Researchers at threat intelligence company Norse have identified a serious vulnerability in FreeBSD, the popular Unix-like operating system that’s used on servers, desktop computers and embedded platforms.
The issue is a buffer overflow vulnerability (CVE-2014-8611) affecting the “__sflush()” function in the operating system’s standard I/O library (stdio). The flaw can be leveraged to cause a heap buffer overflow, which could lead to data corruption or arbitrary code execution with the privileges of the calling program.
“The standard I/O library provides a simple and efficient buffered stream I/O interface. The library writes buffered data when it is full or when the application explicitly requests so by calling the fflush(3) function,” the FreeBSD Project wrote in a security advisory. “A programming error in the standard I/O library’s __sflush() function could erroneously adjust the buffered stream’s internal state even when no write actually occurred in the case when write(2) system call returns an error.”
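To make the advisory's description concrete, here is a simplified model of a buffered stream whose flush routine keeps unsent data when the underlying write fails. It is added here for illustration and is not FreeBSD's or Norse's code; `stream_t`, `stream_flush` and the always-failing `fail_writer` are constructed for this example. The unfixed error path adjusts the buffer position and free-space count even when nothing was written, so two failed flushes are enough to push the bookkeeping past the end of the buffer, which is the kind of stale state a later buffered write would then trust.

```c
#include <string.h>
#define BUFSZ 8

/* Simplified model of a write-buffered stream; not FreeBSD's FILE. */
typedef struct {
    unsigned char buf[BUFSZ];
    int pos;   /* bytes buffered so far (next free offset) */
    int w;     /* free bytes the stream believes remain */
} stream_t;
typedef int (*writer_fn)(const unsigned char *data, int len); /* models write(2): -1 on error */

static int stream_put(stream_t *s, const char *d, int n) {   /* buffer bytes if they fit */
    if (n > s->w) return -1;
    memcpy(s->buf + s->pos, d, (size_t)n);
    s->pos += n; s->w -= n;
    return 0;
}

/* Consistency check a caller could assert after every flush. */
static int stream_in_bounds(const stream_t *s) { return s->pos >= 0 && s->pos <= BUFSZ && s->w >= 0; }

/* Flush buffered bytes through wr(); `fixed` selects the corrected error path. */
static int stream_flush(stream_t *s, writer_fn wr, int fixed) {
    int p = 0, n = s->pos, t;
    for (; n > 0; n -= t, p += t) {
        t = wr(s->buf + p, n);
        if (t <= 0) {
            if (p > 0) {                 /* some was written: keep the unsent tail */
                memmove(s->buf, s->buf + p, (size_t)n);
                s->pos = n; s->w = BUFSZ - n;
            } else if (!fixed) {
                /* BUG: nothing was written, yet pos/w are adjusted as if reset to "empty" first, so n counts twice. */
                s->pos += n; s->w -= n;
            }
            return -1;
        }
    }
    s->pos = 0; s->w = BUFSZ; return 0; /* everything went out */
}

static int fail_writer(const unsigned char *d, int n) { (void)d; (void)n; return -1; }
/* Two failed flushes of 4 buffered bytes: returns the pending count the stream
 * believes it has, negated if that state no longer fits inside the buffer. */
static int demo_failed_flushes(int fixed) {
    stream_t s = { {0}, 0, BUFSZ };
    stream_put(&s, "abcd", 4);
    stream_flush(&s, fail_writer, fixed);
    stream_flush(&s, fail_writer, fixed);
    return stream_in_bounds(&s) ? s.pos : -s.pos;
}
```

With the corrected path the stream still reports the 4 bytes it really holds; with the unfixed path it ends up claiming 16 pending bytes in an 8-byte buffer, which `stream_in_bounds` flags.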
Adrian Chadd, senior kernel engineer at Norse, and Alfred Perlstein, director of appliance and kernel at Norse, discovered the security hole during the development process of the company’s product line. Chadd and Perlstein also created a patch for the bug, which they sent to the FreeBSD community.
No workaround is available for the vulnerability, so FreeBSD users are advised to apply the patch. They can do so by updating the operating system, or by applying a binary or source code patch.
“Norse appreciates the diligence of our development team, and the assistance of the FreeBSD security team with this process of responsible disclosure,” said Tim O’Brien, director of security threat intelligence for Norse. “Norse is committed to responsible disclosure, and supporting open source software. This is a great example of developers working with and improving an open source project, with full support of their employer. This directly influences our common objective of a safer Internet for everyone.”
FreeBSD was one of the many Unix-like operating systems affected by a vulnerability in the tnftp FTP client that could have been exploited to execute arbitrary commands. The existence of the flaw was reported in late October and FreeBSD released a patch a few days later.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.