Description
Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks.




The kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets are only supposed to receive packets originating from the connected host.
Published: 2025-10-22
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Setting the SO_REUSEPORT_LB option on a UDP socket and then connecting it causes the socket to be added to a load‑balancing group. In this state the kernel accepts packets addressed to the socket from any host, not just the connected one. The effect is that the contract of connect(2) is broken and the application can receive spoofed data from arbitrary sources, exposing it to data injection or impersonation attacks.

Affected Systems

All FreeBSD releases that support the SO_REUSEPORT_LB socket option on UDP sockets are affected. Specific affected versions are not listed in the advisory; therefore any build that enables this feature is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate impact, and the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker can send UDP packets to the vulnerable host; the kernel will route those packets to the socket regardless of the intended peer, allowing an attacker to inject spoofed data and potentially subvert application logic or masquerade as the connected host.

Generated by OpenCVE AI on May 1, 2026 at 06:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest FreeBSD security update that patches the SO_REUSEPORT_LB handling bug or upgrade to a FreeBSD release that removes the flaw.
  • If patching is not immediately possible, avoid setting SO_REUSEPORT_LB on UDP sockets that engage in connection‑oriented communication, or remove the option before calling connect(2).
  • As a temporary defensive measure, restrict inbound traffic using a host‑based firewall or packet filter so that only packets from the expected peers reach the application’s listening sockets.
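One way to compensate inside the application, as an added example (not code from FreeBSD or OpenCVE): because an affected kernel may deliver datagrams from any host to a connected UDP socket, compare each datagram's source with the connected peer and drop mismatches. The function names `same_endpoint` and `recv_from_peer` are hypothetical.

```c
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Return 1 if two socket addresses name the same IPv4/IPv6 endpoint. */
int same_endpoint(const struct sockaddr *a, const struct sockaddr *b)
{
    if (a->sa_family != b->sa_family)
        return 0;
    if (a->sa_family == AF_INET) {
        const struct sockaddr_in *x = (const void *)a, *y = (const void *)b;
        return x->sin_port == y->sin_port &&
               x->sin_addr.s_addr == y->sin_addr.s_addr;
    }
    if (a->sa_family == AF_INET6) {
        const struct sockaddr_in6 *x = (const void *)a, *y = (const void *)b;
        return x->sin6_port == y->sin6_port &&
               x->sin6_scope_id == y->sin6_scope_id &&
               memcmp(&x->sin6_addr, &y->sin6_addr, sizeof x->sin6_addr) == 0;
    }
    return 0; /* unknown family: treat as not the peer */
}

/*
 * Receive one datagram on fd, accepting it only if it came from the peer the
 * socket is connected to. Datagrams from other sources are consumed and dropped.
 * Returns the payload length, or -1 with errno set (ENOTCONN if not connected).
 */
ssize_t recv_from_peer(int fd, void *buf, size_t len)
{
    struct sockaddr_storage peer, from;
    socklen_t plen = sizeof peer;

    if (getpeername(fd, (struct sockaddr *)&peer, &plen) == -1)
        return -1;
    for (;;) {
        socklen_t flen = sizeof from;
        ssize_t n = recvfrom(fd, buf, len, 0, (struct sockaddr *)&from, &flen);
        if (n == -1 && errno == EINTR)
            continue;
        if (n == -1)
            return -1;
        if (same_endpoint((struct sockaddr *)&from, (struct sockaddr *)&peer))
            return n;
        /* Source is not the connected peer: discard and wait for the next one. */
    }
}
```

This restores the source filtering that connect(2) is supposed to provide; it does not authenticate the sender, so protocols that need integrity still require their own cryptographic checks.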


Advisories

No advisories yet.

History

Fri, 24 Apr 2026 00:00:00 +0000


Thu, 23 Oct 2025 10:30:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
First Time appeared | | Freebsd; Freebsd freebsd
Vendors & Products | | Freebsd; Freebsd freebsd

Wed, 22 Oct 2025 20:15:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 18:00:00 +0000

Type | Values Removed | Values Added
--- | --- | ---
Description | | Software which sets SO_REUSEPORT_LB on a socket and then connects it to a host will not directly observe any problems. However, due to its membership in a load-balancing group, that socket will receive packets originating from any host. This breaks the contract of the connect(2) and implied connect via sendto(2), and may leave the application vulnerable to spoofing attacks. The kernel failed to check the connection state of sockets when adding them to load-balancing groups. Furthermore, when looking up the destination socket for an incoming packet, the kernel will match a socket belonging to a load-balancing group even if it is connected, in violation of the contract that connected sockets are only supposed to receive packets originating from the connected host.
Title | | SO_REUSEPORT_LB breaks connect(2) for UDP sockets
Weaknesses | | CWE-488
References | |

MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-04-23T23:48:50.271Z

Reserved: 2025-01-29T03:07:26.190Z

Link: CVE-2025-24934

Vulnrichment

Updated: 2025-10-22T19:58:36.275Z

NVD

Status: Deferred

Published: 2025-10-22T18:15:34.013

Modified: 2026-04-24T00:16:26.177

Link: CVE-2025-24934

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:15:10Z

Weaknesses