
FreeBSD Security Advisory FreeBSD-SA-26:43.tcp

Posted on 30 June 2026

=============================================================================
FreeBSD-SA-26:43.tcp Security Advisory
The FreeBSD Project

Topic: Use-after-free in TCP RACK stack option handler

Category: core
Module: tcp
Announced: 2026-06-30
Credits: Maik Muench
Affects: All supported versions of FreeBSD.
Corrected: 2026-06-30 17:20:11 UTC (stable/15, 15.1-STABLE)
           2026-06-30 17:22:00 UTC (releng/15.1, 15.1-RELEASE-p1)
           2026-06-30 17:21:28 UTC (releng/15.0, 15.0-RELEASE-p11)
           2026-06-30 17:19:52 UTC (stable/14, 14.4-STABLE)
           2026-06-30 17:21:00 UTC (releng/14.4, 14.4-RELEASE-p7)
           2026-06-30 17:20:34 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name: CVE-2026-49422

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

FreeBSD supports multiple pluggable TCP stacks. A given TCP socket can
be configured to use a particular TCP implementation via setsockopt(2).

The RACK stack implements the Recent ACKnowledgment (RACK) loss
detection algorithm and is provided as the loadable kernel module
tcp_rack.ko.

II. Problem Description

The RACK setsockopt(2) handler drops the connection lock in order to
copy option data from userspace, then reacquires the lock. After
reacquiring the lock, it verifies that the TCP stack has not been
switched away, but does not reload its pointer to the stack's
per-connection control block. If userspace switches stacks twice
during this window, the check will succeed but the saved pointer will
refer to freed memory.

III. Impact

The bug may be exploitable by an unprivileged local user to escalate
privileges.

IV. Workaround

Systems that have not loaded the tcp_rack.ko kernel module are not
affected. The module is not loaded by default. To check whether
it is loaded, run:

# kldstat -m tcp_rack
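
A host triage check that combines the module test above with the patch
levels from the "Corrected" field of this advisory. It is an added example,
not part of the advisory or of FreeBSD; the function names and status
strings are assumptions of the example.

```shell
#!/bin/sh
# Added example: triage one host against FreeBSD-SA-26:43.tcp.
# Function names and status strings are this example's own.

# Minimum patch level carrying the fix, from the advisory's "Corrected" field.
fixed_patchlevel() {
    case "$1" in
        15.1) echo 1 ;;
        15.0) echo 11 ;;
        14.4) echo 7 ;;
        14.3) echo 16 ;;
    esac
}

# sa2643_status KERNEL_VERSION RACK_LOADED
#   KERNEL_VERSION: string as printed by `freebsd-version -k`
#   RACK_LOADED:    "yes" if tcp_rack is loaded, anything else otherwise
sa2643_status() {
    ver=$1; loaded=$2
    case "$ver" in
        *-RELEASE-p*) pl=${ver##*-p} ;;
        *-RELEASE)    pl=0 ;;
        # STABLE/CURRENT names carry no patch level: compare the commit
        # count against the nNNNNNN column of the advisory instead.
        *) echo "check-commit-count"; return 0 ;;
    esac
    need=$(fixed_patchlevel "${ver%%-*}")
    case "$need:$pl" in
        :*|*:|*:*[!0-9]*) echo "unknown-version"; return 0 ;;
    esac
    if [ "$pl" -ge "$need" ]; then
        echo "patched"
    elif [ "$loaded" = yes ]; then
        echo "vulnerable"
    else
        # Not affected until someone loads the module; still needs the update.
        echo "unpatched-module-not-loaded"
    fi
}

# On a FreeBSD host, evaluate the running kernel; elsewhere do nothing.
if command -v freebsd-version >/dev/null 2>&1; then
    if kldstat -q -m tcp_rack 2>/dev/null; then rack=yes; else rack=no; fi
    sa2643_status "$(freebsd-version -k)" "$rack"
fi
```

The running kernel is checked rather than the installed userland, so a
host that was updated but not yet rebooted still reports as unpatched.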

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:43/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-26:43/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path      Hash            Revision
-------------------------------------------------------------------------
stable/15/       aed4c4dd9afc    stable/15-n284327
releng/15.1/     490e506a1ca8    releng/15.1-n283572
releng/15.0/     57b3853cc9bb    releng/15.0-n281074
stable/14/       df8885512da5    stable/14-n274452
releng/14.4/     800acf75eb80    releng/14.4-n273734
releng/14.3/     8845978fec03    releng/14.3-n271534
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49422>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:43.tcp.asc>

 
