Skip to main content

FreeBSD CVE-2026-49412

| EUVDEUVD-2026-39964 HIGH
Use After Free (CWE-416)
2026-06-27 freebsd
7.8
CVSS 3.1 · Vendor: freebsd
Share

Severity by source

Vendor (freebsd) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local low-priv account (AV:L/PR:L); AC:H because exploitation requires winning a kernel lock race; full kernel compromise yields C/I/A:H.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (freebsd).

CVSS VectorVendor: freebsd

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 29, 2026 - 14:27 vuln.today
CVSS changed
Jun 29, 2026 - 14:22 NVD
7.8 (None) 7.8 (HIGH)
CVE Published
Jun 27, 2026 - 09:02 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.

An unprivileged local user can exploit this use-after-free to escalate privileges.

AnalysisAI

Local privilege escalation in the FreeBSD kernel arises from a use-after-free in the IPv6 multicast source-filter handler (IPV6_MSFILTER), affecting FreeBSD 14.3, 14.4, and 15.0 releases before their respective patch levels. An unprivileged local user can win a race against the handler's dropped-then-reacquired serializing lock to free the multicast filter structure out from under the kernel, corrupting memory to gain root-level control. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local unprivileged shell
Delivery
Open IPv6 socket, call IPV6_MSFILTER
Exploit
Race concurrent thread to free filter struct
Execution
Trigger use-after-free on stale pointer
Impact
Corrupt kernel memory, escalate to root

Vulnerability AssessmentAI

Exploitation Exploitation requires a local unprivileged account on the FreeBSD host able to make IPv6 socket calls and invoke the IPV6_MSFILTER setsockopt option; the attacker must win the race in which the kernel handler drops and reacquires its serializing lock around the userspace copyin of the source-filter list, and concurrently free the multicast filter structure in that window. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are coherent and point to a serious-but-not-urgent issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user with an unprivileged local shell account (or code running inside a jail/container) opens an IPv6 socket and repeatedly issues IPV6_MSFILTER setsockopt calls while a second thread concurrently frees the multicast filter structure during the handler's unlocked copyin window. By winning this race and grooming the freed kernel memory, the attacker forces the kernel to operate on a controlled stale pointer, corrupting kernel state to escalate to root. …
Remediation Apply the vendor-released patch by updating to the fixed patch level for your branch: FreeBSD 14.3-RELEASE-p15, 14.4-RELEASE-p6, or 15.0-RELEASE-p10 or later, using freebsd-update (binary update) or by recompiling the kernel from the patched source per FreeBSD-SA-26:29 (https://security.freebsd.org/advisories/FreeBSD-SA-26:29.ip6_multicast.asc); a reboot is required for the new kernel to take effect. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running FreeBSD 14.3, 14.4, or 15.0; audit local user accounts and disable those not operationally required; document current administrative access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

CVE-2026-49412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy