Description
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object.

In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability.

The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Published: 2026-05-21
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free condition exists in the FreeBSD kernel when a file descriptor is closed while a thread is blocked in poll(2) or select(2). The closed descriptor is freed before the blocked thread is removed from its wait queue, so when the thread is later awakened it accesses memory that has already been reclaimed. The exposed memory read constitutes a use‑after‑free flaw (CWE‑416) and can be leveraged by an unprivileged local user to gain superuser privileges.

Affected Systems

The vulnerability affects the FreeBSD operating system; vendor and product information indicates only the FreeBSD base system. No specific version or patch level is listed, so users should verify whether their installed FreeBSD release is among the affected ones and stay current with vendor updates.

Risk and Exploitability

The flaw is local only, requiring the attacker to run as a normal user on the target machine. Because the exploit can elevate privileges to root, the high CVSS score of 7.8 indicates a serious risk. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog. An attacker would need the ability to open a file descriptor, wait on it with poll/select, then close it, which is feasible within a local session.

Generated by OpenCVE AI on May 21, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest FreeBSD stable release that contains the vendor‑supplied fix for the use‑after‑free bug
  • Restart the system or affected services to ensure the updated kernel is loaded
  • If a patch is not yet available, monitor the FreeBSD security mailing list and work‑around page for interim mitigations; otherwise, restrict local user access to operations that can open, poll, or select file descriptors until the kernel can be updated

Generated by OpenCVE AI on May 21, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p10:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p11:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p12:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p13:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p8:*:*:*:*:*:*

Thu, 21 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Thu, 21 May 2026 10:15:00 +0000

Type Values Removed Values Added
Description A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Title Kernel use-after-free via file descriptor syscalls
Weaknesses CWE-416
References

Subscriptions

Freebsd Freebsd
cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-05-21T14:15:14.029Z

Reserved: 2026-05-11T16:27:44.891Z

Link: CVE-2026-45251

cve-icon Vulnrichment

Updated: 2026-05-21T14:15:10.008Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-21T10:16:26.043

Modified: 2026-05-21T19:01:22.710

Link: CVE-2026-45251

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T16:30:14Z

Weaknesses