Total vulnerabilities in the database
Concurrent removals of certain anonymous shared memory mappings by using the UMTX_SHM_DESTROY sub-request of UMTX_OP_SHM can lead to decreasing the reference count of the object representing the mapping too many times, causing it to be freed too early.
A malicious code exercizing the UMTX_SHM_DESTROY sub-request in parallel can panic the kernel or enable further Use-After-Free attacks, potentially including code execution or Capsicum sandbox escape.
| Software | From | Fixed in |
|---|---|---|
| freebsd / freebsd | 14.0 | 14.0.x |
| freebsd / freebsd | 14.0-beta5 | 14.0-beta5.x |
| freebsd / freebsd | 14.0-rc3 | 14.0-rc3.x |
| freebsd / freebsd | 14.0-rc4-p1 | 14.0-rc4-p1.x |
| freebsd / freebsd | 14.0-p1 | 14.0-p1.x |
| freebsd / freebsd | 14.0-p2 | 14.0-p2.x |
| freebsd / freebsd | 14.1 | 14.1.x |
| freebsd / freebsd | 14.1-p1 | 14.1-p1.x |
| freebsd / freebsd | 14.0-p4 | 14.0-p4.x |
| freebsd / freebsd | 14.0-p5 | 14.0-p5.x |
| freebsd / freebsd | 14.0-p6 | 14.0-p6.x |
| freebsd / freebsd | 14.0-p7 | 14.0-p7.x |
| freebsd / freebsd | 14.0-p3 | 14.0-p3.x |
| freebsd / freebsd | 13.3 | 13.3.x |
| freebsd / freebsd | 13.3-p1 | 13.3-p1.x |
| freebsd / freebsd | 13.3-p2 | 13.3-p2.x |
| freebsd / freebsd | 13.3-p3 | 13.3-p3.x |
| freebsd / freebsd | 14.1-p2 | 14.1-p2.x |
| freebsd / freebsd | 14.0-p8 | 14.0-p8.x |
| freebsd / freebsd | 13.3-p4 | 13.3-p4.x |
| freebsd / freebsd | 13.0 | 13.3 |
| freebsd / freebsd | 14.1-p3 | 14.1-p3.x |
| freebsd / freebsd | 14.0-p9 | 14.0-p9.x |
| freebsd / freebsd | 13.4-beta3 | 13.4-beta3.x |
| freebsd / freebsd | 13.3-p5 | 13.3-p5.x |