CVE-2026-45251
HIGHDescription
A file descriptor can be closed while a thread is blocked in a poll(2) or select(2) call waiting for that descriptor. Because the blocked thread does not hold a reference to the underlying object, this closure may result in the object being freed while the thread remains blocked. In this situation, the kernel must remove the blocked thread from the per-object wait queue prior to freeing the object. In the case of some file descriptor types, the kernel failed to unlink blocked threads from the object before freeing it. When the blocked thread is subsequently woken, it accesses memory that has already been freed resulting in a use-after-free vulnerability. The use-after-free vulnerability may be triggered by an unprivileged local user and can be exploited to obtain superuser privileges.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
| freebsd | freebsd |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2026-45251? +
How severe is CVE-2026-45251? +
What products are affected by CVE-2026-45251? +
How do I check if I'm vulnerable to CVE-2026-45251? +
Related Vulnerabilities
A heap use-after-free existed when importing the blank-width characters of an ODF number format. A position value read from the …
rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions `ssl::select_next_proto` can return a slice …
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder …
c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in read_answers() when process_answer() may re-enqueue …
There is an issue in CPython when using `bytes.decode("unicode_escape", error="ignore|replace")`. If you are not using the "unicode_escape" encoding or an …
There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP …