-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:19.file                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel use-after-free via file descriptor syscalls

Category:       core
Module:         file
Announced:      2026-05-20
Credits:        75Acol, Lexpl0it, fcgboy, and robinzeng2015
Credits:        Ryan at Calif.io
Affects:        All supported versions of FreeBSD.
Corrected:      2026-05-20 19:36:37 UTC (stable/15, 15.0-STABLE)
                2026-05-20 19:39:31 UTC (releng/15.0, 15.0-RELEASE-p9)
                2026-05-20 19:37:57 UTC (stable/14, 14.4-STABLE)
                2026-05-20 19:39:57 UTC (releng/14.4, 14.4-RELEASE-p5)
                2026-05-20 19:40:34 UTC (releng/14.3, 14.3-RELEASE-p14)
CVE Name:       CVE-2026-45251

This vulnerability was independently reported by multiple parties prior to
publication.  The reporters' findings prompted a broader review by the
FreeBSD Security Team, which identified additional occurrences of the same
issue in related code.  All known exploitable instances are corrected by
this update.

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

FreeBSD implements a number of file descriptor types.  Traditionally file
descriptors are used to perform file or network I/O, but other variants
exist such as process descriptors, which enable operations on a particular
process.

The select(2) and poll(2) system calls allow applications to wait for events
related to the object to which a file descriptor refers.  These system calls
are implemented for many different file descriptor types.  For instance, a
process descriptor may be used with either system call to wait for the
target process to exit.

II.  Problem Description

A file descriptor can be closed while a thread is blocked in a poll(2) or
select(2) call waiting for that descriptor.  Because the blocked thread does
not hold a reference to the underlying object, this closure may result in
the object being freed while the thread remains blocked.  In this
situation, the kernel must remove the blocked thread from the per-object
wait queue prior to freeing the object.

In the case of some file descriptor types, the kernel failed to unlink
blocked threads from the object before freeing it.  When the blocked thread
is subsequently woken, it accesses memory that has already been freed,
resulting in a use-after-free vulnerability.

III. Impact

The use-after-free vulnerability may be triggered by an unprivileged local
user and can be exploited to obtain superuser privileges.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch.asc
# gpg --verify file-15.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch.asc
# gpg --verify file-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              53a78e582a6f    stable/15-n283641
releng/15.0/                            af79f4148450  releng/15.0-n281041
stable/14/                              b90b25c3779e    stable/14-n274164
releng/14.4/                            8d8694c224e2  releng/14.4-n273704
releng/14.3/                            659818009d15  releng/14.3-n271504
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References
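As an added check that is not part of this advisory or of FreeBSD's own tooling: a POSIX sh function that compares a release version string, in the form printed by freebsd-version(1), against the corrected patch levels listed in the "Corrected:" field above. Stable branches carry a commit count rather than a patch level, so the function reports them as unknown instead of guessing.

```shell
#!/bin/sh
# Added example, not part of FreeBSD-SA-26:19.file: compare a release
# version string against the corrected patch levels this advisory lists.
# Input is the form printed by freebsd-version(1), e.g. "14.4-RELEASE-p5".

# Minimum corrected patch level per release, from the "Corrected:" field.
# Prints nothing for a release the advisory does not list.
sa2619_min_patch() {
    case "$1" in
        15.0) echo 9 ;;
        14.4) echo 5 ;;
        14.3) echo 14 ;;
    esac
}

# sa2619_status VERSION: prints "patched", "vulnerable" or "unknown".
# Stable branches (e.g. 15.0-STABLE) carry no patch level; their state is
# identified by the commit count (nNNNNNN) in the correction table, so they
# are reported as "unknown" rather than guessed.
sa2619_status() {
    ver="$1"
    rel="${ver%%-*}"            # "14.4"
    rest="${ver#*-}"            # "RELEASE-p5", "RELEASE" or "STABLE"
    case "$rest" in
        RELEASE-p*) p="${rest#RELEASE-p}" ;;
        RELEASE)    p=0 ;;      # a release with no -pN has patch level 0
        *)          echo unknown; return 0 ;;
    esac
    case "$p" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    min=$(sa2619_min_patch "$rel")
    [ -n "$min" ] || { echo unknown; return 0; }
    if [ "$p" -ge "$min" ]; then echo patched; else echo vulnerable; fi
}

# The fix is in the kernel and the advisory requires a reboot, so check the
# running kernel (-r), not only the kernel on disk (-k) or the userland (-u).
if command -v freebsd-version >/dev/null 2>&1; then
    running=$(freebsd-version -r)
    echo "running kernel $running: $(sa2619_status "$running")"
fi
```

A host on a stable branch should instead compare its `git rev-list --count --first-parent HEAD` output against the nNNNNNN value for its branch in the correction table.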
The latest revision of this advisory is available at