-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:29.ip6_multicast Security Advisory
The FreeBSD Project
Topic: Use-after-free bug in the IPV6_MSFILTER socket option handler
Category: core
Module: ip6_multicast
Announced: 2026-06-09
Credits: Andrew Griffiths at Calif.io
Credits: Maik Münch
Affects: All supported versions of FreeBSD
Corrected: 2026-06-09 19:17:32 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:10 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:47 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-06-09 19:17:49 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:09 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:39 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-49412
This vulnerability was independently reported by multiple parties prior to
publication.
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD's IPv6 multicast subsystem supports source-specific multicast
filtering via the IPV6_MSFILTER socket option. This option, set with
setsockopt(2), allows applications to specify which remote hosts are
permitted to send to a joined multicast group.
II. Problem Description
The kernel handler for IPV6_MSFILTER dropped a serializing lock in order
to copy the source-filter list from userspace, then reacquired the lock.
During this window another thread could free the multicast filter
structure, leaving the handler with a stale pointer to freed memory.
III. Impact
An unprivileged local user can exploit this use-after-free to escalate
privileges.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch.asc
# gpg --verify ip6_multicast-15.1.patch.asc
[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch.asc
# gpg --verify ip6_multicast-15.0.patch.asc
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch.asc
# gpg --verify ip6_multicast-14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ ce2b95932ec2 stable/15-n283885
releng/15.1/ 3d80e4aec3c1 releng/15.1-n283554
releng/15.0/ ed4692b8226e releng/15.0-n281056
stable/14/ 522182827ea1 stable/14-n274314
releng/14.4/ a7062a6de005 releng/14.4-n273718
releng/14.3/ e6859453de61 releng/14.3-n271518
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxMbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7wUP/30Oo0Z61lnOg4P7VBtk
K6bljtcQ0SoiW++eWtX2TFHqCrcNS0qPSxQFVKDkkUf2Wx9M/zfkhUWnTpAwbQdB
m+8bUN8CGEjhvAihfKgCAQZGSqcVq8A2km+JgFpc9ehZ3RjnjFQ0DYZTOh1goZiQ
TPsWf8NwKQfed1LhQcDLp0hw7R4//wBICfluzFvLDqPG7TtcAvcJN04jrmd6XCaY
zddGXzWvrPGuRPY7/xgiwg26B4yK/OwzOJ0uBzBGLGzkuUKJjZgzot3kVy7WmTVw
iWKRChKQiakM+hkf/xi3CZiyUVGdlxd5GDWxJ8HvaNkYtk/iRzvalVMkSrZNdnaJ
rVMCmt0d+PxD6+2xORikqn+FiYNc+5gUB64O9t74+L1/XMtM0IWz/g2Zs66qding
0gABccQX5217YvZK8fubpihEPF7NCNblfikIZbdWYwmMk7azQ93tTO0ySCpuzIVX
+OJWR2QRrz004ohwgl9peBfcDEvbxN5KEovVDt/QTZ1JGKQ8AeiJCd7JZsNP1zMw
SAOof6EyOEzuilT8JDmOXhnXptOVwCG470bD9rYL3O6apFfcWqFVh+5njEaGMrBf
8W381AnPDmkEROxj3fzJkM7Xik64aJrHgLGFuHZAQ1Yjpr+SrJRKcdHx295qFp4a
m+8DOaIYeHuOhRTGRLMubJIj
=uFAo
-----END PGP SIGNATURE-----