FreeBSD Kernel Use-After-Free Vulnerability via File Descriptor Syscalls

Vulnerability

A use-after-free vulnerability has been identified in the FreeBSD kernel, affecting all supported versions. The issue arises when a file descriptor is closed while a thread is blocked in a poll or select call waiting for that descriptor. The blocked thread does not maintain a reference to the underlying object, which can lead to the object being freed while the thread remains blocked. If this occurs, the kernel must unlink the blocked thread from the wait queue before freeing the object. However, for certain file descriptor types, the kernel failed to do so. When the blocked thread is awakened, it accesses memory that has already been freed, creating a use-after-free scenario. This vulnerability can be exploited by an unprivileged local user to gain superuser privileges.
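
The teardown ordering described above, as an added user-space model. It is not FreeBSD kernel code or code from the advisory. All names (wait_on, close_without_unlink, close_with_unlink, wakeup_touches_freed) are hypothetical, and a "freed" flag stands in for the actual free so the stale access can be observed safely.

```c
#include <stddef.h>
#include <stdbool.h>

/* User-space model only; every name here is hypothetical. */
struct object;

struct waiter {                 /* models a thread blocked in poll/select */
    struct object *obj;         /* borrowed pointer: no reference is held */
    struct waiter *next;        /* link in the object's wait queue */
};

struct object {
    bool freed;                 /* stands in for free(); makes stale access detectable */
    struct waiter *waitq;       /* waiters currently blocked on this object */
};

/* Blocking step: put the waiter on the object's wait queue. */
void wait_on(struct object *o, struct waiter *w) {
    w->obj = o;
    w->next = o->waitq;
    o->waitq = w;
}

/* Flawed teardown: the object is released while waiters still point at it. */
void close_without_unlink(struct object *o) {
    o->freed = true;
}

/* Correct teardown: unlink every waiter first, then release the object. */
void close_with_unlink(struct object *o) {
    while (o->waitq != NULL) {
        struct waiter *w = o->waitq;
        o->waitq = w->next;
        w->obj = NULL;          /* waiter no longer refers to the object */
        w->next = NULL;
    }
    o->freed = true;
}

/* Wakeup path: true if the awakened waiter would touch released memory. */
bool wakeup_touches_freed(const struct waiter *w) {
    return w->obj != NULL && w->obj->freed;
}
```

In the model, only the teardown that unlinks its waiters leaves the wakeup path with nothing stale to follow.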

Impact

Exploitation of this vulnerability leads to a use-after-free condition, allowing an unprivileged local user to obtain superuser privileges.

Remediation

Users can upgrade to a supported FreeBSD stable or release branch dated after the correction date and reboot the system. Instructions for updating via the pkg utility, freebsd-update utility, or by applying a source code patch are available in the FreeBSD Security Advisory.

Added: May 21, 2026, 10:21 AM
Updated: May 21, 2026, 10:21 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 7.5
exploitability: 2.7
remediation: 7.7
relevance: 9.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.