Use-After-Free Vulnerability in FreeBSD Kernel IPV6 Multicast Filter Handling
CVE-2026-49412

Currently unrated

Key Information:

Vendor: FreeBSD
Status: FreeBSD
Vendor: CVE Published:; 27 June 2026

What is CVE-2026-49412?

A vulnerability in the FreeBSD kernel's handling of IPV6 multicast filters could allow an unprivileged local user to exploit a use-after-free condition. This issue arises when the kernel handler for IPV6_MSFILTER drops a serializing lock during the process of copying the source-filter list from userspace and later reacquires it. In this brief window, another thread may free the multicast filter structure, which leads to a stale pointer to previously freed memory being used by the handler. Successful exploitation of this vulnerability could allow an attacker to escalate their privileges within the system.

Affected Version(s)

FreeBSD 15.0-RELEASE

FreeBSD 14.4-RELEASE

FreeBSD 14.3-RELEASE

References

https://security.freebsd.org/advisories/FreeBSD-SA-26:29....

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 27, 2026
Vulnerability Reserved
May 29, 2026

Credit

Andrew Griffiths at Calif.io

Maik Münch

CVE-2026-49412 Data

JSON