CVE-2009-3527

FreeBSD 6.3-6.4 - Race Condition in Pipe Close Function

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-3527. PoCs published by Przemyslaw Frasunek.

AI-analyzed exploit summary: This exploit targets a race condition in FreeBSD <= 6.4 between pipeclose() and knlist_cleardel(), leading to a NULL pointer dereference. It achieves local privilege escalation (LPE) by executing arbitrary kernel code to modify credentials and escape jail.

Description

Race condition in the Pipe (IPC) close function in FreeBSD 6.3 and 6.4 allows local users to cause a denial of service (crash) or gain privileges via vectors related to kqueues, which triggers a use after free, leading to a NULL pointer dereference or memory corruption.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Przemyslaw Frasunek · c · local · freebsd
https://www.exploit-db.com/exploits/9859

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Racy
Target: FreeBSD <= 6.4
No auth needed
Prerequisites: Multiprocessor system · Unpatched FreeBSD <= 6.4
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Patch vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1022982
Patch vendor-advisory x_refsource_freebsd
http://security.freebsd.org/advisories/FreeBSD-SA-09:13.pipe.asc
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/58544
Exploit mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/506449
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/36375

Scores

EPSS 0.0055
EPSS Percentile 41.7%

Details

CWE: CWE-362
Status: published
Products (2):
freebsd/freebsd 6.3
freebsd/freebsd 6.4
Published: Oct 06, 2009
Tracked Since: Feb 18, 2026