizeof(gid_t *) (8 bytes) instead of sizeof(gid_t) (4 bytes). This leads to a 60-byte overflow when copying data into a 60-byte stack buffer (smallgroups[]).
  • Affected Systems: FreeBSD 14.4-RELEASE and the stable/14 branch are fully vulnerable and exploitable for LPE. FreeBSD 15.0 contains the same typo but only results in a kernel panic due to differing surrounding code. FreeBSD 13.x and earlier are not affected as setcred(2) is absent.
  • Exploit Techniques: The researchers developed two LPE exploits:
    • No SMAP/SMEP: This technique corrupts callee-saved registers in user_setcred() to hijack control flow via amd64_syscall+0x155, ultimately executing user-space shellcode to modify credentials to root.
    • With SMAP/SMEP: This more sophisticated method leverages a gadget within the zfs.ko kernel module (ZSTD_initCStream_advanced) to overwrite the current thread's credential pointer (td->td_ucred) with a fake credential structure. This fake structure is planted in a controlled kernel memory region (specifically, a pargs UMA slab allocated by setproctitle(2)).
  • Exploitation Prerequisites: The SMAP/SMEP-safe exploit only requires zfs.ko to be loaded, which is typical for FreeBSD installations with ZFS pools. Kernel symbols are resolved at runtime using unprivileged interfaces (kldnext(2), kldsym(2)).
  • Fix Status: The bug was inadvertently fixed in the main branch on 2025-11-27 (commit 000d5b5) as a side effect of code refactoring, without explicit mention of the vulnerability. This fix has not been backported to stable/14 or releng/14.4. A security advisory (FreeBSD-SA-26:18.setcred) and CVE (CVE-2026-45250) have been issued.
  • Mitigation: Users running vulnerable versions are advised to cherry-pick commit 000d5b5 into their local kernel tree and rebuild, as there is no clean userland mitigation.
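
The sizeof type error described in the "Vulnerability Cause" bullet is a general C bug class, so here is a constructed illustration of it beside a hardened copy routine. This is added example code, not FreeBSD's kern_setcred_copyin_supp_groups() or the researchers' code; the function and variable names are assumptions, and only the element sizes (a 4-byte gid_t, an 8-byte pointer on amd64) and the 60-byte stack buffer come from the summary above.

```c
/*
 * Constructed illustration of the sizeof type-error class behind FatGid.
 * Not FreeBSD code: names and layout are assumed; the 4-byte gid_t, the
 * 8-byte amd64 pointer and the 60-byte stack buffer are from the report.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t demo_gid_t;                 /* stand-in for gid_t (4 bytes) */
#define SMALLGROUPS_BYTES 60                 /* on-stack buffer size in the report */
#define SMALLGROUPS_COUNT (SMALLGROUPS_BYTES / sizeof(demo_gid_t))  /* 15 entries */

/* Buggy arithmetic: `groups` is a pointer to the caller's gid_t pointer, so
 * sizeof(*groups) is the size of a pointer, not the size of a gid_t. */
static size_t copy_len_buggy(size_t ngroups, demo_gid_t **groups)
{
    return ngroups * sizeof(*groups);        /* 8 bytes per entry on amd64 */
}

/* Fixed arithmetic: size of the element type that is actually copied. */
static size_t copy_len_fixed(size_t ngroups, demo_gid_t **groups)
{
    return ngroups * sizeof(**groups);       /* 4 bytes per entry */
}

/* Bytes a copy of `ngroups` entries would write past the 60-byte buffer when
 * the caller admits the request by entry count (ngroups <= 15) but sizes the
 * copy with the buggy expression. 0 means nothing overflows. */
static size_t overflow_bytes_buggy(size_t ngroups)
{
    demo_gid_t *dummy = NULL;
    if (ngroups > SMALLGROUPS_COUNT)
        return 0;                            /* count check diverts larger requests */
    size_t len = copy_len_buggy(ngroups, &dummy);
    return len > SMALLGROUPS_BYTES ? len - SMALLGROUPS_BYTES : 0;
}

/* Same scenario with the corrected element size: never overflows. */
static size_t overflow_bytes_fixed(size_t ngroups)
{
    demo_gid_t *dummy = NULL;
    if (ngroups > SMALLGROUPS_COUNT)
        return 0;
    size_t len = copy_len_fixed(ngroups, &dummy);
    return len > SMALLGROUPS_BYTES ? len - SMALLGROUPS_BYTES : 0;
}

/* Hardened copy: element size is taken from the destination element, the
 * byte count is bounded by the destination size passed in, and the assumed
 * element width is pinned at compile time. Returns 0 on success, -1 if the
 * request does not fit. */
static int copy_groups_safe(demo_gid_t *dst, size_t dst_bytes,
                            const demo_gid_t *src, size_t ngroups)
{
    _Static_assert(sizeof(*dst) == sizeof(demo_gid_t), "element size mismatch");
    if (ngroups > SIZE_MAX / sizeof(*dst))
        return -1;                           /* multiplication would wrap */
    size_t need = ngroups * sizeof(*dst);
    if (need > dst_bytes)
        return -1;                           /* reject instead of overflowing */
    memcpy(dst, src, need);
    return 0;
}

int main(void)
{
    demo_gid_t dst[SMALLGROUPS_COUNT];
    demo_gid_t src[SMALLGROUPS_COUNT] = {0};

    printf("15 entries, buggy sizeof: %zu bytes past the buffer\n",
           overflow_bytes_buggy(SMALLGROUPS_COUNT));
    printf("15 entries, fixed sizeof: %zu bytes past the buffer\n",
           overflow_bytes_fixed(SMALLGROUPS_COUNT));
    printf("safe copy of 15 entries: %d, of 16 entries: %d\n",
           copy_groups_safe(dst, sizeof(dst), src, 15),
           copy_groups_safe(dst, sizeof(dst), src, 16));
    return 0;
}
```

The point for reviewers is that the count check and the byte count were computed from two different types; the hardened form derives both from the destination buffer, so a future change to the element type cannot reintroduce the mismatch.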

This detailed report provides a full breakdown of the vulnerability, including proof-of-concept code and specific techniques to achieve root access, highlighting the critical need for patching vulnerable FreeBSD systems.