FreeBSD 14.4 LPE via setcred() buffer overflow: 60-byte overwrite gives root
A single syscall overwrites 60 kernel stack bytes with user data, no info-leak needed.
A critical local privilege escalation vulnerability (CVE-2026-45250) has been discovered in FreeBSD 14.x's setcred(2) system call. The root cause is a type error in the function kern_setcred_copyin_supp_groups(): the expression sizeof(*groups) evaluates to 8 bytes (size of a pointer) instead of the intended 4 bytes (size of gid_t). This miscalculation affects both memory allocation and the copyin operation. For the stack path (when the number of supplementary groups is less than 16), the destination buffer is only 64 bytes (16 × 4), but the copyin writes up to 15 × 8 = 120 bytes, causing a 60-byte overflow of fully attacker-controlled data.
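As an added illustration of the sizeof() type error described above (this is example code, not the advisory's or FreeBSD's own source), the flawed length computation next to the intended one and a bounded copy that rejects oversized requests before writing; the gid_t ** out-parameter shape and the function names are assumptions, while the 16-entry stack threshold follows the text:

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>   /* gid_t */

/* Added illustration of the sizeof() type error described above; this is
 * not the FreeBSD source. The 16-entry stack threshold follows the text;
 * the gid_t ** out-parameter shape and all function names are assumed. */
#define SUPP_GROUPS_STACK_MAX 16

/* Bytes the flawed expression hands to copyin(). When groups is a
 * gid_t ** out-parameter, *groups is a gid_t *, so sizeof(*groups) is the
 * pointer size (8 on amd64) rather than sizeof(gid_t) (4). */
static size_t
flawed_copy_len(gid_t **groups, size_t ngroups)
{
    (void)groups;
    return ngroups * sizeof(*groups);   /* element size taken from the wrong type */
}

/* Intended length: element size taken from the element type itself. */
static size_t
correct_copy_len(size_t ngroups)
{
    return ngroups * sizeof(gid_t);
}

/* Bytes written past the end of the group data the caller meant to copy
 * (the 60-byte excess for 15 groups on amd64: 15 * 8 - 15 * 4). */
static size_t
excess_bytes(size_t ngroups)
{
    gid_t *out = NULL;
    return flawed_copy_len(&out, ngroups) - correct_copy_len(ngroups);
}

/* Hardened copy into a fixed buffer: the byte count is derived from the
 * element type and checked against the destination size before any write.
 * Returns 0 on success, -1 if the request would not fit. src stands in for
 * the user-space pointer copyin() would read. */
static int
copy_supp_groups_bounded(const gid_t *src, size_t ngroups,
    gid_t *dst, size_t dst_bytes)
{
    size_t len = correct_copy_len(ngroups);
    if (ngroups > SUPP_GROUPS_STACK_MAX || len > dst_bytes)
        return -1;
    memcpy(dst, src, len);
    return 0;
}
```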
The overflow occurs before any privilege check, meaning any unprivileged local user can trigger it. Working exploits have been developed for FreeBSD 14.4-RELEASE amd64 GENERIC kernels, both with and without SMAP/SMEP enabled. The SMAP/SMEP-safe variant requires only that the ZFS kernel module is loaded (default on any ZFS system). The bug was silently fixed in the main branch on 2025-11-27 as part of a larger refactoring, but the fix has not been backported to stable/14 or releng/14.4. FreeBSD 15.0 still has the type error but the code structure differs enough that the current exploit does not produce a working LPE—only a kernel panic.
- 60-byte stack buffer overflow in setcred(2) due to sizeof(gid_t*) (8 bytes) used instead of sizeof(gid_t) (4 bytes).
- Exploit works on FreeBSD 14.4-RELEASE amd64 GENERIC with SMAP/SMEP enabled; only requires zfs.ko loaded.
- Bug fixed in main but not backported; CVE-2026-45250, FreeBSD-SA-26:18.setcred.
Why It Matters
Critical local root exploit on every vulnerable FreeBSD 14.4 system—no info-leak needed, immediate patching required.