Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.
2024-09-05T05:15:13.677
2024-11-21T09:35:00.713
Modified
CVSSv3.1: 10.0 (CRITICAL)
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Operating System | freebsd | freebsd | < 13.3 | Yes |
| Operating System | freebsd | freebsd | 13.3 | Yes |
| Operating System | freebsd | freebsd | 13.3 | Yes |
| Operating System | freebsd | freebsd | 13.3 | Yes |
| Operating System | freebsd | freebsd | 13.3 | Yes |
| Operating System | freebsd | freebsd | 13.3 | Yes |
| Operating System | freebsd | freebsd | 13.3 | Yes |
| Operating System | freebsd | freebsd | 13.4 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.0 | Yes |
| Operating System | freebsd | freebsd | 14.1 | Yes |
| Operating System | freebsd | freebsd | 14.1 | Yes |
| Operating System | freebsd | freebsd | 14.1 | Yes |
| Operating System | freebsd | freebsd | 14.1 | Yes |