FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Jail reference count underflow

Affected packages
15.1 <= FreeBSD-kernel < 15.1_1
15.0 <= FreeBSD-kernel < 15.0_11

Details

VuXML ID a65c31d1-74e0-11f1-958d-bc241121aa0a
Discovery 2026-06-30
Entry 2026-07-01

Problem Description:

When the JAIL_AT_DESC flag is specified, kern_jail_set() and kern_jail_get() released the reference to the caller's current prison before looking up the jail descriptor. If the descriptor lookup failed, error-handling paths released the same reference a second time.

Impact:

An unprivileged local user can trigger a prison reference count underflow, which may cause the prison structure to be freed while still in use. When this is done on the jail host, the bug will generally result in an immediate panic. However, if the user is running in a jail, then it may be possible to exploit the bug to elevate privileges.

References

CVE Name CVE-2026-49419
FreeBSD Advisory SA-26:38.jail