Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early. A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.
The vulnerability results from a bug in handling concurrent deletion requests of anonymous shared memory mappings using the UMTX_SHM_DESTROY sub-request of the UMTX_OP_SHM operation. Concurrent calls to this sub-request by multiple threads cause the reference counter of the object representing the memory mapping to be decremented excessively. Consequently, the object is freed prematurely, creating a classic use-after-free scenario. Malicious code executing UMTX_SHM_DESTROY in parallel can lead to kernel panic or enable further attacks exploiting the freed memory.
An attacker can trigger kernel panic (denial of service), gain the ability to execute arbitrary code (RCE) in kernel context, or escape the Capsicum sandbox by taking control of the system.
Apply patches available from the vendor according to the references — see FreeBSD advisory FreeBSD-SA-24:14.umtx published at https://security.freebsd.org/advisories/FreeBSD-SA-24:14.umtx.asc
FreeBSD — versions indicated in vendor references (advisory FreeBSD-SA-24:14.umtx)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HFreebsd
OSFreebsd13.313.414.014.113.0 – 13.3 (bez)
Related vulnerabilities
RCE w implementacji NFS w OpenBSD i FreeBSD — zdalne wykonanie kodu
FreeBSD: przepełnienie bufora w obsłudze beacon 802.11s prowadzące do RCE
In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5...
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket...
In FreeBSD 12.2-STABLE before r368250, 11.4-STABLE before r368253, 12.2-RELEASE before p1, 12.1-RELEASE before...