The thr_kill2(2) system call calls p_cansignal() to check if signaling a specific thread is permitted but fails to verify the check's result before sending the signal. Consequently, signals are delivered even when permission is denied. Since thread IDs are globally allocated and guessable, an unprivileged local attacker can send signals to processes outside their permission scope, including those owned by other users or root, and cross jail boundaries. This vulnerability enables denial of service by allowing termination or stopping of arbitrary processes.

An unprivileged local attacker can send signals to processes they normally cannot signal, including root-owned and other users' processes, bypassing jail restrictions. This can result in denial of service by stopping or terminating critical system daemons or other important processes. There is no confidentiality or integrity impact reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict local user access and monitor for suspicious use of signals targeting processes outside normal permissions.