CVE-2026-45251

7.8 HIGH

A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor

Published: 2026-05-21 · Last updated: 2026-05-21

Severity and scoring

CVSS: 7.8 HIGH
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-416

Affected products

Vendor	Product
freebsd	freebsd

Description

A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45251
[Vendor advisory]https://security.freebsd.org/advisories/FreeBSD-SA-26:19.file.asc

Related CVEs

Same vendor

CVE-2026-45255 — When bsdinstall or bsdconfig are prompted to scan for nearby Wi-Fi networks, they build up a list of network names and use bsddialog(1) t... (7.5 HIGH)
CVE-2026-45254 — In the case of the cap_net service, when a key present in the old limit was omitted from the new limit, the missing key was treated as "a... (6.5 MEDIUM)
CVE-2026-45253 — ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls (8.4 HIGH)
CVE-2026-45252 — When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retriev... (5.5 MEDIUM)
CVE-2026-39461 — libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become av... (8.8 HIGH)

Same CWE

CVE-2026-10640 — Zephyr's IPv6 Neighbor Discovery send paths (net_ipv6_send_na, net_ipv6_send_ns, net_ipv6_send_rs in subsys/net/ip/ipv6_nbr.c) updated th... (4.2 MEDIUM)
CVE-2026-10639 — In Zephyr's native IPv4 stack, icmpv4_handle_echo_request() in subsys/net/ip/icmpv4.c builds an echo-reply packet (reply), hands it to ne... (4.8 MEDIUM)
CVE-2026-10638 — subsys/net/ip/icmpv6.c reads the network interface from a net_pkt after that packet has been handed to net_try_send_data() (5.9 MEDIUM)
CVE-2026-10637 — subsys/net/ip/ipv6_mld.c:mld_send() read the packet interface via net_pkt_iface(pkt) after net_send_data(pkt) returned successfully (5.9 MEDIUM)
CVE-2026-10636 — In Zephyr's IPv4 IGMP implementation, igmp_send() in subsys/net/ip/igmp.c read the network interface back out of the packet via net_pkt_i... (3.7 LOW)