src/sys/netinet6
Mark Johnston 1bac7df1ba in6_mcast: Fix a race in in6p_set_source_filter()
We drop the inpcb lock in order to copy in the source list, but this
leaves a window where the multicast filter structure might be freed.
This can be exploited to obtain root privileges.

In the v4 code this race is mitigated by holding the global multicast
lock across the gap.

Restructure the code to copy in filters before doing anything else, so
that there's no need to drop the inpcb lock and reason about the
correctness of doing so.  Do the same in the v4 code for consistency.

Approved by:	so
Security:	FreeBSD-SA-26:29.ip6_multicast
Security:	CVE-2026-49412
Reported by:	Andrew Griffiths <andrew@calif.io>
Reported by:	Maik Münch <maik@secfault-security.com>
Reviewed by:	glebius
Sponsored by:	The FreeBSD Foundation
Differential Revision:	https://reviews.freebsd.org/D57347
2026-06-09 19:13:21 +00:00