CVE-2008-5736

FreeBSD 6-7 - Privilege Escalation via Uninitialized Function Pointers

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-5736. PoCs published by Don Bailey, zx2c4.

AI-analyzed exploit summary: This exploit targets a FreeBSD kernel vulnerability (CVE-2008-4946) in the protosw structure to overwrite the credential structure, granting root privileges (euid=0) to the attacker's process. It uses memory mapping and a crafted payload to achieve local privilege escalation.

Description

Multiple unspecified vulnerabilities in FreeBSD 6 before 6.4-STABLE, 6.3 before 6.3-RELEASE-p7, 6.4 before 6.4-RELEASE-p1, 7.0 before 7.0-RELEASE-p7, 7.1 before 7.1-RC2, and 7 before 7.1-PRERELEASE allow local users to gain privileges via unknown attack vectors related to function pointers that are "not properly initialized" for (1) netgraph sockets and (2) bluetooth sockets.

Exploits (2)

exploitdb WORKING POC VERIFIED
by Don Bailey · c · local · freebsd
https://www.exploit-db.com/exploits/7581

This exploit targets a FreeBSD kernel vulnerability (CVE-2008-4946) in the protosw structure to overwrite the credential structure, granting root privileges (euid=0) to the attacker's process. It uses memory mapping and a crafted payload to achieve local privilege escalation.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: FreeBSD (versions affected by FreeBSD-SA-08:13.protosw)
No auth needed
Prerequisites: Local access to a vulnerable FreeBSD system · Knowledge of the 'allproc' kernel address
devstral-2 · analyzed Feb 16, 2026

exploitdb WORKING POC
by zx2c4 · c · local · bsd
https://www.exploit-db.com/exploits/16951

This exploit leverages a null pointer dereference in FreeBSD's Netgraph implementation (CVE-2008-5736) to achieve local privilege escalation. It maps the null page, injects a jump to shellcode, and triggers the vulnerability via a netgraph socket to gain root privileges.

Classification: Working PoC 100%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: FreeBSD <= 6.4-RELEASE
No auth needed
Prerequisites: Local access to a vulnerable FreeBSD system · Ability to execute arbitrary code
devstral-2 · analyzed Feb 16, 2026

References (9)

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/7581
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/8124
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/16951
Vendor Advisory vendor-advisory x_refsource_freebsd
http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc
Broken Link vdb-entry x_refsource_osvdb
http://osvdb.org/50936
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1021491
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/32976
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/33209

Scores

EPSS: 0.0120
EPSS Percentile: 63.9%

Details

CWE: CWE-264
Status: published
Products (5):
- freebsd/freebsd 6.0
- freebsd/freebsd 6.3 (7 CPE variants)
- freebsd/freebsd 6.4
- freebsd/freebsd 7.0 (6 CPE variants)
- freebsd/freebsd 7.1 (2 CPE variants)
Published: Dec 26, 2008
Tracked Since: Feb 18, 2026