MNBSD-2026-60: Use-after-free in the TCP RACK stack setsockopt(2) handler (CVE-2026-49422)

Severity: Unknown

Affected Package: kernel/tcp_rack

Summary: Use-after-free in the TCP RACK stack setsockopt(2) handler (CVE-2026-49422)

Description

The RACK TCP stack (tcp_rack.ko) setsockopt(2) handler drops the connection lock to copy option data from userspace, then reacquires it. After reacquiring, it verified that the stack had not been switched away but did not reload its pointer to the stack's per-connection control block. 1. Use-after-free in rack_set_sockopt() (CWE-416, CVE-2026-49422) - if userspace switches stacks twice during the window, the check succeeds but the saved pointer refers to freed memory. An unprivileged local user may be able to escalate privileges. Only systems that have loaded tcp_rack.ko are affected; the module is not loaded by default.

Affected Versions

kernel/tcp_rack

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2026-49422

Published: July 01, 2026
Last Modified: July 01, 2026