FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Use-after-free in device pager page list

Affected packages
15.1 <= FreeBSD-kernel < 15.1_1
15.0 <= FreeBSD-kernel < 15.0_11
14.4 <= FreeBSD-kernel < 14.4_7
14.3 <= FreeBSD-kernel < 14.3_16

Details

VuXML ID 5a34b147-74e0-11f1-958d-bc241121aa0a
Discovery 2026-06-30
Entry 2026-07-01

Problem Description:

When msync(MS_INVALIDATE) is called on a mapping of an unmanaged device object, the physical pages in the mapping range are marked invalid but remain in the pager's page list. A subsequent page fault will cause the fault handler to re-insert the page into the object's list. This corrupts the list, and on object destruction the page is freed twice.

Impact:

An unprivileged local user with access to a device that provides memory-mapped I/O can trigger a use-after-free in the kernel, though this is limited to a pool of objects ("fictitious pages") that are never recycled for a different purpose. It may be possible to exploit this to escalate privileges.

References

CVE Name CVE-2026-49418
FreeBSD Advisory SA-26:37.vm
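
The following shell function is an added example, not part of the advisory or of FreeBSD's own tooling. It checks a kernel version string, as printed by `freebsd-version -k`, against the ranges listed under "Affected packages". It assumes that `X.Y-RELEASE-pN` corresponds to the VuXML version `X.Y_N`; the function names are illustrative.

```shell
#!/bin/sh
# Usage (on the host being checked): sh <this-script> "$(freebsd-version -k)"

# Ranges copied from "Affected packages": "<branch> <first fixed patch level>".
# "14.3 <= FreeBSD-kernel < 14.3_16" becomes "14.3 16".
AFFECTED_RANGES='15.1 1
15.0 11
14.4 7
14.3 16'

# Split "14.3-RELEASE-p15" into "14.3 15"; a bare "14.3-RELEASE" is patch 0.
# Assumption: -RELEASE-pN maps to the _N suffix used in the VuXML ranges.
parse_kernel_version() {
    case "$1" in
        *-RELEASE-p*) branch=${1%%-RELEASE-p*}; patch=${1##*-RELEASE-p} ;;
        *-RELEASE)    branch=${1%-RELEASE};     patch=0 ;;
        *)            return 1 ;;  # -STABLE, -CURRENT, ...: not expressible here
    esac
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s %s\n' "$branch" "$patch"
}

# Prints one of:
#   affected    branch is listed and patch level is below the fixed one
#   patched     branch is listed and patch level is at or above the fixed one
#   not-listed  branch does not appear in the advisory's ranges
#   unknown     version string could not be parsed
kernel_status() {
    parsed=$(parse_kernel_version "$1") || { echo unknown; return 0; }
    branch=${parsed% *}
    patch=${parsed#* }
    result=not-listed
    while read -r listed fixed; do
        if [ "$listed" = "$branch" ]; then
            if [ "$patch" -lt "$fixed" ]; then result=affected; else result=patched; fi
        fi
    done <<EOF
$AFFECTED_RANGES
EOF
    echo "$result"
}

if [ "$#" -gt 0 ]; then
    kernel_status "$1"
fi
```

A `not-listed` or `unknown` result says only that the version falls outside what these four ranges can express, not that the kernel is unaffected.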