CVE-2026-49412 PUBLISHED

Use-after-free bug in the IPV6_MSFILTER socket option handler

Assigner: freebsd
Reserved: 29.05.2026 Published: 27.06.2026 Updated: 27.06.2026

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory.

An unprivileged local user can exploit this use-after-free to escalate privileges.

Product Status

Vendor	FreeBSD
Product	FreeBSD
Versions	Default: unknown affected from 15.0-RELEASE to p10 (excl.) affected from 14.4-RELEASE to p6 (excl.) affected from 14.3-RELEASE to p15 (excl.)

Credits

Andrew Griffiths at Calif.io finder
Maik Münch finder

References

https://security.freebsd.org/advisories/FreeBSD-SA-26:29.ip6_multicast.asc

Problem Types

CWE-416: Use After Free CWE