-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:43.tcp Security Advisory
The FreeBSD Project
Topic: Use-after-free in TCP RACK stack option handler
Category: core
Module: tcp
Announced: 2026-06-30
Credits: Maik Muench
Affects: All supported versions of FreeBSD.
Corrected: 2026-06-30 17:20:11 UTC (stable/15, 15.1-STABLE)
           2026-06-30 17:22:00 UTC (releng/15.1, 15.1-RELEASE-p1)
           2026-06-30 17:21:28 UTC (releng/15.0, 15.0-RELEASE-p11)
           2026-06-30 17:19:52 UTC (stable/14, 14.4-STABLE)
           2026-06-30 17:21:00 UTC (releng/14.4, 14.4-RELEASE-p7)
           2026-06-30 17:20:34 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name: CVE-2026-49422
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD supports multiple pluggable TCP stacks. A given TCP socket can
be configured to use a particular TCP implementation via setsockopt(2).
The RACK stack implements the Recent ACKnowledgment (RACK) loss
detection algorithm and is provided as the loadable kernel module
tcp_rack.ko.
II. Problem Description
The RACK setsockopt(2) handler drops the connection lock in order to
copy option data from userspace, then reacquires the lock. After
reacquiring, it verifies that the TCP stack has not been switched away,
but does not reload its pointer to the stack's per-connection control
block. If userspace switches stacks twice during this window, the
check will succeed but the saved pointer will refer to freed memory.
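A minimal user-space model of the pattern described above, added here as an illustration and not taken from the FreeBSD source or the patch. All type and function names are hypothetical, and a `live` flag stands in for freeing memory so the stale pointer can be observed safely.

```c
#include <stdio.h>
/* Simplified user-space model; every name is hypothetical, not FreeBSD source. */
enum { STACK_DEFAULT, STACK_RACK };
enum { OPT_OK, OPT_STACK_CHANGED, OPT_STALE_BLOCK };
struct stack_cb { int live; int value; };      /* per-connection stack state */
struct conn { int stack; struct stack_cb *cb; };
static struct stack_cb pool[64];               /* slots are not reused within a run */
static unsigned pool_next;

/* Switching stacks retires the old control block and attaches a fresh one. */
void switch_stack(struct conn *c, int stack) {
    if (c->cb != NULL)
        c->cb->live = 0;                       /* stands in for free() */
    c->cb = &pool[pool_next++ % 64];
    c->cb->live = 1;
    c->stack = stack;
}

/* Another thread's activity while the handler has dropped the lock. */
void switch_away_and_back(struct conn *c) {
    switch_stack(c, STACK_DEFAULT);
    switch_stack(c, STACK_RACK);
}

/* reload_cb == 0 models the flawed handler, 1 the corrected one. */
int set_option(struct conn *c, int reload_cb, void (*window)(struct conn *)) {
    struct stack_cb *cb = c->cb;               /* saved before the lock is dropped */
    if (window != NULL)
        window(c);                             /* unlock, copy from userspace, relock */
    if (c->stack != STACK_RACK)                /* stack-identity check */
        return OPT_STACK_CHANGED;
    if (reload_cb)
        cb = c->cb;                            /* refresh the pointer under the lock */
    if (!cb->live)
        return OPT_STALE_BLOCK;                /* a kernel would be touching freed memory */
    cb->value = 1;
    return OPT_OK;
}

int run_case(int reload_cb, void (*window)(struct conn *)) {
    struct conn c = { STACK_DEFAULT, NULL };
    switch_stack(&c, STACK_RACK);
    return set_option(&c, reload_cb, window);
}

int main(void) {
    printf("flawed=%d corrected=%d\n", run_case(0, switch_away_and_back), run_case(1, switch_away_and_back));
    return 0;
}
```

The identity check passes in both cases because the connection is back on the same stack; only the handler that re-reads the pointer after relocking sees the current control block.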
III. Impact
The bug may be exploitable by an unprivileged local user to escalate
privileges.
IV. Workaround
Systems that have not loaded the tcp_rack.ko kernel module are not
affected. The module is not loaded by default. To check whether
it is loaded, run:
# kldstat -m tcp_rack
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:43/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-26:43/tcp.patch.asc
# gpg --verify tcp.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch -E -p0 < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path          Hash                 Revision
- -------------------------------------------------------------------------
stable/15/           aed4c4dd9afc         stable/15-n284327
releng/15.1/         490e506a1ca8         releng/15.1-n283572
releng/15.0/         57b3853cc9bb         releng/15.0-n281074
stable/14/           df8885512da5         stable/14-n274452
releng/14.4/         800acf75eb80         releng/14.4-n273734
releng/14.3/         8845978fec03         releng/14.3-n271534
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----