From nobody Tue Jun  9 23:13:35 2026
X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8H3X1Kz6gqHf
	for <freebsd-announce@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8H1gFgz3PVk;
	Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1781046815; h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc; bh=ijLis1D3PnaXPGRkb/gipWkcZRP3C7Z8qoyPSL/kqfU=;
	b=CCJCBfN/7SE9KXov7WljS052tK2YWDvKORcnI2ITj7nEOOY7kqkqSgAnqSXr1igBE7r11V
	SdfH+yzLAk15HcMBzvap/GrIMB4ahC5abPOGwBBSywXSljD6PkJb7sfpvD/j0ag7S+GDLv
	brAB2dkc3wYhTlAQda1jovAJ4I22kIMiyWgUWWSvQpbM09F0LSlufn+d5ruqkJ4kvB9Hc0
	t9RnWTzMMchklNZ9RlRTdFuDPIAN9gqqJPJ1rre1Qtox09LHiGkhbipvUhUG5ZxpGHglPS
	DctbKTtmwibXQLTjRaTo+NhagoTp9eugkDNGHY9s990f/DJWRJIOjQmj9oPBBQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046815; a=rsa-sha256; cv=none;
	b=BxTqmPsp/IAlV9VRu+lHPf49iEypG/rwZuifYWfJ23c5YFJNbVE4T3hGUSZ17a6Qk0D8Az
	YfO+1X5vj1k4asn1vdsTEnUfBmidHqecnN/5ja1hsH1z3+mRsFjr/AmLQiYv3POUeiCAkn
	WFOnA2N9zEwxfgeSQHNiAGVYDu03WF+ndKNZw3p6lSGT8RhqqfYaIhqynTFduZ7RMyLpQY
	R7nkTF8ve821sr6LpTqLYwRZ/xWVUnXSfGj7jEJTXgdCyRMGlep3I8ndHgxgydcpSyDkkB
	0SGUkYpS9cxpzixuA1CLQzAwt3yC9jiiQF9DqR+zqW7hxGXGiLJ13E3TRFUebw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1781046815; h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc;
	bh=ijLis1D3PnaXPGRkb/gipWkcZRP3C7Z8qoyPSL/kqfU=;
	b=gElhS/Ie9c75CvFUWtF9bchYXEG+BLmhYOoJ70et8AHvGvo7XFs7+X5H2qzSP7I1ixTfoI
	Kdy1RCaJoguxyw5TRo09TY2n15QOs8SL2nLPLl+iigOEI4Ebgc53B/zGKX/02Q/hzmuA8v
	lIVAquNRzN/aU3heh6BTIWl1D6DVFP5FbroKEw66L64D02FaN+AKz/B1bmiLkZ2/6pUwcv
	k790x3nPN/h1UHu68YENXenKtCPrt4xzO0SPMQjGfUCEOt44ii201K0I8IN/lzmaQOt/FV
	aNoRu96WeXDdpGqDTPXw9mE8ikVXpH+51FMzCc9nNqJqjZB75qZE+knR6+hSTg==
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id 2F2F41FC54; Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:29.ip6_multicast
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231335.2F2F41FC54@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
List-Id: Project Announcements [moderated] <freebsd-announce.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-announce
List-Help: <mailto:announce+help@freebsd.org>
List-Post: <mailto:announce@freebsd.org>
List-Subscribe: <mailto:announce+subscribe@freebsd.org>
List-Unsubscribe: <mailto:announce+unsubscribe@freebsd.org>
X-BeenThere: freebsd-announce@freebsd.org
Sender: owner-freebsd-announce@FreeBSD.org
List-Id: <freebsd-announce.FreeBSD.org>
List-Post: <mailto:freebsd-announce@FreeBSD.org>
List-Help: <mailto:freebsd-announce+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-announce+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-announce+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:29.ip6_multicast                              Security Advisory
                                                          The FreeBSD Project

Topic:          Use-after-free bug in the IPV6_MSFILTER socket option handler

Category:       core
Module:         ip6_multicast
Announced:      2026-06-09
Credits:        Andrew Griffiths at Calif.io
Credits:        Maik Münch
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:32 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:10 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:47 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:49 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:09 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:39 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-49412

This vulnerability was independently reported by multiple parties prior to
publication.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD's IPv6 multicast subsystem supports source-specific multicast
filtering via the IPV6_MSFILTER socket option.  This option, set with
setsockopt(2), allows applications to specify which remote hosts are
permitted to send to a joined multicast group.

II.  Problem Description

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order
to copy the source-filter list from userspace, then reacquired the lock.
During this window another thread could free the multicast filter
structure, leaving the handler with a stale pointer to freed memory.

III. Impact

An unprivileged local user can exploit this use-after-free to escalate
privileges.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch.asc
# gpg --verify ip6_multicast-15.1.patch.asc

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch.asc
# gpg --verify ip6_multicast-15.0.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch.asc
# gpg --verify ip6_multicast-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              ce2b95932ec2    stable/15-n283885
releng/15.1/                            3d80e4aec3c1  releng/15.1-n283554
releng/15.0/                            ed4692b8226e  releng/15.0-n281056
stable/14/                              522182827ea1    stable/14-n274314
releng/14.4/                            a7062a6de005  releng/14.4-n273718
releng/14.3/                            e6859453de61  releng/14.3-n271518
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49412>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:29.ip6_multicast.asc>
-----BEGIN PGP SIGNATURE-----

iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxMbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7wUP/30Oo0Z61lnOg4P7VBtk
K6bljtcQ0SoiW++eWtX2TFHqCrcNS0qPSxQFVKDkkUf2Wx9M/zfkhUWnTpAwbQdB
m+8bUN8CGEjhvAihfKgCAQZGSqcVq8A2km+JgFpc9ehZ3RjnjFQ0DYZTOh1goZiQ
TPsWf8NwKQfed1LhQcDLp0hw7R4//wBICfluzFvLDqPG7TtcAvcJN04jrmd6XCaY
zddGXzWvrPGuRPY7/xgiwg26B4yK/OwzOJ0uBzBGLGzkuUKJjZgzot3kVy7WmTVw
iWKRChKQiakM+hkf/xi3CZiyUVGdlxd5GDWxJ8HvaNkYtk/iRzvalVMkSrZNdnaJ
rVMCmt0d+PxD6+2xORikqn+FiYNc+5gUB64O9t74+L1/XMtM0IWz/g2Zs66qding
0gABccQX5217YvZK8fubpihEPF7NCNblfikIZbdWYwmMk7azQ93tTO0ySCpuzIVX
+OJWR2QRrz004ohwgl9peBfcDEvbxN5KEovVDt/QTZ1JGKQ8AeiJCd7JZsNP1zMw
SAOof6EyOEzuilT8JDmOXhnXptOVwCG470bD9rYL3O6apFfcWqFVh+5njEaGMrBf
8W381AnPDmkEROxj3fzJkM7Xik64aJrHgLGFuHZAQ1Yjpr+SrJRKcdHx295qFp4a
m+8DOaIYeHuOhRTGRLMubJIj
=uFAo
-----END PGP SIGNATURE-----