FreeBSD reports critical vulnerability in the kernel

FreeBSD has issued a security advisory regarding a critical vulnerability in the umtx subsystem, which could lead to a kernel panic or a Use-After-Free condition.

The vulnerability, identified as CVE-2024-43102 (CVSS score 10), affects all supported versions of FreeBSD and was reported by Synacktiv, with support from The FreeBSD Foundation and The Alpha-Omega Project.

Vulnerability Description

The _umtx_op(2) system call in FreeBSD supports synchronization primitives between threads, utilized by the POSIX-compliant 1:1 Threading Library (libthr). The vulnerability arises within the UMTX_OP_SHM operation, which provides support for shared memory associated with a specific physical address.

Concurrent removals of a memory mapping using the UMTX_SHM_DESTROY sub-request can lead to an improper decrement of the reference count of the object representing the mapping. This may cause the object to be freed prematurely.

A malicious attacker executing the UMTX_SHM_DESTROY sub-request concurrently can cause a kernel panic, leading to a denial of service or perform a Use-After-Free attack, potentially resulting in code execution or escaping from a sandbox, increasing the severity of the attack.

Affected Versions are all supported versions of FreeBSD. There is no workaround available for this vulnerability.

Users are urged to upgrade the affected FreeBSD system to a stable or release/security branch dated after the correction date.

The issue has been resolved in the following branches with corresponding Git commit hashes: