Description
The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.

An unprivileged local user can exploit this use-after-free to escalate privileges.
Published: 2026-06-27
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A use-after-free flaw exists in the FreeBSD kernel IPv6 multicast filtering code. The kernel releases a serializing lock while copying a list of source filters from user space, then re-acquires the lock. During this interval another thread may free the multicast filter structure, leaving the kernel with a stale pointer that can be dereferenced. The flaw allows any unprivileged local user to trigger an access to freed memory and potentially gain root privileges.
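The lock-drop window described above, as an added userspace model: it is not FreeBSD kernel code and not the vendor's fix, and every identifier, the slot pool, the generation counter and the EADDRNOTAVAIL return value are assumptions made for illustration. With `revalidate=0` the handler keeps its pointer across the window; with `revalidate=1` it looks the filter up again after relocking and fails the call if the object was freed or reused.

```c
#include <errno.h>
#include <string.h>
/* Userspace model of the lock-drop window; every name here is hypothetical. */
#define NSLOT 4
#define MAXSRC 8
struct filter { int in_use, group, nsrc, src[MAXSRC]; unsigned gen; };
static struct filter pool[NSLOT];    /* stands in for lock-protected state */
int locked;                          /* stands in for the serializing lock */
const int sample_src[2] = {10, 20};  /* constructed sample source list */

struct filter *filter_lookup(int group) {
    for (int i = 0; i < NSLOT; i++)
        if (pool[i].in_use && pool[i].group == group) return &pool[i];
    return NULL;
}
struct filter *filter_alloc(int group) {
    struct filter *f = NULL;
    for (int i = 0; i < NSLOT && !f; i++) if (!pool[i].in_use) f = &pool[i];
    if (f) { f->in_use = 1; f->group = group; f->nsrc = 0; }
    return f;
}
/* Releases the slot; the bumped gen marks any pointer taken earlier as stale. */
void filter_free(int group) {
    struct filter *f = filter_lookup(group);
    if (f) { f->in_use = 0; f->gen++; }
}
/* Plays the second thread: frees the filter, then the slot is reused. */
void race_free_and_reuse(int group) { filter_free(group); filter_alloc(group + 1); }

/* revalidate=0 is the flawed shape from the description, 1 the hardened one.
 * race() runs inside the unlocked copy window. The gen comparison also catches
 * a slot that was freed and handed out again for the same group. */
int set_filter(int group, const int *usrc, int n, void (*race)(int), int revalidate) {
    int tmp[MAXSRC];
    if (n < 0 || n > MAXSRC) return EINVAL;
    locked = 1;
    struct filter *f = filter_lookup(group);
    if (!f) { locked = 0; return EADDRNOTAVAIL; }
    unsigned gen = f->gen;
    locked = 0;                                      /* dropped for the user copy */
    memcpy(tmp, usrc, (size_t)n * sizeof tmp[0]);    /* models copyin() */
    if (race) race(group);
    locked = 1;                                      /* reacquired */
    if (revalidate && (filter_lookup(group) != f || f->gen != gen)) { locked = 0; return EADDRNOTAVAIL; }
    memcpy(f->src, tmp, (size_t)n * sizeof tmp[0]);  /* stale write when unchecked */
    f->nsrc = n;
    locked = 0;
    return 0;
}
```

In the unchecked run the source list lands in the filter that reused the slot, which is the memory-corruption primitive a use-after-free provides; the checked run leaves that filter untouched.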

Affected Systems

FreeBSD operating systems running the kernel with the IPV6_MSFILTER socket option enabled are affected. The issue is present in all current releases of the FreeBSD kernel that have not yet been patched by the vendor.

Risk and Exploitability

The vulnerability provides a local privilege escalation path and has no known publicly available exploits. As the EPSS score is not available, the exploit probability cannot be quantified, but the impact is a full compromise of the host should an attacker successfully exploit the flaw. The lack of a KEV listing indicates that no confirmed exploitation has been reported in the wild.

Generated by OpenCVE AI on June 27, 2026 at 10:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the system to a FreeBSD kernel version that contains the patch for the IPV6_MSFILTER use-after-free.
  • If a patch is not immediately available, limit unprivileged access to the IPV6_MSFILTER socket option through firewall rules or ACLs to reduce the attack surface.
  • Monitor local authentication logs for anomalous patterns that may indicate exploitation attempts and consider enabling audit logging for privileged escalations.

Advisories

No advisories yet.

History

Sat, 27 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
Description The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory. An unprivileged local user can exploit this use-after-free to escalate privileges.
Title Use-after-free bug in the IPV6_MSFILTER socket option handler
Weaknesses CWE-416
References

MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-06-27T09:02:55.482Z

Reserved: 2026-05-29T20:24:28.615Z

Link: CVE-2026-49412

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-27T10:30:14Z

Weaknesses