21-Year-Old FreeBSD Vulnerability Enables Remote Code Execution, CVE-2026-42511 Revealed

Security researchers have disclosed a critical remote code execution vulnerability in FreeBSD that remained unpatched for 21 years before disclosure. The flaw, tracked as CVE-2026-42511, affects multiple versions of the open-source operating system and could allow unauthenticated attackers to execute arbitrary code remotely.

The vulnerability was discovered by researchers at Aisle, who identified the flaw in a core component of FreeBSD's networking stack. According to the technical analysis, the issue stems from a memory corruption flaw that has existed in the codebase since approximately 2004. Attackers can exploit the vulnerability without requiring any authentication, making it particularly dangerous in internet-facing deployments.

The exposure raises significant risk for organizations running FreeBSD-based systems, including web servers, network appliances, and embedded devices. The long-standing nature of the flaw suggests potential widespread compromise if left unpatched. FreeBSD has released patches addressing the vulnerability, and administrators are urged to update affected installations immediately. The disclosure highlights persistent challenges in auditing legacy code within widely deployed open-source infrastructure.