FreeBSD Kernel CVE-2025-24934
Severity: MEDIUM (NVD)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Description (NVD)
Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.
The kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets are only supposed to receive packets originating from the connected host.
Analysis (AI)
The FreeBSD kernel fails to validate a socket's connection state when adding it to an SO_REUSEPORT_LB load-balancing group, so a connected socket in such a group receives packets from arbitrary hosts instead of only from its connected peer. This breaks the contract of connect(2) and of the implied connect performed by sendto(2): an application that relies on connect(2) to filter traffic down to one peer may instead receive unsolicited datagrams from any host, which is why the issue is classed as a spoofing vulnerability. It exposes applications on unpatched FreeBSD versions to remote attackers (the NVD vector rates it as requiring no privileges, PR:N, but user interaction, UI:R).
Technical Context (AI)
SO_REUSEPORT_LB is a FreeBSD socket option that enables load-balancing group membership, allowing multiple sockets to bind to the same address and port pair with incoming traffic distributed across the group members. The vulnerability resides in the kernel's socket lookup for incoming UDP packets. Once a socket is connected via connect(2), the kernel should deliver to it only packets originating from the connected peer, a foundational contract of socket semantics.

The bug has two parts: first, the kernel does not check connection state before admitting a socket into a load-balancing group; second, when looking up the destination socket for an incoming packet, the kernel matches a socket belonging to a load-balancing group even if that socket is connected, so it receives traffic it should have filtered out. This is a logic flaw (CWE-488: Data with Incorrect Access Control Attributes) in which the kernel violates its own security model: load-balancing group membership and the connected-socket filtering rule are treated as compatible when they should be mutually exclusive. The affected component is the FreeBSD UDP/IP stack and its socket multiplexing layer.
Affected Products (AI)
FreeBSD kernel releases prior to the fix, as described in the FreeBSD-SA-25:09.netinet advisory. The vulnerability affects any FreeBSD system on which an application sets the SO_REUSEPORT_LB socket option on a UDP socket and then connects it. The specific vulnerable versions and the availability of patches are documented in the official FreeBSD security advisory (https://security.freebsd.org/advisories/FreeBSD-SA-25:09.netinet.asc).
Remediation (AI)
Apply the fix released with the FreeBSD-SA-25:09.netinet advisory as soon as possible. The fix corrects the kernel's socket handling so that connected sockets are rejected from load-balancing groups and so that the destination lookup enforces peer-only delivery for connected sockets even inside a load-balancing group. For applications that cannot be patched immediately, verify packet sources at the application layer (cryptographic signing, MAC validation, or session tokens) rather than relying solely on connect(2) to filter to the intended peer. Alternatively, if SO_REUSEPORT_LB is not required, stop using it and fall back to conventional socket binding without load-balancing groups. Application-level authentication adds computational overhead and should be designed carefully so that it does not introduce new vulnerabilities. See https://security.freebsd.org/advisories/FreeBSD-SA-25:09.netinet.asc for exact patch versions and detailed instructions.
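The cheapest defensive check an application can make while it waits for the kernel fix is to stop trusting connect(2) as a filter and compare the source address of every received datagram with the expected peer itself. The following is an added example written for this page, not code from FreeBSD or from the advisory; the helper names are hypothetical and it assumes IPv4. It does not replace the cryptographic checks recommended above, since the sender address itself can be forged on the wire; it only restores the filtering that connect(2) was supposed to provide.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical helper: return 1 if the datagram's source is exactly the
 * peer this socket was connect(2)ed to, 0 otherwise. Compares the full
 * (address, port) pair, not just the address. */
static int peer_matches(const struct sockaddr_in *expected,
                        const struct sockaddr_in *actual, socklen_t actual_len)
{
    if (actual_len < sizeof(*actual) || actual->sin_family != AF_INET)
        return 0;
    return actual->sin_addr.s_addr == expected->sin_addr.s_addr &&
           actual->sin_port == expected->sin_port;
}

/* Hypothetical wrapper around recvfrom(2) for a socket that is connected
 * but may sit in an SO_REUSEPORT_LB group. Returns the datagram length,
 * 0 when the datagram came from an unexpected source and was discarded,
 * or -1 when recvfrom(2) itself failed (errno is preserved). */
static ssize_t recv_from_peer(int fd, const struct sockaddr_in *peer,
                              void *buf, size_t len)
{
    struct sockaddr_in src;
    socklen_t srclen = sizeof(src);
    ssize_t n = recvfrom(fd, buf, len, 0, (struct sockaddr *)&src, &srclen);
    if (n < 0)
        return -1;
    if (!peer_matches(peer, &src, srclen))
        return 0; /* unexpected source: drop it; a real service would log it */
    return n;
}

/* Build an IPv4 sockaddr from a dotted-quad string and a host-order port. */
static struct sockaddr_in make_addr(const char *ip, unsigned short port)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}
```

Call recv_from_peer() in place of recv(2) on the connected socket and treat a 0 return as a dropped datagram rather than end of stream.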