CVE-2026-49412 in FreeBSD

Summary

by MITRE • 06/27/2026

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.

An unprivileged local user can exploit this use-after-free to escalate privileges.


Analysis

by VulDB Data Team • 06/28/2026

This vulnerability is a critical use-after-free in the Linux kernel's IPv6 multicast filtering implementation that unprivileged local users can exploit for privilege escalation. The flaw lies in the kernel's handling of the IPV6_MSFILTER socket option, where the handler drops a serializing lock to copy data from userspace, opening a window in which a race can occur. The affected subsystem is the IPv6 multicast filtering code that manages source-filter lists for multicast group memberships.

In the affected code path, a thread holding the lock performs a copy_from_user to retrieve the source-filter data, releasing the lock for the duration of this potentially blocking operation. Between the release and the reacquisition, a concurrent thread may free the multicast filter structure the first thread is still working on. When the first thread reacquires the lock and continues, it accesses the freed memory through its stale pointer, producing undefined behavior that can be turned into privilege escalation.

The vulnerability maps to CWE-416 (use after free: continuing to use a pointer after the memory it refers to has been freed) and to ATT&CK technique T1068 (local privilege escalation through kernel exploits). The operational impact is severe: any unprivileged local user can leverage the flaw to execute arbitrary code with kernel privileges, bypassing the system's security boundaries. The race window is typically very small but sufficient for exploitation, which makes the flaw particularly dangerous in multi-threaded environments where concurrent operations are common.

Exploitation requires local access and relies on the timing weakness in the kernel's locking around the userspace data transfer. Mitigation consists of kernel patches that remove the race, either by keeping the lock held for the entire copy operation or by reference counting the multicast filter structures so they cannot be freed while still in use. Administrators should prioritize patching affected kernel versions and monitor for unusual local process behavior that might indicate exploitation attempts. Restricting local user access where possible and enabling kernel hardening such as stack canaries and address space layout randomization further complicate exploitation.
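The race described in the analysis and the "keep the lock held while the pointer is in use" fix it recommends, as an added C model written for this page (it is not FreeBSD or Linux kernel source): a handler that caches the filter pointer, drops the lock around a copyin stand-in and reuses the cached pointer afterwards, beside a hardened version that copies into a kernel-side buffer first and only then takes the lock and reads the pointer fresh. All names (`sock_mcast_state`, `src_filter`, `model_copyin`, `racer_replace_filter`, `demo`) and the result codes are constructed; the competing thread is forced to run through a hook instead of a real scheduler so the interleaving is deterministic, and a `freed` flag stands in for the real free() so the stale use is observable without undefined behaviour. The reference-counting alternative the analysis also names is not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of the IPV6_MSFILTER race; not FreeBSD or Linux source. */
#define MAX_SRC 8

struct src_filter {               /* stands in for the kernel's source-filter list */
    int nsrc;
    uint32_t src[MAX_SRC];
    int freed;                    /* demo-only: set instead of free() so stale use is observable */
};

struct sock_mcast_state {         /* stands in for the per-socket multicast state */
    int locked;                   /* single-threaded stand-in for the serializing lock */
    struct src_filter *filter;    /* can be replaced by another thread while unlocked */
};

enum { RES_OK = 0, RES_STALE_USE = 1, RES_EFAULT = 2, RES_NOFILTER = 3 };
typedef void (*racer_fn)(struct sock_mcast_state *);

static void st_lock(struct sock_mcast_state *st)   { st->locked = 1; }
static void st_unlock(struct sock_mcast_state *st) { st->locked = 0; }
void st_init(struct sock_mcast_state *st) { st->locked = 0; st->filter = calloc(1, sizeof(*st->filter)); }

/* Stand-in for copyin(): it may sleep on a page fault, so callers drop the lock
 * around it. 'racer', if given, models the thread scheduled during that sleep. */
static int model_copyin(uint32_t *dst, const uint32_t *usrc, int n,
                        struct sock_mcast_state *st, racer_fn racer)
{
    if (usrc == NULL || n < 0 || n > MAX_SRC) return RES_EFAULT;
    if (racer != NULL) racer(st);
    memcpy(dst, usrc, (size_t)n * sizeof(*dst));
    return RES_OK;
}

/* The competing thread: tears down the current filter and installs a new one. */
void racer_replace_filter(struct sock_mcast_state *st)
{
    st_lock(st);
    st->filter->freed = 1;        /* the real kernel would free() the structure here */
    st->filter = calloc(1, sizeof(*st->filter));
    st_unlock(st);
}

/* Vulnerable shape: the filter pointer is cached under the lock, the lock is
 * dropped for the copy, and the cached pointer is used after reacquiring it. */
int set_filter_vulnerable(struct sock_mcast_state *st, const uint32_t *usrc, int n, racer_fn racer)
{
    uint32_t kbuf[MAX_SRC];
    st_lock(st);
    struct src_filter *f = st->filter;  /* captured before the lock is dropped */
    st_unlock(st);
    if (model_copyin(kbuf, usrc, n, st, racer) != RES_OK) return RES_EFAULT;
    st_lock(st);
    /* In real code the next write lands in freed memory; the model reports it instead. */
    if (f->freed) { st_unlock(st); return RES_STALE_USE; }
    f->nsrc = n;
    memcpy(f->src, kbuf, (size_t)n * sizeof(*kbuf));
    st_unlock(st);
    return RES_OK;
}

/* Hardened shape: copy into a kernel buffer first, then take the lock and read
 * the filter pointer fresh, so the lock is held for as long as the pointer is used. */
int set_filter_fixed(struct sock_mcast_state *st, const uint32_t *usrc, int n, racer_fn racer)
{
    uint32_t kbuf[MAX_SRC];
    if (model_copyin(kbuf, usrc, n, st, racer) != RES_OK) return RES_EFAULT;
    st_lock(st);
    struct src_filter *f = st->filter;  /* re-read under the lock; nothing cached across the copy */
    if (f == NULL || f->freed) { st_unlock(st); return RES_NOFILTER; }
    f->nsrc = n;
    memcpy(f->src, kbuf, (size_t)n * sizeof(*kbuf));
    st_unlock(st);
    return RES_OK;
}

/* Runs one handler on fresh state with the competing thread forced to run during the copy. */
int demo(int hardened)
{
    struct sock_mcast_state st;
    const uint32_t usrc[3] = { 0xff020001u, 0xff020002u, 0xff020003u }; /* constructed input */
    st_init(&st);
    return hardened ? set_filter_fixed(&st, usrc, 3, racer_replace_filter)
                    : set_filter_vulnerable(&st, usrc, 3, racer_replace_filter);
}

int main(void)
{
    printf("vulnerable handler: %d (1 = used a freed filter)\n", demo(0));
    printf("hardened handler:   %d (0 = ok)\n", demo(1));
    return 0;
}
```

The detail worth noticing is that the hardened handler never holds a filter pointer across an unlocked region at all: the blocking copy finishes before the lock is taken, so there is no window in which another thread's free can invalidate anything the handler still intends to use. A code reviewer can apply the same check to any kernel path that drops a lock around copyin/copy_from_user: whatever was read from the protected structure before the drop must be treated as stale once the lock is reacquired.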

Responsible

FreeBSD

Reservation

05/29/2026

Disclosure

06/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00104

KEV

no

Activities

very low
