CVE-2026-45259

sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID. A process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.0 / Impact : 4.0

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://security.freebsd.org/advisories/FreeBSD-SA-26:28.capsicum.asc

Configurations

No configuration.

History

29 Jun 2026, 14:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5

27 Jun 2026, 09:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-27 09:16

Updated : 2026-06-29 18:48

NVD link : CVE-2026-45259

Mitre link : CVE-2026-45259

CVE.ORG link : CVE-2026-45259

JSON object : View

Products Affected

No product.

CWE

CWE-266

Incorrect Privilege Assignment

{"id": "CVE-2026-45259", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-45259", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-29T13:10:36.202760Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.0, "exploitabilityScore": 2.0}]}, "affected": [{"source": "secteam@freebsd.org", "affectedData": [{"vendor": "FreeBSD", "modules": ["capsicum"], "product": "FreeBSD", "versions": [{"status": "affected", "version": "15.0-RELEASE", "lessThan": "p10", "versionType": "release"}, {"status": "affected", "version": "14.4-RELEASE", "lessThan": "p6", "versionType": "release"}, {"status": "affected", "version": "14.3-RELEASE", "lessThan": "p15", "versionType": "release"}], "defaultStatus": "unknown"}]}], "published": "2026-06-27T09:16:22.963", "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:28.capsicum.asc", "source": "secteam@freebsd.org"}], "vulnStatus": "Undergoing Analysis", "weaknesses": [{"type": "Secondary", "source": "secteam@freebsd.org", "description": [{"lang": "en", "value": "CWE-266"}]}], "descriptions": [{"lang": "en", "value": "sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID.\n\nA process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process."}], "lastModified": "2026-06-29T18:48:43.147", "sourceIdentifier": "secteam@freebsd.org"}