CVE-2026-45251— Kernel use-after-free via file descriptor syscalls
Possible ATT&CK Techniques 2AI
T1068 · Exploitation for Privilege Escalation T1203 · Exploitation for Client ExecutionGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45251
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Kernel use-after-free via file descriptor syscalls
Source: NVD (National Vulnerability Database)
Vulnerability Description
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
释放后使用
Source: NVD (National Vulnerability Database)
Vulnerability Title
FreeBSD 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FreeBSD是FreeBSD基金会的一套类Unix操作系统。 FreeBSD存在资源管理错误漏洞,该漏洞源于文件描述符关闭时线程阻塞在poll或select调用中,内核在释放对象前未能从对象等待队列中移除阻塞线程,导致释放后重用,可能被无特权本地用户触发并利用获取超级用户权限。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45251
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45251
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-45251 (1)
Same Patch Batch · FreeBSD · 2026-05-21 · 7 CVEs total
| CVE-2026-45250 | Stack buffer overflow via setcred(2) | |
| CVE-2026-45252 | Heap overflow in FUSE_LISTXATTR | |
| CVE-2026-45255 | Remote code execution via installer Wi-Fi access point scans | |
| CVE-2026-45253 | Missing validation in ptrace(PT_SC_REMOTE) | |
| CVE-2026-45254 | Incorrect libcap_net limitation list manipulation | |
| CVE-2026-39461 | select(2) file descriptor set overflow causes stack overflow |
IV. Related Vulnerabilities
Same product: FreeBSD
- CVE-2026-45254
Incorrect libcap_net limitation list manipulation - CVE-2026-45255
Remote code execution via installer Wi-Fi access point scans - CVE-2026-39461
select(2) file descriptor set overflow causes stack overflow - CVE-2026-45253
Missing validation in ptrace(PT_SC_REMOTE) - CVE-2026-45252
Heap overflow in FUSE_LISTXATTR
Same vendor: FreeBSD
- CVE-2026-45254
Incorrect libcap_net limitation list manipulation - CVE-2026-45255
Remote code execution via installer Wi-Fi access point scans - CVE-2026-39461
select(2) file descriptor set overflow causes stack overflow - CVE-2026-45253
Missing validation in ptrace(PT_SC_REMOTE) - CVE-2026-45252
Heap overflow in FUSE_LISTXATTR
V. Comments for CVE-2026-45251
No comments yet