The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
History

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Sat, 27 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary.
Title Flaw in Linuxulator execution of setugid binaries
Weaknesses CWE-266
References

cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published: 2026-06-27T09:08:23.756Z

Updated: 2026-06-29T13:05:38.668Z

Reserved: 2026-05-29T20:24:28.615Z

Link: CVE-2026-49413

cve-icon Vulnrichment

Updated: 2026-06-29T13:05:27.585Z

cve-icon NVD

No data.

cve-icon Redhat

No data.