FreeBSD-SA-19:19.mldv2 Security Advisory
The FreeBSD Project
Topic: ICMPv6 / MLDv2 out-of-bounds memory access
Credits: CJD of Apple
Affects: All supported versions of FreeBSD.
Corrected: 2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE)
           2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9)
           2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE)
           2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2)
           2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name: CVE-2019-5608
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
MLDv2 is the Multicast Listener Discovery protocol, version 2. It is used
by IPv6 routers to discover multicast listeners.
II. Problem Description
The ICMPv6 input path incorrectly handles cases where an MLDv2 listener
query packet is internally fragmented across multiple mbufs.
III. Impact
A remote attacker may be able to cause an out-of-bounds read or write that
may cause the kernel to attempt to access an unmapped page and subsequently
No workaround is available. Systems not using IPv6 are not affected.
Perform one of the following:
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
1) To update your vulnerable system via a binary patch:
Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:
Does anyone have any more details about the implication of this? E.g.,
does a daemon need to be listening on a target device? Is it merely the
act of forwarding such packets? Can a non-root user open such a daemon?
> FreeBSD-SA-19:19.mldv2 Security
> The FreeBSD
> Topic: ICMPv6 / MLDv2 out-of-bounds memory access
> MLDv2 is the Multicast Listener Discovery protocol, version 2. It is used
> by IPv6 routers to discover multicast listeners.
> II. Problem Description
> The ICMPv6 input path incorrectly handles cases where an MLDv2 listener
> query packet is internally fragmented across multiple mbufs.
> III. Impact
> A remote attacker may be able to cause an out-of-bounds read or write that
> may cause the kernel to attempt to access an unmapped page and
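
As an added illustration of the problem description quoted above (not code from the advisory, the thread or the FreeBSD kernel), this toy model shows why a header that straddles two buffers of a chain has to be copied out with bounds checks instead of being read through a pointer into the first buffer. `struct seg`, `chain_len`, `chain_copy` and `mldv2_query_nsrc` are hypothetical names; the 28-byte query header and the Number of Sources offset follow RFC 3810, and the packet in `main` is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for one mbuf in a chain (hypothetical type, not the kernel's). */
struct seg { struct seg *next; const uint8_t *data; size_t len; };
#define MLDV2_QUERY_HDR_LEN 28  /* fixed MLDv2 query header (RFC 3810) */
#define MLDV2_NSRC_OFF      26  /* 16-bit "Number of Sources" field */
#define IN6_ADDR_LEN        16

/* Total number of bytes held by the whole chain. */
static size_t chain_len(const struct seg *s) {
    size_t n = 0;
    for (; s != NULL; s = s->next) n += s->len;
    return n;
}

/* Copy len bytes at offset off into dst, walking segment by segment.
 * Returns 0 on success, -1 if the chain ends before len bytes are copied. */
static int chain_copy(const struct seg *s, size_t off, size_t len, uint8_t *dst) {
    for (; s != NULL && off >= s->len; s = s->next)
        off -= s->len;                       /* skip segments before off */
    for (; len > 0; s = s->next, off = 0) {
        if (s == NULL) return -1;            /* ran out of packet */
        size_t n = s->len - off < len ? s->len - off : len;
        memcpy(dst, s->data + off, n);       /* never crosses a segment end */
        dst += n; len -= n;
    }
    return 0;
}

/* Source count from a query, or -1 if the header is truncated or the count
 * claims more source addresses than the packet actually carries. */
static int mldv2_query_nsrc(const struct seg *pkt) {
    uint8_t hdr[MLDV2_QUERY_HDR_LEN];
    if (chain_copy(pkt, 0, sizeof(hdr), hdr) != 0) return -1;
    size_t nsrc = (size_t)hdr[MLDV2_NSRC_OFF] << 8 | hdr[MLDV2_NSRC_OFF + 1];
    if (nsrc * IN6_ADDR_LEN > chain_len(pkt) - sizeof(hdr)) return -1;
    return (int)nsrc;
}

int main(void) {
    /* Constructed query: 28-byte header with nsrc = 1, then one 16-byte source. */
    static const uint8_t pkt[44] = { [0] = 130, [27] = 1 };
    struct seg tail = { NULL, pkt + 20, 24 }, head = { &tail, pkt, 20 };
    printf("nsrc=%d\n", mldv2_query_nsrc(&head)); /* header split at byte 20 */
    return 0;
}
```

The first segment in `main` holds only 20 of the 28 header bytes, so a parser that casts that segment's data pointer to a header struct would read the Number of Sources field from memory outside the segment.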