HeadlinesBriefing.com

FreeBSD 14.x Kernel Privilege Escalation Flaw

Hacker News

A critical local privilege escalation vulnerability exists in FreeBSD 14.x kernels: a stack buffer overflow in the setcred(2) system call. The overflow happens before any privilege check is made, so any unprivileged local user can reach it, with outcomes ranging from a kernel panic to a full root compromise. Working exploits have been demonstrated against both protected and unprotected kernel builds, so exposed FreeBSD systems should be treated as at risk until patched.

The root cause is a single sizeof mistake in kern_setcred_copyin_supp_groups(): the element size is taken as sizeof(*groups), which on a 64-bit kernel is the size of a pointer (8 bytes) rather than the size of a gid_t (the intended 4 bytes). The copy therefore writes twice as many bytes as the on-stack groups buffer holds, a 60-byte overflow that clobbers saved register values and lets the caller hijack control flow. The bug was silently fixed in the main branch on 2025-11-27 as a side effect of a broader refactoring of the function, and the fix was never backported to the stable branches.
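To make the arithmetic behind the bug concrete, the following is an added userland model, not FreeBSD's code. It reproduces the sizeof(*groups) versus sizeof(**groups) confusion on a gid_t ** out-parameter, puts the buggy and corrected byte counts side by side, and shows how a copy sized with the wrong element size spills from the on-stack groups buffer into whatever follows it in the frame. The 16-entry buffer, the frame layout, the model_ names and the constructed user-supplied group list are all assumptions for illustration; FreeBSD's real constants and stack layout are not given on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* gid_t is a 32-bit unsigned integer on FreeBSD; modelled here so the
 * example builds on any host without pulling in <sys/types.h>. */
typedef uint32_t model_gid_t;

/* Assumed size of the small on-stack groups buffer. FreeBSD's real
 * constant is not stated on the page; 16 is an illustrative choice. */
#define MODEL_SMALL_NB 16
#define MODEL_SAVED_NB 8

/* Stand-in for the relevant part of a kernel stack frame: the gid buffer
 * followed by eight 8-byte slots that play the role of saved registers. */
struct model_frame {
    model_gid_t smallgroups[MODEL_SMALL_NB];
    uint64_t    saved[MODEL_SAVED_NB];
};

/* The bug: `groups` is a gid_t ** out-parameter, so sizeof(*groups) is the
 * size of a gid_t * (8 bytes on LP64), not the size of one gid_t (4). */
static size_t buggy_copy_bytes(model_gid_t **groups, size_t ngroups)
{
    return ngroups * sizeof(*groups);
}

/* The intended computation: one more dereference reaches the element type.
 * Naming the type outright (sizeof(model_gid_t)) would be clearer still. */
static size_t fixed_copy_bytes(model_gid_t **groups, size_t ngroups)
{
    return ngroups * sizeof(**groups);
}

/* Bytes written past a buffer of `nbuf` gids when `ngroups` entries are
 * copied with the buggy (1) or fixed (0) element size. */
static size_t overflow_bytes(size_t ngroups, size_t nbuf, int buggy)
{
    model_gid_t *out = NULL;
    model_gid_t **groups = &out;
    size_t want = buggy ? buggy_copy_bytes(groups, ngroups)
                        : fixed_copy_bytes(groups, ngroups);
    size_t have = nbuf * sizeof(model_gid_t);
    return want > have ? want - have : 0;
}

/* Models the copy-in: the entry count is checked, but the byte count is
 * derived from `elemsize`, so a count check alone cannot catch the bug.
 * Returns how many saved[] slots were clobbered, -1 if the count check
 * rejects the request, -2 if the copy would leave the frame (the model
 * bounds itself so it stays well-defined). */
static int model_copyin(struct model_frame *f, const model_gid_t *ugroups,
                        size_t ngroups, size_t elemsize)
{
    size_t nbytes;
    int clobbered = 0;

    if (ngroups > MODEL_SMALL_NB)
        return -1;
    nbytes = ngroups * elemsize;
    if (nbytes > sizeof(*f))
        return -2;
    memset(f, 0, sizeof(*f));
    memcpy((unsigned char *)f + offsetof(struct model_frame, smallgroups),
           ugroups, nbytes);
    for (size_t i = 0; i < MODEL_SAVED_NB; i++)
        if (f->saved[i] != 0)
            clobbered++;
    return clobbered;
}

/* Runs the model with a constructed, attacker-controlled group list twice
 * the buffer size, since a caller can place arbitrary bytes after the gids
 * it claims to pass. Returns the number of clobbered saved[] slots. */
static int run_model(size_t elemsize)
{
    struct model_frame frame;
    model_gid_t ugroups[2 * MODEL_SMALL_NB];   /* constructed input */
    for (size_t i = 0; i < sizeof(ugroups) / sizeof(ugroups[0]); i++)
        ugroups[i] = 0x41414141u;
    return model_copyin(&frame, ugroups, MODEL_SMALL_NB, elemsize);
}

int main(void)
{
    printf("15 groups into a 15-entry buffer, buggy size: %zu bytes past the end\n",
           overflow_bytes(15, 15, 1));
    printf("16 groups, buggy sizeof(*groups):  %d saved slots clobbered\n",
           run_model(sizeof(model_gid_t *)));
    printf("16 groups, fixed sizeof(**groups): %d saved slots clobbered\n",
           run_model(sizeof(model_gid_t)));
    return 0;
}
```

With a 15-entry buffer the model reproduces the 60-byte figure from the writeup (15 entries times 4 extra bytes each). The correction to sizeof(**groups) is only half the lesson: the other half is to bound the copy in bytes against the destination (nbytes <= sizeof(f->smallgroups)) rather than only in entries, because a count-only check passes unchanged when the element size is wrong.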

FreeBSD 14.4-RELEASE remains vulnerable and exploitable. FreeBSD 15.0 carries the same typo, but there it produces only a kernel panic (a local denial of service) rather than privilege escalation. FreeBSD 13.x and earlier are not affected because they do not have the setcred(2) system call at all. The only precondition for exploitation is that zfs.ko be loaded, which is the case on every FreeBSD installation that uses a ZFS pool, so most deployed systems are potentially affected.