CVE-2019-5602

HIGH

FreeBSD Out-of-bounds Write in cdrom Driver

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-5602. PoCs published by test-one9.

AI-analyzed exploit summary This exploit targets a FreeBSD kernel vulnerability (CVE-2019-5602) by spraying memory with ucred structures and manipulating the CDIOCREADSUBCHANNEL_SYSSPACE ioctl to achieve local privilege escalation (LPE). The PoC forks multiple processes to create ucred structures and then triggers the vulnerability to overwrite kernel memory, potentially escalating privileges to root.

Description

In FreeBSD 12.0-STABLE before r349628, 12.0-RELEASE before 12.0-RELEASE-p7, 11.3-PRERELEASE before r349629, 11.3-RC3 before 11.3-RC3-p1, and 11.2-RELEASE before 11.2-RELEASE-p11, a bug in the cdrom driver allows users with read access to the cdrom device to arbitrarily overwrite kernel memory when media is present thereby allowing a malicious user in the operator group to gain root privileges.

Exploits (1)

nomisec WORKING POC

by test-one9 · poc

https://github.com/test-one9/CVE-2019-5602-poc

View Code ZIP pw:eip

This exploit targets a FreeBSD kernel vulnerability (CVE-2019-5602) by spraying memory with ucred structures and manipulating the CDIOCREADSUBCHANNEL_SYSSPACE ioctl to achieve local privilege escalation (LPE). The PoC forks multiple processes to create ucred structures and then triggers the vulnerability to overwrite kernel memory, potentially escalating privileges to root.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: FreeBSD kernel (versions affected by CVE-2019-5602)

Auth required

Prerequisites: Access to a vulnerable FreeBSD system · User must be in the 'operator' group to access /dev/cd0 · Kernel memory layout must match the hardcoded address (0xfffff8002e751e08)

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory x_refsource_freebsd

https://security.FreeBSD.org/advisories/FreeBSD-SA-19:11.cd_ioctl.asc

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/153522/FreeBSD-Security-Advisory-FreeBSD-SA-19-11.cd_ioctl.html

Scores

CVSS v3 8.8

EPSS 0.0409

EPSS Percentile 89.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-787 CWE-863

Status published

Products (3)

freebsd/freebsd 11.2 (10 CPE variants)

freebsd/freebsd 11.3 rc3

freebsd/freebsd 12.0 (7 CPE variants)

Published Jul 03, 2019

Tracked Since Feb 18, 2026