explaingit

venglin/setcred

Audience · researcher · Complexity · 4/5 · Setup · hard

TLDR

A security research disclosure for CVE-2026-45250, a FreeBSD 14.x kernel bug that lets any logged-in user gain full root access, with proof-of-concept exploit code and a detailed technical write-up.

Mindmap

mindmap
  root((repo))
    Vulnerability
      CVE-2026-45250
      FreeBSD 14.x kernel
      Local privilege escalation
      No network access needed
    Root Cause
      Wrong copy size
      Kernel stack overwrite
      No permission check
    Exploits
      Kernel panic PoC
      No-protection exploit
      SMAP+SMEP safe exploit
    Affected Versions
      FreeBSD 14.4-RELEASE
      stable/14 branch


Things people build with this

USE CASE 1

Read the technical write-up to understand how a wrong buffer-copy size in a FreeBSD kernel function leads to a full local privilege escalation.

USE CASE 2

Run the denial-of-service proof-of-concept in a lab environment to verify that CVE-2026-45250 is present on a FreeBSD 14.x system.

USE CASE 3

Study the SMAP/SMEP-bypassing exploit to learn how a ZFS kernel module gadget can be used to achieve privilege escalation without an information leak.

USE CASE 4

Use the disclosure as a reference when patching or auditing FreeBSD systems to confirm whether the fix has been backported to the stable/14 branch.

Tech stack

C

Getting it running

Difficulty · hard Time to first run · 1h+

Requires a vulnerable FreeBSD 14.x system; testing should only be done in an isolated lab environment with appropriate authorization.

In plain English

This repository is a security research disclosure for CVE-2026-45250, a vulnerability in FreeBSD 14.x that allows any unprivileged user on the system to gain full root access. This class of flaw is a local privilege escalation: it requires no remote network access, so someone already logged into the machine can run the exploit and become the system administrator.

The underlying bug lives in the FreeBSD kernel function kern_setcred_copyin_supp_groups(). It uses the wrong element size when copying user-supplied data into a fixed-size buffer on the kernel stack, writing eight bytes per entry instead of four, so the copy runs past the end of the buffer and overwrites the kernel stack. Because the function runs before any permission check, any user can trigger it without special privileges. The repository includes a write-up that walks through the flaw in detail.

The repository ships three exploit programs written in C. The first is a minimal denial-of-service proof-of-concept that any user can run to crash (panic) the kernel, demonstrating that the flaw is real. The second is a full privilege-escalation exploit for systems where two CPU security features, SMAP and SMEP, are turned off. The third targets systems where those protections are enabled, using a code gadget found inside the ZFS filesystem module, which ships as a standard component of typical FreeBSD server installs; this third exploit is noted as requiring no information leak to work.

As of the report date, FreeBSD 14.4-RELEASE and the stable/14 branch were still affected. A fix reached the development branch in November 2025 as a side effect of an unrelated code change but had not been backported to the stable release at the time of publication. The repository also includes build scripts and a secondary write-up focused on the SMAP/SMEP-safe exploit path.
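To make the "wrong copy size" pattern concrete, here is an added userspace C analogue; it is neither FreeBSD's code nor the repository's own, and its buffer size, element type and input are constructed for the example. It shows the byte count being derived from an 8-byte element width instead of the buffer's 4-byte entries, and the check a hardened copy routine performs so the mismatch is rejected before anything is written.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed analogue: a fixed-size on-stack array of 4-byte entries
   (stand-in for a kernel stack buffer; not FreeBSD's real layout or limits). */
#define MAX_ENTRIES 16
typedef uint32_t entry_t;

/* Byte count computed from an 8-byte element width: the bug pattern.
   For n entries it asks for twice the space the 4-byte buffer provides. */
static size_t buggy_copy_bytes(size_t n) { return n * sizeof(uint64_t); }

/* Byte count computed from the actual element width. */
static size_t correct_copy_bytes(size_t n) { return n * sizeof(entry_t); }

/* How many bytes a copy of n entries would spill past a buffer of
   cap entries, given the byte-count rule in use (0 means it fits). */
size_t overflow_bytes(size_t n, size_t cap, size_t (*bytes_for)(size_t))
{
    size_t need = bytes_for(n), have = cap * sizeof(entry_t);
    return need > have ? need - have : 0;
}

/* Hardened copy: the entry count is bounded and the computed byte count is
   checked against the destination before memcpy, so a wrong element width
   is rejected instead of overwriting whatever follows dst on the stack. */
int copy_entries(entry_t *dst, size_t cap, const void *src, size_t n,
                 size_t (*bytes_for)(size_t))
{
    if (n > MAX_ENTRIES || n > cap) return -1;
    if (overflow_bytes(n, cap, bytes_for) != 0) return -1;
    memcpy(dst, src, bytes_for(n));
    return 0;
}

/* Demo: a full-size request fits under the correct rule and is rejected
   under the buggy one. Returns 0 when both outcomes are as expected. */
int demo(void)
{
    entry_t buf[MAX_ENTRIES];
    uint64_t src[MAX_ENTRIES] = {0};   /* constructed user-supplied input */
    int ok = copy_entries(buf, MAX_ENTRIES, src, MAX_ENTRIES, correct_copy_bytes);
    int bad = copy_entries(buf, MAX_ENTRIES, src, MAX_ENTRIES, buggy_copy_bytes);
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```

With sixteen entries the buggy rule requests 128 bytes for a 64-byte buffer, and overflow_bytes() reports the 64-byte spill that the check prevents.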

Copy-paste prompts

Prompt 1
Walk me through the CVE-2026-45250 vulnerability in FreeBSD, what is kern_setcred_copyin_supp_groups, why does the wrong copy size cause a stack overwrite, and why can any user trigger it?
Prompt 2
How does the setcred SMAP/SMEP-safe exploit use a ZFS module gadget to escalate privileges without needing an information leak? Explain the technique step by step.
Prompt 3
I'm running FreeBSD 14.4-RELEASE in a lab. How do I build and run the setcred denial-of-service PoC to confirm my system is vulnerable to CVE-2026-45250?
Prompt 4
What mitigations does enabling SMAP and SMEP provide against the basic setcred exploit, and why do they not fully stop the third exploit variant?
Prompt 5
How do I check whether the CVE-2026-45250 patch has been backported to my FreeBSD stable/14 system and what kernel revision number should I look for?