FreeBSD Security Advisory - The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory. The bug permits malicious code to trigger a write-after-free, which may be used to gain root privileges or escape a jail.
c20e2ba9892c896b4cdba0602e7caccb54edd10e2ab74a179baf8dc75414522d