Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-49412

CVE-2026-49412: FreeBSD Use-After-Free Vulnerability

CVE-2026-49412 is a use-after-free flaw in FreeBSD's IPV6_MSFILTER kernel handler enabling privilege escalation. This article covers technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-49412 Overview

CVE-2026-49412 is a use-after-free vulnerability [CWE-416] in the FreeBSD kernel handler for the IPV6_MSFILTER socket option. The handler releases its serializing lock while copying the source-filter list from userspace and then reacquires the lock. During this window, another thread can free the multicast filter structure, leaving the handler with a stale pointer to freed memory.

An unprivileged local user can exploit this condition to escalate privileges on affected FreeBSD systems. The vulnerability affects FreeBSD 14.3, 14.4, and 15.0 across multiple patch levels.

Critical Impact

Local attackers with unprivileged shell access can trigger a race condition in the IPv6 multicast filter handler to corrupt kernel memory and gain root-level privileges.

Affected Products

  • FreeBSD 14.3 (all patch levels through p14)
  • FreeBSD 14.4 (all patch levels through p5)
  • FreeBSD 15.0 (all patch levels through p9)

Discovery Timeline

  • 2026-06-27 - CVE-2026-49412 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-49412

Vulnerability Analysis

The FreeBSD kernel exposes IPV6_MSFILTER as a socket option that allows applications to configure IPv6 source-filter lists for multicast group membership. Setting this option requires copying a variable-length source-address list from userspace into kernel memory.

To avoid holding a serializing lock across a potentially blocking copyin operation, the kernel handler drops the lock, performs the userspace copy, and reacquires the lock afterward. This drop-and-reacquire pattern creates a time-of-check to time-of-use (TOCTOU) window where the kernel state referenced before the copy may no longer be valid after reacquisition.

A concurrent thread operating on the same socket can free the multicast filter structure during this window. When the original handler resumes, it dereferences a stale pointer to freed kernel memory, resulting in use-after-free behavior that an attacker can shape into a privilege escalation primitive.

Root Cause

The root cause is improper synchronization around a blocking operation. The handler assumed the multicast filter structure would remain valid across the lock-drop window, but no reference counting or revalidation was performed after reacquiring the lock. This violates the invariant that pointers cached across lock releases must be re-verified.

Attack Vector

Exploitation requires local access with the ability to create sockets and issue setsockopt calls with IPV6_MSFILTER. An attacker races two threads on the same IPv6 socket: one thread invokes setsockopt(IPV6_MSFILTER) with a large source-filter list to trigger the lock-drop window, while a second thread frees or replaces the underlying multicast filter structure. Successful timing yields kernel memory corruption that can be leveraged to overwrite credentials or function pointers, escalating to root.

No authentication beyond a local user session is required, and no user interaction is needed.

Detection Methods for CVE-2026-49412

Indicators of Compromise

  • Unexpected kernel panics or page faults referencing IPv6 multicast filter functions such as ip6_setmoptions or in6_msource structures.
  • Unprivileged processes making repeated setsockopt calls with IPV6_MSFILTER at high frequency from multiple threads on the same socket.
  • Sudden privilege transitions where a non-root process gains UID 0 without invoking setuid binaries or authenticated privilege escalation paths.

Detection Strategies

  • Enable kernel address sanitizer (KASAN) or equivalent memory-safety instrumentation in test environments to catch use-after-free access on the multicast filter structure.
  • Audit process telemetry for local users creating IPv6 sockets and issuing high volumes of IPV6_MSFILTER operations concurrently across threads.
  • Correlate kernel crash dumps with process ancestry to identify unprivileged workloads triggering faults in IPv6 multicast code paths.

Monitoring Recommendations

  • Collect and centralize FreeBSD kernel crash logs and dmesg output for review of panics involving ip6_output or multicast subsystems.
  • Monitor for privilege escalation events where a non-root process spawns a root shell without traversing a known SUID path.
  • Track setsockopt syscall patterns via DTrace or audit frameworks to flag anomalous IPv6 multicast filter activity.

How to Mitigate CVE-2026-49412

Immediate Actions Required

  • Apply the FreeBSD security patch from the official FreeBSD Security Advisory FreeBSD-SA-26:29.ip6_multicast on all affected 14.3, 14.4, and 15.0 systems.
  • Restrict local shell access on multi-user FreeBSD hosts until patching is complete, since exploitation requires only a local unprivileged user account.
  • Reboot systems after patching to ensure the updated kernel is active.

Patch Information

FreeBSD has published the fix in FreeBSD-SA-26:29.ip6_multicast. Administrators should follow the advisory to apply the corrected kernel binaries or rebuild from patched sources using freebsd-update or the source patch procedure documented by the FreeBSD Project.

Workarounds

  • Disable IPv6 on hosts that do not require it by configuring ipv6_activate_all_interfaces="NO" and removing IPv6 addresses from interfaces in /etc/rc.conf.
  • Restrict socket creation for untrusted local users through mandatory access control frameworks such as MAC or jail-based isolation.
  • Limit interactive logins to trusted administrators on systems that cannot be patched immediately.
bash
# Configuration example
# Update FreeBSD to the latest patched release
freebsd-update fetch
freebsd-update install
shutdown -r now

# Optional: disable IPv6 as a temporary mitigation
sysrc ipv6_activate_all_interfaces="NO"
service netif restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.