FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Use-after-free bug in the IPV6_MSFILTER socket option handler

Affected packages
15.0 <= FreeBSD-kernel < 15.0_10
14.4 <= FreeBSD-kernel < 14.4_6
14.3 <= FreeBSD-kernel < 14.3_15

Details

VuXML ID c5b7ac13-6473-11f1-958d-bc241121aa0a
Discovery 2026-06-09
Entry 2026-06-10

Problem Description:

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.

Impact:

An unprivileged local user can exploit this use-after-free to escalate privileges.

References

CVE Name CVE-2026-49412
FreeBSD Advisory SA-26:28.ip6_multicast

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.