Main Vulnerability Database Vulnerabilities #VU29604

#VU29604 Use-after-free in FreeBSD - CVE-2020-7457

Published: July 9, 2020 / Updated: July 30, 2020

Vulnerability identifier: #VU29604

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear

CVE-ID: CVE-2020-7457

CWE-ID: CWE-416

Exploitation vector: Local access

Exploit availability: Public exploit is available

Vulnerable software:
FreeBSD

Software vendor:
FreeBSD Foundation

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition followed by a use-after-free error when processing IPv6 header options set by the IPV6_2292PKTOPTIONS socket option. A local user can set specially crafted IPv6 header options, trigger memory corruption and execute arbitrary code on the system with elevated privileges.

Remediation

Install updates from vendor's website.

External links

https://www.freebsd.org/security/advisories/FreeBSD-SA-20:20.ipv6.asc