CVE-2026-49412

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
27/06/2026
Last modified:
01/07/2026

Description

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.<br /> <br /> An unprivileged local user can exploit this use-after-free to escalate privileges.

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p12:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p13:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p14:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*