alt.hn

5/9/2026 at 8:31:21 PM

Local privilege escalation via execve()

 https://www.freebsd.org/security/advisories/FreeBSD-SA-26:13.exec.asc

by Deeg9rie9usi

5/10/2026 at 3:54:23 AM 

    -     args->endp - args->begin_argv + consume);
    +     args->endp - (args->begin_argv + consume));
tbh I've considered simply banning math-operator-precedence in projects I work on, and requiring all mixed-operator code to use parenthesis or split to multiple statements. I do that myself, at least.

I've seen so many mistakes from it, and seen people spend so much pointless and avoidable time deciphering and verifying it, it really doesn't seem worth it (in most code) for the extremely minor character savings.

by Groxx

5/10/2026 at 6:05:01 AM

I think I’d generalize that rule to require parentheses in any situation where adding parentheses could change the interpretation. I think that’d leave int addition and multiplication, and I don’t think there’s anything else offhand. Other than those, require parentheses.

  a - b - c
is order dependent, even if its deterministic and knowable. When I’m scanning the code to look for a pesky bug, I don’t wanna have to take extra seconds to convince myself that it’s doing what I expect. It steals time and my limited attention from more interesting sections of code.

by kstrauser

5/10/2026 at 6:43:38 AM

> I think that’d leave int addition and multiplication, and I don’t think there’s anything else offhand. Other than those, require parentheses.

At this point you just require every compound infix expression to be parenthesised, the terseness isn't worth the inconsistency. Especially as, as others have noted, these operations are only associative when working in some classes (notably not necessarily when dealing with floats).

And then you do automatic parens insertion in the LSP, so you write

    a - b - c
and when you save the lsp fixed it up to

    (a - b) - c

by masklinn

5/10/2026 at 5:50:03 PM

I've also grown somewhat sensitive to duplication, maybe to a painful level. But, the memmove-call from the AI writeup has duplication in there:

    memmove(args->begin_argv + extend,
            args->begin_argv + consume,
            args->endp - args->begin_argv + consume);   // ← bug
If both `args->begin_argv + consume` are supposed to be the same concept and thus the same value, I'd have a variable for it by now. Some people hate it with a passion, but something like this removes the precendence thinking, prevents modification of one and not the other and makes it easier to follow, for me at least:

    retained_tail_begin = args->begin_argv + consume
    memmove(args->begin_argv + extend,
            retained_tail_begin,
            args->endp - retained_tail_begin);
Though at that point one might also encode the entire intent (as far as I understand it) in variables as well:

    space_to_replace_end = args->begin_argv + extend
    retained_tail_begin = args->begin_argv + consume
    memmove(space_to_replace_end,
            retained_tail_begin,
            args->endp - retained_tail_begin);
Sure we can golf the names somewhat, but that code has my head spin a lot less about math and precedence.

by tetha

5/10/2026 at 6:33:22 PM

Yeah - sharing a variable there is a pretty strong signal that they are the same concept and can't be allowed to be different, not just "maybe the same value". That's useful to know.

If there's a ton of it in a dense bit of code, 1) it might be too complex, try making it clearer, and 2) it unfortunately makes for a lot of indirection and that can make it harder to follow, which is generally why I see people dislike it. In non-critical code I can kinda agree with inlining it. Pointer arithmetic is imo never non-trivial tho, paranoia is warranted. Especially in a kernel.

by Groxx

5/10/2026 at 4:07:31 AM

- and + operators have the same precedence. And a similar bug is possible if the operators were the same (both -). So I’m not sure it’s right to blame this on operator precedence or mixed operators. It’s just that, ultimately, the “consume” needs to be subtracted, not added.

by om2

5/10/2026 at 4:13:07 AM

Non-mixed always goes strictly left to right, regardless of the operator, which I haven't seen anywhere near as much struggling with.

But yes, I personally parenthesize `a-b-c` explicitly, because it's not worth it for me to read and wonder if parenthesizing order matters later. Costs less than a second to write, saves a second or ten each time I read it - that's an excellent tradeoff imo, and is a trivial pattern to follow.

(Associative operators are fine, obviously)

by Groxx

5/10/2026 at 4:39:43 AM

I agree with explicit parentheses but please be careful about assuming associativity! The risk when handling floating-point arithmetic in particular is that associativity breaks, and suddenly a + (b + c) does NOT equal (a + b) + c. Not only can these lead to unexpected and hard-to-trace failure patterns, but depending on the details, they also can introduce memory overflow/underflow vulnerabilities.

by simonreiff

5/10/2026 at 2:25:04 PM

If you're going for bit-for-bit equivalence of float values, then even with a single operation you're relying on compiler flags, architecture, the phase of the moon... I'm hard-pressed to think of any memory safety issues though.

by chuckadams

5/10/2026 at 5:04:40 PM

Yea, you're in a fairly special niche of programming if you're somewhere that truly matters, and you can't accept any valid order's output. In most general code, if that kind of precision matters, float is the wrong choice: use a bignum object and be exactly correct regardless of how you organized your code.

Which is a niche that exists, obviously. So it is absolutely true for some cases. But I would hope that any code that requires this is extremely clear about requiring it.

by Groxx

5/10/2026 at 4:22:18 AM

Didn't you just suffer from the same trap the parent was trying to avoid?

by genxy

5/10/2026 at 12:18:44 PM

I once had a job interview where they wanted to evaluate my C knowledge. They showed me a printout of some pointer arithmetic and said spot the bug. (It may actually have been the old puzzle where it turns out that /* is always a comment opener and never a division by the referent of a pointer).

I said "well first, this is a mess, I'm putting parentheses here, here, here and here". They said "well you've fixed the bug but can you tell us where it was?"

I gave them a hypothesis but I said my "real answer" was that it's not worth our brain cycles to figure it out, you just shouldn't write code that requires knowing operator precedence. It's just such desperately boring information that I can't hold it in my head.

Interviewing such an insufferable smartarse was probably quite annoying but they did give me the job and I do stand by the underlying principle!

by bjackman

5/10/2026 at 4:35:31 PM

> I gave them a hypothesis but I said my "real answer" was that it's not worth our brain cycles to figure it out, you just shouldn't write code that requires knowing operator precedence. It's just such desperately boring information that I can't hold it in my head.

this is exactly how I think. and it goes for a lot of stuff in general, we have limited bandwidth and wasting it on useless stuff like this has no real purpose.

yet sometimes I see people show off about how they know how to deal with it but I just don't see the point.

by r_lee

5/10/2026 at 9:22:38 PM

Your response was more correct in a professional sense than producing the piece of knowledge you've been asked for. I'd prefer to work with people who value everyone's time and write programs accordingly. If the interviewer was looking for a valuable expert, they were lucky to get you on board.

by oleganza

5/10/2026 at 3:42:13 PM

I've never had to write or read code in an interview. I wonder how common that is?

by SoftTalker

5/12/2026 at 8:37:07 AM

It's very common, I believe all the Big Tech firms have you write code.

I think the example from my story was the only one I've had where I had to _read_ code. (I have heard of people doing "code review interviews" though).

I've also had a job interviews with no code though. For startups or non-FAANG type companies.

by bjackman

5/13/2026 at 2:56:56 AM

Literally all of them, for at least the past decade, afaik. Obviously it'll vary a lot outside those though, the field employs all kinds in all kinds of ways.

by Groxx

5/10/2026 at 7:00:19 AM

Smalltalk didn't have math operator precedence, and I thought it was very annoying but I've come to believe it was a good idea.

by riffraff

5/10/2026 at 1:56:39 PM

A much older language that does not have operator precedence is APL.

This is the right choice for a language with a great number of operators.

In C they have tried to minimize the number of parentheses in expressions, but for this they have created far too many levels of precedence between operators, which had the opposite effect to that intended, since people now prefer to insert superfluous parentheses, to avoid having to remember all those levels of precedence.

by adrian_b

5/10/2026 at 9:15:32 AM

That's what pony did also. Operator preceding rules are too arcane, such as the need for manual memory management.

by rurban

5/10/2026 at 7:43:35 AM

IIRC several industry and government coding standards don't permit evaluations in arguments to functions, as the compiler can end up doing wonky things, to say nothing of the likely human error. These are the kind of standards we should be adapting into a software building code to avoid security holes like this one.

by 0xbadcafebee

5/10/2026 at 10:55:04 AM

These standards are that way because older languages (specifically C and C++) have unspecified evaluation orders for arguments, so multiple argument expressions with conflicting side-effects are non-portable.

Here the expressions are pure, OooE has nothing whatsoever to do with the issue.

by masklinn

5/10/2026 at 12:43:05 PM

Or just use a language with a sane (read: defined) argument evaluation order, which is to say, every language that isn't C or C++.

by kibwen

5/9/2026 at 9:58:06 PM

Nice to randomly encounter our own work here.

Check out our blog post for a fun walkthrough: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-free...

AI-generated working exploit, write-up and prompts: https://github.com/califio/publications/tree/main/MADBugs/fr...

by cryptbe

5/10/2026 at 1:17:54 PM

Your bot's blog is above average bot level.

I am sure you have spend lots of time to make your bot works that great.

by j16sdiz

5/10/2026 at 3:10:22 PM

"our" is a stretch. Not only because you're giving an algorithm personhood, but because you didn't do any of the real work. So you could instead say that it's "nice to randomly encounter what I prompted an instance of [brand of artificially intelligent dowsing rod] to do". There's your chance to claim ownership; you can plainly state that you're the person who pressed the button.

by i-LINK

5/10/2026 at 3:59:28 PM

They are fixing bugs in open source projects. What are you doing? You're not even tapping that button.

by yunnpp

5/9/2026 at 10:02:12 PM

Calif is just killing it these past couple months. Reminder that Calif is Thai Duong's new firm.

by tptacek

5/9/2026 at 10:16:07 PM

You're always super kind to me :)

by cryptbe

5/10/2026 at 1:23:17 AM

Everyone's got a list of people they're proud to have worked with, you're on mine.

by tptacek

5/10/2026 at 5:08:54 AM

A CVE for exeCVE()

by dnw

5/10/2026 at 8:26:18 AM

Puttin' the CVE in execve.

by jeffrallen

5/10/2026 at 2:52:36 PM

Who would have thought.

by kkyktkrkekk

5/9/2026 at 9:06:41 PM

This is from April 28th, it was patched in 15.0R-p7.

by cyberpunk

5/9/2026 at 9:10:53 PM

-p8 is the current patch level for 15.0-RELEASE so if people have been keeping on top of patching this is already two reboots in the past.

by itsthefrank

5/9/2026 at 9:21:53 PM

[flagged]

by loeg

5/9/2026 at 9:36:33 PM

Or in other words, the response is well-coordinated so cperciva's bragging is justified, isn't it?

by broken-kebab

5/9/2026 at 10:49:51 PM

Indeed, I was thinking about this precise issue when I made the point that corresponding issues get handled much better in FreeBSD than in Linux.

by cperciva

5/9/2026 at 10:03:00 PM

He was talking about managing disclosure and patch flow, and you're just taking it as an opportunity to dunk on him.

by tptacek

5/9/2026 at 10:00:03 PM

I think cperciva may have been a touch overenthusiastic, but surely this is in fact proving his point? His claim was, as you note before trying to ignore it, about coordination. When one of the recent Linux LPEs broke, the fix wasn't in distro packages yet; there was a vulnerability that users couldn't practically do anything about. This is an LPE that is fixed in the binaries that have already shipped. If I was playing cheerleader, this is exactly the case I'd use to argue that FreeBSD being a single unified system is a win and that its approach to handing security problems is very on top of things.

by yjftsjthsd-h

5/9/2026 at 9:53:18 PM

A not-insignificant chunk of the userbase of the various BSDs is there because they were turned off of Linux after controversial things like Gnome 3, systemd being shoved down users' throats despite being a broken mess, wayland (though nobody was as arrogant about wayland as Poettering was about systemd), etc.

All that to say, the BSD userbase as a sizeable subset that are there for countercultural reasons, rather than technical. These are the people who buy into, say, OpenBSD's vaunted security reputation, or believe that "linux bad because reasons", so you're always going to get people in here bragging, because "not using linux" has become part of their identity.

I run a mix of FreeBSD and Linux on my personal devices. The ground truth is that FreeBSD is yet another unix-like OS written in C, and thus not immune from the types of bugs that stem from that lineage. None of the BSD distros are materially more secure or better than a properly-configured and patched Linux.

by stackghost

5/9/2026 at 9:58:08 PM

The person 'bragging' was not a countercultural user, but rather the FreeBSD engineering lead. They were, however, talking about FreeBSD's response to security vulnerabilities, in contrast to Linux's response.

> thus not immune from the types of bugs that stem from that lineage

They never claimed that FreeBSD didn't have vulnerabilities. I honestly have no idea why grandparent decided to bring up their comment when it exactly validates what the person they were criticising says. GP admits the response to the vulnerability was well-coordinated. The response to security vulnerabilities was the exact, and only, subject of the post they're calling out.

by applfanboysbgon

5/9/2026 at 10:11:15 PM

I wouldn't call it countercultural. And Wayland actually runs on freebsd these days.

I use Linux as well but I really like FreeBSD for a number of technical reasons. Like the ports collection, the jails, the first-class citizen ZFS.

And Gnome 3 doesn't really have anything to do with Linux. It is also available for FreeBSD if you want it (I don't, I hate the minimalist opinionated design style so I use KDE, also on Linux).

But I use Linux on servers where I run docker for example. It's not about "not using linux".

by wolvoleo

5/9/2026 at 11:19:08 PM

> And Gnome 3 doesn't really have anything to do with Linux.

There's a very hard push on getting Gnome 3 aligned to systemd. Gnome is actually my preferred DE on Linux when I choose to use one. But compatibility with Unix systems is becoming harder every day.

by skydhash

5/10/2026 at 12:14:57 AM

Yes even KDE recently introduced a new display manager that is completely tied to systemd. For that reason it's not supported on FreeBSD. But sddm still works of course. But it is a worrying precedent.

From the gnome team this was to be expected because they are beholden to RedHat/IBM and the other big distros who push systemd heavily. But from the KDE team I didn't.

I've stopped my monthly KDE donations for this reason. Just to send a message that this isn't ok.

by wolvoleo

5/9/2026 at 9:58:32 PM

I also use a mix. I moved to FreeBSD initially after a rough period w/Linux in the late 90's. Today, my FreeBSD machines are all VMs running on Linux hosts!

by icedchai

5/9/2026 at 10:04:07 PM

Hah I'm your mirror version -- my linux machines are all VMs running on FreeBSD hosts!

by cyberpunk

5/10/2026 at 2:16:36 AM

Is bhyve working well for you? Maybe I'll try that in my next rev of my home lab.

by icedchai

5/9/2026 at 10:12:15 PM

Oh you use bhyve?

I've tried to use it but I dound it pretty difficult for systems that need a GUI. Maybe I should revisit.

by wolvoleo

5/9/2026 at 10:19:57 PM

Yep, most of my linuxes are headless -- but I do have a VM which I pass a graphics card through to for games and ai stuff though -- works really well (as long as you don't reboot the VM, it has a hard time attaching to the gfx card the second time for some reason, not looked into it much)

sysutils/vm-bhyve makes it quite friendly.

I wouldn't use it for work, though, just personal. Work is all enterprisey kubernetes stuff.

Edit: there is a 'proxmox-like' for FreeBSD out [0] -- I did try it on a couple machines and couldn't get the network working, but consoles seemed to work.. Kinda.

0: https://sylve.io

by cyberpunk

5/9/2026 at 10:24:32 PM

Ah I don't really have a second GPU to dedicate to it though. A virtual console like in VMware or QEMU/KVM would be great. Thanks for the heads-up about sylve! I'll check it out.

For me it's all personal too. For work we still use VMWare a lot.

by wolvoleo

5/9/2026 at 9:40:47 PM

Its like rain on your wedding day - not actually ironic, just unfortunate.

by bch

5/9/2026 at 10:08:01 PM

Oof that's a pretty big one, I didn't realise but I had already updated anyway.

by wolvoleo

5/10/2026 at 12:35:20 AM 

  memmove(args->begin_argv + extend, args->begin_argv + consume,
      args->endp - args->begin_argv + consume);   // ← bug
C code like this is why we can't have nice things. Arithmetic operation in the arguments of a dangerous function call with no explicit bounds check.

by 0xbadcafebee

5/10/2026 at 1:04:09 AM

"I just don't write bugs"

Yeah.

by sethops1

5/10/2026 at 4:04:14 PM

[flagged]

by jahanzeb1018

5/9/2026 at 8:45:48 PM

> IV. Workaround

> No workaround is available.

Oh dear.

by rvz

5/9/2026 at 8:56:54 PM

> V. Solution

> Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.

Not everyone can just freebsd-update and reboot, so yes, "Oh dear." is a good response to this.

by itsthefrank

5/9/2026 at 9:07:17 PM

Why can't they? Upgrading and rebooting is kinda the standard response for most security issues. So I would expect something like Ansible's playbooks for this exact scenario. You might also have it setup as a staggered rollout.

by skydhash

5/9/2026 at 9:01:48 PM

Anyone relying on a 30+ year old monolith kernel written in C to not have some exploitable LPEs lurking should stay in basket weaving and out of sysadmin.

by epcoa

5/9/2026 at 9:09:48 PM

Yep.

You should treat any system where non-admins regularly login as basically insecure/owned and rig your architecture appropriately.

TBH -- I don't have any of these kinds of boxes anymore. Who is really running anything like this in 2026 and for what purpose?

by cyberpunk

5/9/2026 at 10:00:23 PM

Not necessarily FreeBSD, but for Linux this applies to most universities with a CS program, I think.

The systems should be cut off from sensitive administrative data, but a malicious student would at the very least have access to the other students' data with an LPE.

by mrln

5/9/2026 at 9:47:39 PM

>> monolith kernel written in C

> Who is really running anything like this in 2026 and for what purpose?

Am I parsing your question correctly?

by bch

5/9/2026 at 9:53:12 PM

No, I worded it badly. See below.

by cyberpunk

5/9/2026 at 9:30:23 PM

Stability of ecosystem. No systemd. Native ZFS. Jails over Docker. Been using it for 20+ years and it’s my preferred server OS.

by jmspring

5/9/2026 at 9:41:29 PM

No, I mean do you run FreeBSD boxes where users who should not ever assume root access actually login to do tasks?

My point is that if you do, you probably shouldn't run, for e.g applications which need production db credential, or hold sensitive data on these boxes, or .. whatever.

Edit: I use FreeBSD extensively, for various things -- but shell access to them is restricted to the sysadmins..

by cyberpunk

5/10/2026 at 3:47:55 PM

No. And hosting providers I have used usually use VM isolation (QEMU/etc) for the VPS type instances they allocate to users. The VM is vulnerable if it happens to have a kernel compiled such that allows this vuln.

by jmspring

5/10/2026 at 3:49:48 PM

Also statements like this one - TBH -- I don't have any of these kinds of boxes anymore. Who is really running anything like this in 2026 and for what purpose?

Does not convey what your clarification attemps to state.

by jmspring

5/10/2026 at 2:58:13 PM

I mean, where I work we offer machines to external users where they have shell access to be able to do their science, but I don't want them to have root access. Other institutes we work with (like supercomputer networks, etc) give us/users non-root access.

When things like CVE-2026-31431 or the bug that this thread is about affect our systems it causes a big headache. Yeah, we firewall off what we _can_ by having different machines doing critical things versus the ones where science users have code execution, but we don't have the resources to give every user their own machine.

by KAMSPioneer

5/10/2026 at 5:20:47 AM

Hard to tell about FreeBSD, it's basically extincted, but think of webhosting servers, wordpress, cPanel/Plesk and alike.

often it's ssh'able with things like rbash and other restrictions and almost always you, well, can run something there (as you can edit php/other files right from web management ui).

Hordes of this (in Linux world).

by CoolCold

5/11/2026 at 7:31:05 PM

Extinct? Far from, just doesn’t draw the crowd/press Linux does. An OS used as a stable server OS workhorse with exceptional ZFS support and doesn’t have to push for the desktop market doesn’t mean it’s extinct.

I’ve run FreeBSD on stinkpads back in the early 2000s fine. I prefer MacOS these days as a daily driver - hardware quality.

But server OS is FreeBSD. Void when I need Cuda/docker/etc. (Yes, FreeBSD has docker support, but just use Linux if needing that.

by jmspring

5/9/2026 at 9:42:53 PM

Same. I've been using it since 1996. Initially, we used it at an early ISP for DNS, SMTP, and POP3 for roughly 8K users, and it stuck with me.

by icedchai

5/10/2026 at 3:34:20 AM

Free root for anyone for over 20 years too.

by tick_tock_tick

5/10/2026 at 2:04:42 PM

Nope.

The bug appears to have been introduced in some FreeBSD 13 version.

I run FreeBSD servers that do not have this bug. In my "kern_exec.c" there is no "consume" anywhere. There is also no "memmove" at all.

That file was last patched in 2024, but whatever changes had introduced that bug, they were not back-ported to older FreeBSD versions, so those are not affected.

by adrian_b

5/9/2026 at 9:08:34 PM

Not sure why the snark but if people are running FreeBSD then they should be...basket weaving instead of using it? Yes, the correct solution is to patch and reboot but not everyone is in a place to jump and do that which is why a temp workaround, if possible, would be welcome

by itsthefrank

5/9/2026 at 10:06:30 PM

I think good system should be prepared to do a reboot in a short notice. Even some long running jobs can have a pause mechanism.

by wswin

5/12/2026 at 5:19:12 PM

There was no snark. If you have something of importance running and the inevitable discovery of an LPE is something you don’t have defense for or can quickly mitigate you’re doing a bad job as a sysadmin. For all general purpose OS in common use today that usually means patch and reboot should be an NBD workaround.

by epcoa

5/9/2026 at 10:04:44 PM

...as opposed to what, exactly? Linux is a 34 y.o. monolithic kernel in C, the BSDs are all forked from the same base (386BSD) of around the same age, XNU is 29 years old (and also heavily based on BSD code while also throwing in mach code) in C and other languages,...

by yjftsjthsd-h

5/10/2026 at 2:34:37 AM

The 33 year old Windows NT kernel, duh.

by raddan

5/9/2026 at 10:11:29 PM

What prevents it?

by paulddraper

5/9/2026 at 10:03:58 PM

Does this vulnerability not rely on SUID binaries?

by tptacek

5/9/2026 at 10:46:50 PM

I don't think so? It's a buffer overflow in the system call.

by cperciva

5/9/2026 at 11:24:36 PM

I just read that it was spilling into argv or something and assumed the vector was somehow injecting arguments or something.

by tptacek

5/9/2026 at 11:53:07 PM

The exploit is injecting environment variables, but yes, close enough. You need someone to call execve as root in order to become root, but you don't need a setuid binary.

by cperciva

5/10/2026 at 7:51:13 PM

I am reading:

"When the timing aligns, the trigger's buggy memmove causes K+1 to self-overwrite, replacing sshd-session's real environment with the preseed payload. sshd-session's exec_copyout_strings copies LD_PRELOAD=/tmp/evil.so to the new process's stack, the runtime linker loads evil.so, and its constructor copies /bin/sh to /tmp/rootsh and sets it suid root. My human's unprivileged user runs /tmp/rootsh -p and gets a root shell."

... so at the very end of the exploit chain, is /tmp/rootsh required to be suid root before it is finally run to get the root shell ?

... or is the exploit already achieved and /tmp/rootsh is just an arbitrary indicator ?

by rsync

5/11/2026 at 2:20:58 AM

The exploit already succeeded at that point, creating the setuid /tmp/rootsh is just a way of making it permanent.

by cperciva

5/10/2026 at 9:18:55 PM

One of the authors is on this subthread correcting me. :)

by tptacek

5/10/2026 at 8:28:04 AM

IV. Workaround

Accept that everything is broken and terrible and yet somehow find a way to keep a sense of humor and smile about it.

by jeffrallen

5/10/2026 at 8:01:12 AM

I really am starting to think that the level of technical understanding on HN is so low that when readers see an exploit like this, they imagine basically the cult classic movie "Hackers" in their heads where some guy hacks into any machine of their choosing.

by ActorNightly

5/9/2026 at 10:12:35 PM

Why? Just update.

by wolvoleo

5/10/2026 at 7:54:51 AM

[flagged]

by andrew_kwak

5/9/2026 at 9:03:19 PM

Linux is on their second and FreeBSD is on their first. How many is Windows on?

by doublerabbit

5/9/2026 at 9:09:11 PM

If you think Linux is on their first or second, I'm not sure how or what you're counting.

by dwattttt

5/9/2026 at 9:24:46 PM

> I'm not sure how or what you're counting.

The recent two. FailCopy and DirtyFrag and FreeBSD with Execve.

2 - Linux 1 - FreeBSD.

Of course, all OS have had past-time exploits. Three now have made the news.

by doublerabbit

5/9/2026 at 9:46:34 PM

Your question was "how many high profile privilege escalations Windows has had recently" then? I can't think of any, 0?

by dwattttt

5/11/2026 at 8:31:52 AM

Windows vulnerability list is overflowing with lpes, hundreds of them. You should filter it per month, the list is too big to load in full.

by GoblinSlayer

5/9/2026 at 11:00:15 PM

It was a sarcastic joke, never mind.

by doublerabbit

5/9/2026 at 9:07:08 PM

Plenty, Microsoft has security teams whose job is to attack Windows.

Naturally they don't do blog posts about what they find.

by pjmlp

5/9/2026 at 9:53:46 PM

Local privilege escalation is largely irrelevant on Windows because basically no one uses it in a multi-user system, and application sandboxing is effectively nonexistent.

by murderfs

5/10/2026 at 12:21:39 AM

I get that multiple human users on a same machine is rare nowadays, and that per-app users were never a thing.

But windows still has a root and a lower privilege user. You typically need to click on "run as admin" to elevate privileges to, for example, alter system binaries.

by TZubiri

5/10/2026 at 12:34:09 AM

I know that Chrome on Windows tries to lower its privileges to mitigate exploits, and although it's not very popular, the MS Store app platform does try to do full isolation of apps. So actually, per-app separation of users kinda does happen, or is attempted on Windows.

by asveikau

5/10/2026 at 4:38:29 AM

Sure, but that's mostly academic: compromise of the user account is game over for any real user. Not actually being Administrator isn't much consolation when the regular user account can extract your cookie jar, record all of your keystrokes and mouse movements, record all desktop video (except for DRM-protected content, heh) etc.

by murderfs

5/9/2026 at 9:14:24 PM

You talk as if Windows is the only OS that has red teams attacking the system when clearly that isn’t even remotely true.

by hnlmorg

5/9/2026 at 11:01:03 PM

No, they're saying security work happens in the Windows world but not as much in the open, due to the closed source nature.

by asveikau

5/10/2026 at 5:19:18 AM

I talk about that because it is public, and the OP mentioned Windows.

It he talked about Android, I would have mentioned Project Zero.

Don't twist the meaning of posts.

by pjmlp