Integer overflow in the f_count counter in FreeBSD before 4.2 through 5.0 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via multiple calls to (1) fpathconf and (2) lseek, which do not properly decrement f_count through a call to fdrop.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freebsd | Freebsd | 1.1.5.1 | 1.1.5.1 |
| Freebsd | Freebsd | 2.1.0 | 2.1.0 |
| Freebsd | Freebsd | 2.1.5 | 2.1.5 |
| Freebsd | Freebsd | 2.1.6 | 2.1.6 |
| Freebsd | Freebsd | 2.1.6.1 | 2.1.6.1 |
| Freebsd | Freebsd | 2.1.7 | 2.1.7 |
| Freebsd | Freebsd | 2.1.7.1 | 2.1.7.1 |
| Freebsd | Freebsd | 2.2 | 2.2 |
| Freebsd | Freebsd | 2.2 | 2.2 |
| Freebsd | Freebsd | 2.2.1 | 2.2.1 |
| Freebsd | Freebsd | 2.2.2 | 2.2.2 |
| Freebsd | Freebsd | 2.2.3 | 2.2.3 |
| Freebsd | Freebsd | 2.2.4 | 2.2.4 |
| Freebsd | Freebsd | 2.2.5 | 2.2.5 |
| Freebsd | Freebsd | 2.2.6 | 2.2.6 |
| Freebsd | Freebsd | 2.2.7 | 2.2.7 |
| Freebsd | Freebsd | 2.2.8 | 2.2.8 |
| Freebsd | Freebsd | 3.1 | 3.1 |
| Freebsd | Freebsd | 3.2 | 3.2 |
| Freebsd | Freebsd | 3.3 | 3.3 |
| Freebsd | Freebsd | 3.4 | 3.4 |
| Freebsd | Freebsd | 3.5 | 3.5 |
| Freebsd | Freebsd | 3.5.1 | 3.5.1 |
| Freebsd | Freebsd | 4.2 | 4.2 |
| Freebsd | Freebsd | 4.3 | 4.3 |
| Freebsd | Freebsd | 4.3 | 4.3 |
| Freebsd | Freebsd | 4.4 | 4.4 |
| Freebsd | Freebsd | 4.5 | 4.5 |
| Freebsd | Freebsd | 4.5 | 4.5 |
| Freebsd | Freebsd | 4.6 | 4.6 |
| Freebsd | Freebsd | 4.6 | 4.6 |
| Freebsd | Freebsd | 4.7 | 4.7 |
| Freebsd | Freebsd | 4.7 | 4.7 |
| Freebsd | Freebsd | 4.9 | 4.9 |
| Freebsd | Freebsd | 4.10 | 4.10 |
| Freebsd | Freebsd | 4.10 | 4.10 |
| Freebsd | Freebsd | 4.10 | 4.10 |
| Freebsd | Freebsd | 4.10 | 4.10 |
| Freebsd | Freebsd | 4.11 | 4.11 |
| Freebsd | Freebsd | 4.11 | 4.11 |
| Freebsd | Freebsd | 4.11 | 4.11 |
| Freebsd | Freebsd | 4.11 | 4.11 |
| Freebsd | Freebsd | 5.0 | 5.0 |