CVE-2026-45251
Received Received - Intake
Use-After-Free in FreeBSD Kernel Due to Poll/Select Race Condition

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: FreeBSD

Description
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-21
Generated
2026-05-21
AI Q&A
2026-05-21
EPSS Evaluated
N/A
NVD
CVE-2026-45251
EUVD
EUVD-2026-31256
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freebsd freebsd From 14 (inc) to 15 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-45251 is a use-after-free vulnerability in the FreeBSD kernel. It happens when a file descriptor is closed while a thread is blocked in a poll(2) or select(2) system call waiting for that descriptor. The kernel fails to properly remove the blocked thread from the wait queue before freeing the underlying object. As a result, when the thread is later woken, it accesses memory that has already been freed, causing a use-after-free condition.


How can this vulnerability impact me? :

This vulnerability can be exploited by an unprivileged local user to gain superuser privileges. This means an attacker with local access could escalate their privileges to root, potentially taking full control of the affected system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, users should upgrade their FreeBSD systems to the patched versions provided by the FreeBSD Security Team.

  • Use pkg(8) to update installed packages.
  • Use freebsd-update(8) to apply binary updates.
  • Alternatively, apply the source code patches released for stable/15, stable/14, and their respective release branches.

After applying updates or patches, a system reboot is required to ensure the fixes take effect.

No workaround is available for this vulnerability.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart