From nobody Tue Jun  9 23:13:35 2026
X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8H3swZz6gprM
	for <freebsd-security@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8H2MNCz3Pf4;
	Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1781046815; h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc; bh=ijLis1D3PnaXPGRkb/gipWkcZRP3C7Z8qoyPSL/kqfU=;
	b=G4My2xo2uCcTRVgOLmTcFyW3nGcRmW/1BP/DhBKSWrujtRwjzhIwCtA4QCrlyUzBN1Xott
	npot2LOFQBZfIaDqO63xWANo75VUySm1H6VN/CWbJMXeJF1/rr1hbQuWJVgt0fgiXVCIFm
	WS9zUh2PPfnySxcN8Yp/nFK1YzC1EFqvDOptVZlnVMI9V/rd2QuEuQHAf48zooRMaWUuPb
	+Xw48ALaxDWVi57M73LiCXvmuZLWURcDW/dkE5ParzHlQ6+DEG/ncJKkJniBlUz59d5eSz
	wx0DSONQL6IVb/FnheNedzN/DaxDEDDxVpBBt5PslYWedmTvQkqcfn1oQzLcyg==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046815; a=rsa-sha256; cv=none;
	b=NI0SAJ3zxZbEm7bvJBHleL4uMX/qsqUTQdJofkGnZNxjf+PT2PqwfsQCG2mwpvjh8OWT7V
	G5lPV4pRLhkhrUwbz7AZLz/ExiD9l4cvrFJI+E9mR17jzHBDtkFuXnn8YhuCf00quMT7Eu
	Ka/6e++6jzrFKPbEc780xetc4WUr1ze6+l5r3OchpCLUZY/kABev+W8ayDBYjAhNDIuKkL
	1dDnfkXGVfMMNpgaGY363d3o6TrnA6psM34mZKsVc70k2EzePOYXzssOAp49INmAXmjBdz
	0oIFYe/n1Wf/u4OrefXbUeK86mSPYxfiuq3ewvrDU4bEZtGtJRi2Ay0BFYsU1A==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1781046815; h=from:from:reply-to:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc;
	bh=ijLis1D3PnaXPGRkb/gipWkcZRP3C7Z8qoyPSL/kqfU=;
	b=Eoq0YuKuCH4dG1PjFRLBoiTcfd5RXIm/VDeYp66HGiIq++8HMjmtKGc/6F+63QpYKcFnkC
	Ry2Y9JQbCHfmu+DGwMPxNQcmyxUJeAJicF4CU3OyyFDv4Eck5iwgxZmdqb46tCl81/TqtR
	oFh3PW8i4qZs9pEKv+QqyDO36kU3QtxqdYRqbKMeQjVJBfzHA9UsRUKJolaWTDTdqcWzAi
	g1KVKVg+WVxyldrvTvV05j33niw5up4O2eZpz/tLDJk/UT1QYQlKy6aL4EIFwKAa1jIsvA
	o85jrC+xuV1aC3m+sVeXeBg7T2+tlJmGak+ZDtz6O9lh/XxidzXXrDujG2XsCg==
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id 391411FC55; Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:29.ip6_multicast
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231335.391411FC55@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
List-Id: Security issues <freebsd-security.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security
List-Help: <mailto:freebsd-security+help@freebsd.org>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Subscribe: <mailto:freebsd-security+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security@freebsd.org
Sender: owner-freebsd-security@FreeBSD.org
List-Id: <freebsd-security.FreeBSD.org>
List-Post: <mailto:freebsd-security@FreeBSD.org>
List-Help: <mailto:freebsd-security+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:29.ip6_multicast                              Security Advisory
                                                          The FreeBSD Project

Topic:          Use-after-free bug in the IPV6_MSFILTER socket option handler

Category:       core
Module:         ip6_multicast
Announced:      2026-06-09
Credits:        Andrew Griffiths at Calif.io
Credits:        Maik Münch
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:32 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:10 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:47 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:49 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:09 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:39 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-49412

This vulnerability was independently reported by multiple parties prior to
publication.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD's IPv6 multicast subsystem supports source-specific multicast
filtering via the IPV6_MSFILTER socket option.  This option, set with
setsockopt(2), allows applications to specify which remote hosts are
permitted to send to a joined multicast group.

II.  Problem Description

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order
to copy the source-filter list from userspace, then reacquired the lock.
During this window another thread could free the multicast filter
structure, leaving the handler with a stale pointer to freed memory.

III. Impact

An unprivileged local user can exploit this use-after-free to escalate
privileges.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch.asc
# gpg --verify ip6_multicast-15.1.patch.asc

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch.asc
# gpg --verify ip6_multicast-15.0.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch.asc
# gpg --verify ip6_multicast-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              ce2b95932ec2    stable/15-n283885
releng/15.1/                            3d80e4aec3c1  releng/15.1-n283554
releng/15.0/                            ed4692b8226e  releng/15.0-n281056
stable/14/                              522182827ea1    stable/14-n274314
releng/14.4/                            a7062a6de005  releng/14.4-n273718
releng/14.3/                            e6859453de61  releng/14.3-n271518
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49412>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:29.ip6_multicast.asc>
-----BEGIN PGP SIGNATURE-----

iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxMbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7wUP/30Oo0Z61lnOg4P7VBtk
K6bljtcQ0SoiW++eWtX2TFHqCrcNS0qPSxQFVKDkkUf2Wx9M/zfkhUWnTpAwbQdB
m+8bUN8CGEjhvAihfKgCAQZGSqcVq8A2km+JgFpc9ehZ3RjnjFQ0DYZTOh1goZiQ
TPsWf8NwKQfed1LhQcDLp0hw7R4//wBICfluzFvLDqPG7TtcAvcJN04jrmd6XCaY
zddGXzWvrPGuRPY7/xgiwg26B4yK/OwzOJ0uBzBGLGzkuUKJjZgzot3kVy7WmTVw
iWKRChKQiakM+hkf/xi3CZiyUVGdlxd5GDWxJ8HvaNkYtk/iRzvalVMkSrZNdnaJ
rVMCmt0d+PxD6+2xORikqn+FiYNc+5gUB64O9t74+L1/XMtM0IWz/g2Zs66qding
0gABccQX5217YvZK8fubpihEPF7NCNblfikIZbdWYwmMk7azQ93tTO0ySCpuzIVX
+OJWR2QRrz004ohwgl9peBfcDEvbxN5KEovVDt/QTZ1JGKQ8AeiJCd7JZsNP1zMw
SAOof6EyOEzuilT8JDmOXhnXptOVwCG470bD9rYL3O6apFfcWqFVh+5njEaGMrBf
8W381AnPDmkEROxj3fzJkM7Xik64aJrHgLGFuHZAQ1Yjpr+SrJRKcdHx295qFp4a
m+8DOaIYeHuOhRTGRLMubJIj
=uFAo
-----END PGP SIGNATURE-----