DragonFlyBSD Kernel Audit
DF-0356

nd6_resolve ln_hold mbuf accessed without nd6_mtx: UAF race with nd6_timer

Summary

nd6_resolve (:2078-2080) modifies ln_hold (frees the old mbuf, then assigns the new one) without holding nd6_mtx. nd6_timer_dispatch (:502-523) reads and consumes ln_hold under nd6_mtx for entries in the INCOMPLETE state. When the output path runs on a different CPU than netisr0, the timer can read the freed mbuf, which is a use-after-free. The timing is tight: it requires concurrent IPv6 output to an unresolved neighbor while the 1s timer fires.
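The interleaving described in the summary, as a single-threaded user-space model added here (not DragonFly kernel code and not the project's fix). `struct pkt`, `struct entry`, the `locked` flag standing in for nd6_mtx, and all function names are hypothetical; the `between` hook marks the point at which the timer on another CPU can run.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not kernel code: pkt stands in for an mbuf, entry for
 * the neighbor entry, and `locked` for nd6_mtx being held. */
struct pkt { bool freed; };
struct entry { struct pkt *hold; bool locked; };
typedef struct pkt *(*other_cpu_fn)(struct entry *);

static void pkt_free(struct pkt *p) { if (p != NULL) p->freed = true; }

/* Timer side: takes the lock, detaches the held packet and returns it for
 * transmission. Returns NULL if the slot is empty or the lock is held
 * (in this model "would block" is reported as "did nothing"). */
static struct pkt *timer_consume(struct entry *e) {
    if (e->locked) return NULL;
    struct pkt *p = e->hold;
    e->hold = NULL;
    return p;
}

/* Writer without the lock: free old, then assign new. `between` runs in the
 * window between the two steps; its result is what the other CPU picked up. */
static struct pkt *replace_unlocked(struct entry *e, struct pkt *n, other_cpu_fn between) {
    pkt_free(e->hold);
    struct pkt *seen = between(e);
    e->hold = n;
    return seen;
}

/* Writer with the lock (assumed remediation shape): swap under the lock,
 * free the detached packet only after the slot no longer points at it. */
static struct pkt *replace_locked(struct entry *e, struct pkt *n, other_cpu_fn between) {
    e->locked = true;
    struct pkt *old = e->hold;
    e->hold = n;
    struct pkt *seen = between(e);
    e->locked = false;
    pkt_free(old);
    return seen;
}

int main(void) {  /* exit 0: racy run handed out a freed packet, locked run did not */
    struct pkt a = {false}, b = {false}, c = {false}, d = {false};
    struct entry racy = {&a, false}, safe = {&c, false};
    struct pkt *r = replace_unlocked(&racy, &b, timer_consume);
    struct pkt *s = replace_locked(&safe, &d, timer_consume);
    return (r == &a && r->freed && s == NULL && safe.hold == &d) ? 0 : 1;
}
```

In the unlocked run the timer is handed a packet whose `freed` flag is already set; in the locked run it is held off until the swap completes and then receives the new packet.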