FreeBSD -- pts(4) write-after-free
The code which handles a close(2) of a descriptor created
by posix_openpt(2) fails to undo the configuration which
causes SIGIO to be raised. This bug can lead to a
write-after-free of kernel memory.
The bug permits malicious code to trigger a write-after-free,
which may be used to gain root privileges or escape a
Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright