
FreeBSD patches an execve() bug that hands root to any local user (CVE-2026-7270)

The FreeBSD security team published advisory FreeBSD-SA-26:13.exec on 29 April 2026, fixing a flaw in the execve(2) system call, the kernel entry point every process goes through to load and run a new program. It’s tracked as CVE-2026-7270 and carries a CVSS score of 7.8.

The root cause is the kind of mistake that stings because it’s so small. An operator precedence bug in the kernel code makes an expression evaluate in a different order than intended. The result is a buffer overflow: attacker-controlled data ends up overwriting the adjacent argument buffers that execve(2) prepares when launching an executable. From there, by carefully crafting the arguments passed to the call, an unprivileged user can corrupt kernel memory and end up with superuser privileges.
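To make the bug class concrete, here is an added example written for this article, not code from the FreeBSD source and not a reproduction of CVE-2026-7270: a constructed argument-append routine whose length computation has an operator-precedence mistake, beside the corrected form. The `argarea` structure, the 16-byte logical limit, the canary bytes and the 40-byte input are all assumptions made for the demonstration; the real flaw's expression and buffers are not shown on this page and are not reproduced here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class (NOT the FreeBSD code): an
 * append routine places argument strings in a fixed-size area and checks
 * that each one fits. One precedence slip defeats the check. */

#define LOGICAL_CAP  16u   /* capacity the bounds check is meant to enforce */
#define BACKING_SIZE 64u   /* real storage: bytes past LOGICAL_CAP serve as a canary */
#define CANARY       0xAA

struct argarea {
    unsigned char data[BACKING_SIZE];
    size_t off;            /* bytes of argument data already placed */
};

typedef int (*append_fn)(struct argarea *, const char *, size_t, bool);

/* The warning is silenced on purpose so the buggy form compiles as written;
 * clang (and gcc for similar shapes) flags it under -Wall, which is the
 * cheapest detection available for this bug class. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wparentheses"

/* Buggy: the author meant len + (nul ? 1 : 0). Because + binds tighter than ?:,
 * this parses as (len + nul) ? 1 : 0, so `need` is 1 for every non-empty string
 * and the bounds check passes no matter how long the argument is. */
static int append_arg_buggy(struct argarea *a, const char *s, size_t len, bool nul)
{
    size_t need = len + nul ? 1 : 0;
    if (a->off + need > LOGICAL_CAP)
        return -1;                       /* would be E2BIG in a real kernel */
    memcpy(a->data + a->off, s, len);    /* copies len bytes, not `need` bytes */
    if (nul)
        a->data[a->off + len] = '\0';
    a->off += len + (nul ? 1 : 0);
    return 0;
}
#pragma GCC diagnostic pop

/* Fixed: parenthesised, and compared against the room left rather than
 * against off + need, so an oversized len cannot wrap the sum either. */
static int append_arg_fixed(struct argarea *a, const char *s, size_t len, bool nul)
{
    size_t need = len + (nul ? 1 : 0);
    if (a->off > LOGICAL_CAP || need > LOGICAL_CAP - a->off)
        return -1;
    memcpy(a->data + a->off, s, len);
    if (nul)
        a->data[a->off + len] = '\0';
    a->off += need;
    return 0;
}

static void area_init(struct argarea *a)
{
    memset(a->data, CANARY, sizeof a->data);
    a->off = 0;
}

/* Number of bytes beyond LOGICAL_CAP that an append has overwritten. */
static size_t canary_damage(const struct argarea *a)
{
    size_t n = 0;
    for (size_t i = LOGICAL_CAP; i < BACKING_SIZE; i++)
        if (a->data[i] != CANARY)
            n++;
    return n;
}

/* Constructed input: a 40-byte argument, far past the 16-byte logical capacity
 * but inside the backing store, so the demo never writes outside `data`. */
static const char OVERSIZED[] = "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";
#define OVERSIZED_LEN (sizeof OVERSIZED - 1)

/* Return code each routine gives for the oversized argument (0 = accepted). */
static int demo_rc(append_fn append)
{
    struct argarea a;
    area_init(&a);
    return append(&a, OVERSIZED, OVERSIZED_LEN, true);
}

/* Canary bytes each routine clobbers for the oversized argument. */
static size_t demo_damage(append_fn append)
{
    struct argarea a;
    area_init(&a);
    (void)append(&a, OVERSIZED, OVERSIZED_LEN, true);
    return canary_damage(&a);
}

int main(void)
{
    printf("buggy: rc=%d, bytes written past the limit=%zu\n",
           demo_rc(append_arg_buggy), demo_damage(append_arg_buggy));
    printf("fixed: rc=%d, bytes written past the limit=%zu\n",
           demo_rc(append_arg_fixed), demo_damage(append_arg_fixed));
    return 0;
}
```

The buggy routine accepts the 40-byte argument and writes 25 bytes past the limit it was supposed to enforce (24 bytes of payload plus the terminator); the fixed routine rejects it and touches nothing. In a kernel the bytes past the limit are whatever sits next to the argument area, which is the situation the advisory describes. Two takeaways for your own code: build with -Wall and treat -Wparentheses as an error, and write bounds checks as "need > remaining" rather than "used + need > capacity" so a large attacker-chosen length cannot wrap the addition.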

Who is affected

Every version of FreeBSD that was supported at the time of the advisory: the 13.5, 14.3, 14.4 and 15.0 branches, in both their RELEASE and STABLE flavours. This isn’t an obscure config or an optional service: execve(2) runs every time a binary is started, so the affected surface is the normal operation of the system.

It’s worth being precise about the real risk. The bug needs local access: an attacker has to be able to log in or run code on the machine under some account, even an unprivileged one. It can’t be triggered remotely on its own. That said, on any multi-user server, on shared hosting, or on a box where a compromised service runs as an unprivileged user, this turns limited access into full control of the system. That’s why it rates as high severity.

How to protect yourself

There is no mitigation or workaround. The only fix is to apply the patch and reboot, because the correction lives in the kernel. The fixed versions, all released on 29 April 2026, are:

  • 15.0-STABLE and 15.0-RELEASE-p7
  • 14.4-STABLE and 14.4-RELEASE-p3
  • 14.3-RELEASE-p12
  • 13.5-STABLE and 13.5-RELEASE-p13

If you installed the base system as packages, update with pkg. If you run a standard binary installation, the quickest path is:

freebsd-update fetch
freebsd-update install
reboot

Anyone building from source needs to apply the relevant patch and rebuild the kernel. In all three cases the reboot is mandatory: installing the new kernel is not enough, and until it is actually running the machine stays vulnerable.

If you manage appliances or third-party products built on FreeBSD, check the vendor advisories. Several providers that use FreeBSD as a base shipped their own updates for this CVE, and the patched kernel has to arrive through their channel, not through plain freebsd-update.
