Description
The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.

An unprivileged local user can exploit this use-after-free to escalate privileges.
Published: 2026-06-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use‑after‑free flaw exists in the FreeBSD kernel IPv6 multicast filtering code. The kernel releases a serialized lock while copying a list of source filters from user space, then re‑acquires the lock. During this interval another thread may free the multicast filter structure, leaving the kernel with a stale pointer that can be dereferenced. The flaw allows any unprivileged local user to trigger an access to freed memory and potentially gain root privileges.

Affected Systems

FreeBSD operating systems running the kernel with the IPV6_MSFILTER socket option enabled are affected. The issue is present in all current releases of the FreeBSD kernel that have not yet been patched by the vendor.

Risk and Exploitability

The vulnerability provides a local privilege escalation path. With a CVSS score of 7.8, it is considered a high severity issue. The EPSS score of <1% indicates a low exploitation probability. As it is not listed in the CISA KEV catalog, there are no known active exploits in the wild. Successful exploitation would give an attacker full control of the host.

Generated by OpenCVE AI on June 29, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the system to a FreeBSD kernel version that contains the patch for the IPV6_MSFILTER use.
  • If a patch is not immediately available, limit unprivileged access to the IPV6_MSFILTER socket option through firewall rules or ACLs to reduce the attack surface.
  • Monitor local authentication logs for anomalous patterns that may indicate exploitation attempts and consider enabling audit logging for privileged escalations.

Generated by OpenCVE AI on June 29, 2026 at 14:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 29 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 27 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Sat, 27 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory. An unprivileged local user can exploit this use-after-free to escalate privileges.
Title Use-after-free bug in the IPV6_MSFILTER socket option handler
Weaknesses CWE-416
References

cve-icon MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-06-30T03:55:29.049Z

Reserved: 2026-05-29T20:24:28.615Z

Link: CVE-2026-49412

cve-icon Vulnrichment

Updated: 2026-06-29T13:06:20.730Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T14:45:04Z

Weaknesses