FreeBSD Kernel UAF via Indirect FD Close in Poll/Select (CVE-2026-45251)
CVE-2026-45251 Published on May 21, 2026
Kernel use-after-free via file descriptor syscalls
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object.
In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability.
The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Vulnerability Analysis
CVE-2026-45251 can be exploited with local system access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
What is a Dangling pointer Vulnerability?
Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.
CVE-2026-45251 has been classified to as a Dangling pointer vulnerability or weakness.
Products Associated with CVE-2026-45251
Want to know whenever a new CVE is published for FreeBSD? stack.watch will email you.
Affected Versions
FreeBSD:- Version 15.0-RELEASE and below p9 is affected.
- Version 14.4-RELEASE and below p5 is affected.
- Version 14.3-RELEASE and below p14 is affected.