FreeBSD versions 11.0 through 13.0 suffers from a local privilege escalation vulnerability via an aio_aqueue kernel refcount bug. This research post goes into great depth on how the researcher traversed the logic flow and achieved exploitability.
326b5e8f7907c92be98ab7e3ac35bb7766ebdf09bf20a0f1659fef3debf9aa56