=============================================================================
FreeBSD-SA-26:43.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Use-after-free in TCP RACK stack option handler

Category:       core
Module:         tcp
Announced:      2026-06-30
Credits:        Maik Muench
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-30 17:20:11 UTC (stable/15, 15.1-STABLE)
                2026-06-30 17:22:00 UTC (releng/15.1, 15.1-RELEASE-p1)
                2026-06-30 17:21:28 UTC (releng/15.0, 15.0-RELEASE-p11)
                2026-06-30 17:19:52 UTC (stable/14, 14.4-STABLE)
                2026-06-30 17:21:00 UTC (releng/14.4, 14.4-RELEASE-p7)
                2026-06-30 17:20:34 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name:       CVE-2026-49422

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD supports multiple pluggable TCP stacks.  A given TCP socket can be
configured to use a particular TCP implementation via setsockopt(2).  The
RACK stack implements the Recent ACKnowledgment (RACK) loss detection
algorithm and is provided as the loadable kernel module tcp_rack.ko.

II.  Problem Description

The RACK setsockopt(2) handler drops the connection lock in order to copy
option data from userspace, then reacquires the lock.  After reacquiring, it
verifies that the TCP stack has not been switched away, but does not reload
its pointer to the stack's per-connection control block.  If userspace
switches stacks twice during this window, the check will succeed but the
saved pointer will refer to freed memory.

III. Impact

The bug may be exploitable by an unprivileged local user to escalate
privileges.

IV.  Workaround

Systems that have not loaded the tcp_rack.ko kernel module are not affected.
The module is not loaded by default.  To check whether it is loaded, run:

# kldstat -m tcp_rack

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64
or arm64 platforms, which were installed using base system packages,
can be updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms which were not installed using base system packages can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:43/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-26:43/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              aed4c4dd9afc    stable/15-n284327
releng/15.1/                            490e506a1ca8  releng/15.1-n283572
releng/15.0/                            57b3853cc9bb  releng/15.0-n281074
stable/14/                              df8885512da5    stable/14-n274452
releng/14.4/                            800acf75eb80  releng/14.4-n273734
releng/14.3/                            8845978fec03  releng/14.3-n271534
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
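
The following triage helper is an added example, not part of the advisory or of FreeBSD: it combines the "Corrected:" patch levels with the tcp_rack workaround check to classify a host. The function names and the status labels (patched, mitigated, vulnerable, check-manually) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: classify a host against FreeBSD-SA-26:43.tcp.
# Fixed patch levels are copied from the advisory's "Corrected:" field.

# sa2643_fixed_pl BRANCH -> first fixed patch level of a releng branch,
# or no output when the advisory does not list that branch.
sa2643_fixed_pl() {
    case "$1" in
        15.1) echo 1 ;;
        15.0) echo 11 ;;
        14.4) echo 7 ;;
        14.3) echo 16 ;;
    esac
}

# sa2643_status VERSION RACK_LOADED
#   VERSION      as printed by freebsd-version(1), e.g. 15.0-RELEASE-p10
#   RACK_LOADED  1 if tcp_rack is loaded, 0 if it is not
# Prints: patched | mitigated | vulnerable | check-manually
sa2643_status() {
    ver=$1 loaded=$2 state=unknown
    case "$ver" in
        *-RELEASE)         pl=0 ;;
        *-RELEASE-p[0-9]*) pl=${ver##*-p} ;;
        *)                 pl= ;;   # -STABLE, -RC, ...: no patch level
    esac
    fixed=$(sa2643_fixed_pl "${ver%%-*}")
    case "$pl" in
        ''|*[!0-9]*) ;;             # not a plain number: stay unknown
        *) if [ -n "$fixed" ]; then
               if [ "$pl" -ge "$fixed" ]; then state=patched
               else state=unpatched; fi
           fi ;;
    esac
    case "$state:$loaded" in
        patched:*)   echo patched ;;
        *:0)         echo mitigated ;;      # unpatched/unknown, module absent
        unpatched:1) echo vulnerable ;;
        *)           echo check-manually ;; # compare commit count (section VI)
    esac
}

# On a FreeBSD host, feed it the running kernel and module state:
#   kldstat -q -m tcp_rack && loaded=1 || loaded=0
#   sa2643_status "$(freebsd-version -r)" "$loaded"
```

A "mitigated" result means only that the module is not loaded now; the kernel still needs the update, since the module can be loaded later.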