CVE-2026-45251

HIGH EPSS 6.7%

Published May 21, 20261mo ago · Modified Jun 17, 20261w ago

7.8 CVSS 3.1

High

Published May 21, 2026 1mo ago

Last Modified Jun 17, 2026 1w ago

Description

A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.

CVSS Details

Base Score

7.8

Exploitability

1.8

Impact

5.9

Vector string

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability High

Threat Intelligence

EPSS Exploit Probability

6.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 1

CWE-416 Use After Free Memory Safety

Affected Products 29

Vendor	Product	Version	Range
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.3	any
freebsd	freebsd	14.4	any
freebsd	freebsd	14.4	any
freebsd	freebsd	14.4	any
freebsd	freebsd	14.4	any
freebsd	freebsd	14.4	any
freebsd	freebsd	14.4	any
freebsd	freebsd	15.0	any
freebsd	freebsd	15.0	any
freebsd	freebsd	15.0	any
freebsd	freebsd	15.0	any
freebsd	freebsd	15.0	any
freebsd	freebsd	15.0	any
freebsd	freebsd	15.0	any
freebsd	freebsd	15.0	any
freebsd	freebsd	15.0	any

References 1

security.freebsd.org https://security.freebsd.org/advisories/FreeBSD-SA-26:19.file.asc

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.