From nobody Tue Jun 9 23:12:42 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl7G1vxKz6gpqb for ; Tue, 09 Jun 2026 23:12:42 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl7G1J3Yz3MwV; Tue, 09 Jun 2026 23:12:42 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046762; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=uss4UWiDvTo4+SKymVZeJOzeJ5y1/rm1QEYSxmawLXM=; b=sG3lUfUBiVz2DRrvnDltDbTbL/T/Ftf+wK+U/fpA9pcqXdjp28Ibb1YuHp0/Rqq8FKul9m F90jXAwDw54ISsMsIvUuPaT5KQL0UCiw9Z1fnQU79LTlewhurw06WjPIgDgJZmzw/VqTTw ZjHRp+cu6fwDd6gPkIk0OmCSI3dAxdshQENFpf0lLcjs53snmWJB3dWOmYmEbNEgp2veCn NhmTZHJ13tOwuqIzxnQRWvicRjIVzDvs8CHCJWkrXiwcYEDlUUXGX+wecOK7fBJFSC7GKZ WQvVEKQgDZKoUC8tjTljN7t+7FL7Qksi31Ah6XAwVenomLs253K4bgI5oR+yCQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046762; a=rsa-sha256; cv=none; b=td+j2DOtCuOV5TJXb/nqg5zrvhRyvxmuziXvCP9PUc4fyJGXIAa0Hocmg2a0L0EkwfCEkS /GDJYIokuR/+JfiUYm4+VZlOfBOmnJ9c0WPkVvMXJhzstDT7SEe0+12HecdJO4HRuKx1Uu GFHreX18HH2lgOdxTEDMCtBVyovBq/4urhHbAHdJkhTDxmVg/3UIPOdk+d2QzhBKVWWwEn DdJ3q5x0N+rgw8l8chRT42W282alhi58UmrkhcNE+E3s5axDtqTLHvoeTI5KX4ZSq7HLUy 6QVrVA6BZbIP+0swKxFooE2s5fG1QPw4F1mSoaiF+Qt30NtHArGCBUmaIaiaxw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046762; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=uss4UWiDvTo4+SKymVZeJOzeJ5y1/rm1QEYSxmawLXM=; b=M7vDfa9/5pnt+NzHUqkhAOeC7T2R9A8REOjzK4V3JDHfPE/07lklk1z/NG7Gj66pLzjh+A 2H9KmlDdlvpychqPNPfIKUY1791iC+NNyCmo4mVlCWtqSddal2hbIYvpAixEcHUe1Hq7sH FFTOBVdxC6Lik7fJ+avl+TUPiAVM4BZtkNxyzReuum1t5in2+czlsPURjburWwaeXFwAuu J3i8kmxtbumHCj5JDPze8+3BYBTG+LaRD7AtHPjXqPT5kVZYA2//ls3Pndj7d2O+JASOxD e0jYN8e3cx3nq3oqV8aTq+ewddkApRWfX4E863O3zTJUA4z0Y/8AsE7v+GH7jg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 1F4D41FD1C; Tue, 09 Jun 2026 23:12:42 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: FreeBSD Errata Notice FreeBSD-EN-26:14.syslogd Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20260609231242.1F4D41FD1C@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:12:42 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-26:14.syslogd Errata Notice The FreeBSD Project Topic: syslogd(8) memory leak in casper_ttymsg() Category: core Module: syslogd Announced: 2026-06-09 Affects: FreeBSD 15.0 and later Corrected: 2026-05-26 20:41:22 UTC (stable/15, 15.1-STABLE) 2026-05-28 22:16:09 UTC (releng/15.1, 15.1-RC2) 2026-06-09 19:19:32 UTC (releng/15.0, 15.0-RELEASE-p10) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background syslogd(8) is the system log daemon, responsible for receiving log messages from the kernel and from userland programs and dispatching them according to syslog.conf(5). It can be configured to log messages to a system console or to logged-in users' TTYs. As of FreeBSD 15.0, syslogd runs in a Capsicum sandbox, and delegates the actual writing of console messages to a libcasper(3) service. II. Problem Description When delivering a message to the console or to a terminal, the libcasper service retrieved the message text with nvlist_take_string_array(9), which transfers ownership of the array and its strings to the caller. The casper_ttymsg() and casper_wallmsg() functions never freed them, leaking memory on every message routed to the console or a terminal. III. Impact On long-running systems that emit a steady stream of log messages routed to /dev/console or to user terminals, the resident size of syslogd.casper helper process grows without bound. This may eventually lead to memory pressure, including swap usage, or process termination by the out-of-memory killer. syslogd itself continues to function. IV. Workaround Periodically restarting syslogd will reclaim leaked memory. Systems that do not direct syslog output to /dev/console, terminals, or wall destinations are not affected. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # service syslogd restart 2) To update your system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # service syslogd restart 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/EN-26:14/syslogd.patch # fetch https://security.FreeBSD.org/patches/EN-26:14/syslogd.patch.asc # gpg --verify syslogd.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart syslogd(8), or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ be03b0fb2241 stable/15-n283693 releng/15.1/ d51d91b07f5b releng/15.1-n283540 releng/15.0/ 998de2d14e25 releng/15.0-n281049 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiS0bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvi2gQAMf5aER4RND+DWh7qbbQ ZuQwejCwW1MeX/oex0TAD8tvGgaBXOztAMMPQ4KRyrzjIYeo5+NpWAYlhqiAOOKE DCctvWY2hMylj5NNV2etV4QpK0h2R4ZTRj2gnWhYIr/PkzRmaJu9tc3dOH5DQSQZ WZTwo+Wu/vcAnevgIe4cOPI07YdZjl6bGlOo8q0qBaJ1xKk5NbY3Se9IJX3pCf31 KODaPY1Py9EuYyW1HoDfrZV7V0iV3X51lgLNmHa2l8Z2cFD/U7Xsk08wU/vtcY0o la+hvXwMjzHrtie6a2FNV2twyH534B/2ye5Olsf/QnI+g6mEKr3Xif9tt5fYQHXW Lku+Auc3Hy1d1vK5MUOUpf53SEtvLFkISBAAFIT5x/4kC9W+Kjvl7vspSw+2whuM S4iLfBbx3DN9aHCNvL1rnkTvn9H7/nOtiaJ5SHBXmtWyYDS/ZptBuzq8L0NaLRfp lHoSCwND6HXQNZZi3QGVctthFg24ZJoxZOZrx7cDHIphtf/AHMlYkpIPZMaCuiBa Pw0B/m03VBFYgHCyXlKjQ1EKbAHpS3/pNv5EtCnAAWPNGNoiAjQDa5CnUg0nlz3d wI+qXBAAM7dUndhvs10/ta/n15Dn6hf89Eojx4SDvPWWAmvtmhd0dDn7kIRDVzVf 2nqvCHY/6icyLLm3vbwjwgv5 =nmHp -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:12:46 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl7L4HY0z6gpc9 for ; Tue, 09 Jun 2026 23:12:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl7L1PSlz3MxS; Tue, 09 Jun 2026 23:12:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046766; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=3PsK3be737IUe3RD6r2YUbiEbyb/XtWc9P/KWvpAV5I=; b=XU5FJZv4BHwQejmAI9V4CjQmAWB6htuPiOue9FtA1IuCFvoA7FIUcPdhXwaVUtzlpNowq8 fnNghYUR3jIE5AI5is7ioy85Wy4UEBPui6hkra70K6BvaM3ElakdY1Y9XQROXGahLacqG+ cGSv7yrYiIJROog/1j3KO6Tk33Jdy4Zm2/x1C3qGqktaGCcbMLJ3TpYAdS7C+fI2/ZRZYN ucHPSz6/FnDfnIY2L+1TMa87lP7R5f7E/tU5WML9vMM0ebmJzB6GXhXsCj0uMDkAnspG8s /+b+0NTos/tLIEnojN/jRV/hRMSy+71whFGuyrUsn5fA9dGg5E+R+e1QYtvFjg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046766; a=rsa-sha256; cv=none; b=TGnecQvbhE6HB3EtHNfgTLLIhe/Pr/BrHBKGKPAEf/9TnGYnrJjFZ3Igisdcs34nqvMVyd cfr0sbDok3IwONtPpZncfb+7Zi7L/5rrfpxHOGzMuPnnsvOo+VhZJc1qFad9Omzb6VhTfa Y5HyqgWnoE8LCkXkQ03MVpjekpm26hQAK3DU5leRUM430cTWabNo2Bw5ddm38VlDGR6vaR fCLlYwVBqRRLZrqiq8X80kiZijKyNG934mTv5HP5p6rUGYsiTTHSxe/3lj+Z7CfG59hlee yJ0sPdFQdEB0FoOTE3CrSOMS4CdkfxP3yiVUl1VPds1lK8bex2qSE8+Env3u8Q== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046766; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=3PsK3be737IUe3RD6r2YUbiEbyb/XtWc9P/KWvpAV5I=; b=eS/fjX4hWxH8HY8mkN0/8K/6QS4SEopfwdCfDAbyjlEWV9hoQxp8ISLZAZG5DQKOa1eVtG GGELjDmoN6qcqPUfG74KaCR6JHX2yw8O07JCdK1IofCzWn6EfLadOvdg6wbJeNdsP5cxpb 8IFCJh/37npwHnclPU9Dz7tFK/dRCUkcO08ShiZpf2Qdg7NAz1ynDQXhyInx8ZqBhRDUoG 0mdOBqBYOwF3xd3r2fV3tPI+C8Ok9dlUdBIobGKG5iMEQljmZPkEyudglfb0jJp8XDq1oa WlTXm4HG2BQRPEvwSxaS03oh+0BlcN+YY5DAyzv/ywlXOA8O7yOurbMnD8LVPw== Received: by freefall.freebsd.org (Postfix, from userid 945) id 0DCFD1FCB5; Tue, 09 Jun 2026 23:12:46 +0000 (UTC) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Subject: FreeBSD Errata Notice FreeBSD-EN-26:15.openssl Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20260609231246.0DCFD1FCB5@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:12:46 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-26:15.openssl Errata Notice The FreeBSD Project Topic: Update OpenSSL to 3.0.20 and 3.5.6 Category: contrib Module: openssl Announced: 2026-06-09 Affects: All supported versions of FreeBSD. Corrected: 2026-04-12 02:15:10 UTC (stable/15, 15.0-STABLE) 2026-06-09 19:19:33 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-04-13 00:12:11 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:18:58 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:25 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-2673, CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-31789, CVE-2026-31790 For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit for the Transport Layer Security (TLS) protocol. It is also a general-purpose cryptography library. II. Problem Description The OpenSSL releases included with the affected FreeBSD versions predate OpenSSL 3.0.20 (FreeBSD 14) and 3.5.6 (FreeBSD 15). This update imports the current upstream point release on each branch. The import resolves several issues affecting different OpenSSL versions, and therefore different FreeBSD versions. Instead of listing detailed writeups for each issue, please see the referenced advisory from OpenSSL. Issues affecting FreeBSD 15 (OpenSSL 3.5): CVE-2026-2673 - DEFAULT keyword corrupts the key-agreement group list CVE-2026-28387 - Possible use-after-free in DANE client code CVE-2026-28388 - NULL dereference when processing a delta CRL CVE-2026-28389 - NULL dereference processing CMS KeyAgreeRecipientInfo CVE-2026-31789 - Heap buffer overflow in hexadecimal conversion CVE-2026-31790 - NULL dereference processing CMS KeyTransRecipientInfo Issues affecting FreeBSD 14 (OpenSSL 3.0): CVE-2026-28387 - Possible use-after-free in DANE client code CVE-2026-28388 - NULL dereference when processing a delta CRL CVE-2026-28389 - NULL dereference processing CMS KeyAgreeRecipientInfo CVE-2026-31789 - Heap buffer overflow in hexadecimal conversion CVE-2026-31790 - NULL dereference processing CMS KeyTransRecipientInfo III. Impact The issues include missing input validation, NULL pointer dereferences, a use-after-free, and a heap buffer overflow. Impact is generally limited to a crash and a Denial of Service. See the OpenSSL advisory for specific details. IV. Workaround No workaround is available. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. A reboot is required following the upgrade to ensure that all applications and kernel code are rebuilt with the updated OpenSSL-provided code. Perform one of the following: 1) To update your system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for an erratum fix" 2) To update your system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for an erratum fix" 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-15.0.patch # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-15.0.patch.asc # gpg --verify openssl-15.0.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.4.patch # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.4.patch.asc # gpg --verify openssl-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.3.patch # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.3.patch.asc # gpg --verify openssl-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 51a80be04fe6 stable/15-n282933 releng/15.0/ 0f6e90c4cc4f releng/15.0-n281050 stable/14/ 27ac9d336f71 stable/14-n273945 releng/14.4/ 1bfe60bae8b8 releng/14.4-n273712 releng/14.3/ d95a8c20f3bc releng/14.3-n271512 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolw4bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv5ewP/3XwoJ809Y0eVU/MrvNM VujyPzQFeMYHg9Od8AYqCfL9AsJaPPnI9sDLHLTIlwfC34ahC8xksEhfpKAoVn/9 kSgKG8Evmb2xOxxz9mnH3cj/4IuyfvDoA7bWLI1yjdjXdm7rP9dE+nI0xktm1aeX TkMHrpTzeR0F/M1fehjuUuYKdHzINvorKFA49fZm3GvDWogLPWGzU2fLhpHwGa8Z D7Maxi9U+cuv5zlw6GxKHvPTJTwzLy7F9GejFEq+25YFdhvyKe7ZB8J33ttz1nlc Ee8z/QkJM/O8/YrvX2i4ZqFmSjgOPbOrbSOiLo13Yusj1TQn/wmsuymP4Vjxf7xM 7ERML9TW1yti0ZCxriwcWUNSt7agPqP18Gjo2las1v8EVuGZ3PB/EhMmP+s0RPtd ZhVSK7UVJiX0zrIhE5bse+2A67l71rDNLKh7pt7P2FFID2yKLDBgUjMoUbNODsvO rOeZ09ndMQT24yrkjYM7uKHqmicQs/uBJzXItEr8NU5psKe4gIAfzrWDSl6Lg53y yJPtEitkcGPHRwDV4fdCcauri2fiw1S8yWH6DXl/CLviAApE9w7NRpD181g0eo5E QkRHy/rge2A9vK00KGpZsm7HPeIggdob3iK9TkYg3N+tZhBRfh7WtnQR7ZN7iMpv J6mK8Rm9NoDASI4IXgdRR5gs =Ocgt -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:13:05 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl7k0W28z6gprM for ; Tue, 09 Jun 2026 23:13:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl7j3hDMz3NlR; Tue, 09 Jun 2026 23:13:05 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046785; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=tivrbYmly80Hn94BoaLH7ruKqvQRduljtiGoPnKHrOQ=; b=Pv+nmMVeORaQpEtJaxNdoNrQQlPScsJjDcqVemGoTLApLV/lhP/ds9wbI8RsD1HhufKULc NIMSrmEFq5JJfhFlEwVLVY9KIKIas1CJ0wuiWV+5itQvNKZ2m/+SmO3thJRzwTP32fAIxX h6XrWQILIKUUi+wJ6fqWlOIsdwnb53Wb3W7mB8c9aVHx9ZE6cYiCk6NPGkYyJsgpYVKwMd QAZ4gnw3ySXpj+nIIQGpvHsYYEqYvLmte7CA0Q3RLTcoPerOtdal5FuxtOs/fzZ1+SeDV7 UAXyfJ3rlsfnC9FxzTduTc/KDqHbrovoUrVCFwiUTXKQAyHD33pbkk4ax1tVQQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046785; a=rsa-sha256; cv=none; b=PrJkb6zdA09L8B0J2dd41FqYzXVuZYChdLhxYHmaihROkUBm3JgKbj1NVu7p89UajQwvpr KHGbTXBJE+iAfq8htGmjsKNjk7sU6x0oJWck4jOSmgqz1d46Tr/8vTcjMnMZomYuOmDzEu TRfXhzZVGMdcOJuSnA6jPUsBPBjhDuvmfWYWeRtpuWG2cmp0BDIsImo+rQNzjm4cXGlkZD 2OzYdB20EGEyx1c1VV68m9TVAv159X59QxV4hyMfqbPWO+G6QUsTu1Tv9OI31RKh05Y1Z+ 2x66VmAQkh3BStKyqr2uqD2R+0PDQKLshumJl+Vit7EWqABrS2Noy1QLXGF5qw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046785; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=tivrbYmly80Hn94BoaLH7ruKqvQRduljtiGoPnKHrOQ=; b=RzVRZqh7EhymEzAT3aXa64AcT0WozjDIBjSORVsGjqe6pcPjxFvVm5jDdm9LjK7yw/LJZo JeI+kMXiH0YIEy0LHxCGgTI4uucqnuZ51csV2aiQcAejG+HagPvnHLRigSxMGiLhDUqavY UbHrgDTUrIv8QALZV7gHrHpaR57M/MmGS+5IPow+ScNK9AMyJFY2Gywv9aa6kZwR+zZFo/ VVUgaYDyOCwhuNvFnO+a28l1l9VcZJLGxwbos4tDiQpp/nmG3TNt0kGkpjaCh+Dx95C/Ha S5S4agQGwuLe4IHCcVUwA9V9PpoAWw18SpkEu1etTVYYnWU/qZ+av2cLqHHSPQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 6CD381FCB8; Tue, 09 Jun 2026 23:13:05 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:25.thr Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231305.6CD381FCB8@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:05 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:25.thr Security Advisory The FreeBSD Project Topic: Missing permission check in thr_kill2(2) Category: core Module: thr Announced: 2026-06-09 Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Credits: Igor Gabriel Sousa e Souza Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:27 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:05 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:42 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:45 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:04 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:34 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-45256 This vulnerability was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The thr_kill2(2) system call delivers a signal to a specific thread of a process identified by its process and thread IDs. As with kill(2), the kernel verifies that the calling process is permitted to signal the target before the signal is delivered. II. Problem Description When used to deliver a signal to a specific thread, thr_kill2(2) called p_cansignal() to determine whether the operation was permitted but did not check the result before delivering the signal. The signal was sent even when the permission check failed. The system call returned the resulting error to the caller, but by then the signal had already been delivered. III. Impact The missing check allows an unprivileged local user who knows or can guess a target's process and thread IDs to send any signal to a process they would not normally be permitted to signal, including processes owned by other users or by root. The same check enforces jail boundaries, so a jailed process can signal processes on the host or in other jails. Thread IDs are allocated globally and sequentially, and so can be discovered by brute force with no visibility into the target. An attacker can stop or terminate arbitrary processes, including critical system daemons, resulting in a Denial of Service (DoS). IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:25/thr.patch # fetch https://security.FreeBSD.org/patches/SA-26:25/thr.patch.asc # gpg --verify thr.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ afa0c67a1ba3 stable/15-n283881 releng/15.1/ 068168fefd4b releng/15.1-n283549 releng/15.0/ 6f6c7b996719 releng/15.0-n281051 stable/14/ 72ad7baa99c7 stable/14-n274310 releng/14.4/ 31f6086db8fe releng/14.4-n273713 releng/14.3/ fa5581c379fe releng/14.3-n271513 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiUobFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvHNUQAMEmYLwDsVIj73SAnWE4 PN3KAVFvybeK4R4xYPiwPDtOrdV6HEb4G9O9VgZAomMzE9U7OIZVbXSjKdnEc4Ud /54Kg0VlURUCUxncndeBVnT56IzXf9uuT1HuAcSoyN2dDZedAGFbtIrg2YJvPyWL oOe1TyRrj03sP8VnznCZZsPYIqUb7UopdFHaVv2qONdlC0OSnODWiqeRJ8Z38tCd 918AbxTarEKwv5Qx8kV2mvvXIAaK1f6K7l2KqFGdp8HCf5C/plBd7vv6SEVvQhDj 8D6c1Syc/rUTkn6bmeLFinaPxK7OB1oS/Z+7DwJrjlusAhSKbBFcesE2hHYzxEhP 8rmevDJPMNZbouvuC4aJeDSKvGd5eUL+5Rt/EIijBsrlzZv1g/glllbTc/7+g3um aGP9c4BCDUJVjWxui5ACqR9pe2LWQwDtA7YbukXZqkH0M2OroxLRWWCyOLrAlela Eilf64XI6KliSMR+rAL6dmPLxFXVMpJXRKxJmUK3FXDi+Vm0bGaeRwCz49Ts+6XV oU7MRQG/F1w+lZRkS2XQ6YJTv4DBiDAofl7i0Rcjlq1JbWxBjpF8ArZX5VqSSi1y bOkum8QekuU/sbBIij7JyiEPx2r0ICm/pGXDYnxYuwd0+48orpu9uB6M0gKYEe6D mYgtjqeBtUCJwPKOzr36faXQ =rFeT -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:13:11 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl7r0dnsz6gq9V for ; Tue, 09 Jun 2026 23:13:12 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl7q3fb4z3Nf0; Tue, 09 Jun 2026 23:13:11 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046791; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=a8OSRKIZGBdIHFE3SvEYpbWYrl/ff7HDFDWSQWYfkxA=; b=NaLvze0MdhAcUIX8xG9H0wYJ6qfXDdXfVqnOVs/0/DiZaKAPApujogE8afDdm9T/jBtw+C Z3FeNF7E6yg1JO7yKg3y6oZlkKggzpeojnXeqWb4O/Oa6I+2qpolSb4xLpuooo75k2+EvC dCE5ddy+INjx580aMBJdxn4aykQX0/ituaMS3gVHUz1iXA0ee478ncAzsNK+6RAc2IC2lH 8f5YR3GV7v7biCsJTwdm27UqdAMiJHcFPWg69VSv5ajbCR1DVQk0e9EZCYV/HTl0v21mxW KGxHqPr7Qv6uAi/MyCaaq9haOfZqu7Efsu9rFpl2TR5ds2QWgrS8YRLsBl4Zyw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046791; a=rsa-sha256; cv=none; b=D//rKU5DauPBlopsSfZ1bM4c4M6U0rnaiQro00+IYscLm45S3yfCWLPQNnvv4hvl41f4vS T/y2+NUXWblssJQin766vTaVEF00Wa4BQ89CaM9a1s26/fQRKHsXU0gJGoavPBjm+0oiPt 9KzWKFnU3N8UIhBVAC9h6AkF44E5iNWif8BE9BSzv+YakHHy5qAkA0nAHbUOPJTpVLlrtj gTBcI+rIgSem2wiBt2g1KXE2AwlZ7QooquJfxf15x6UkprVsJnaPtzCbhQpMUNyVqNEVtE phhv5gsnjt07gia3MigTAFTBqFZ3wQ8NkSy/gop7dpIflAAAOy4zmbaTP7rh8g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046791; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=a8OSRKIZGBdIHFE3SvEYpbWYrl/ff7HDFDWSQWYfkxA=; b=WY9Q158uII4U5fySnXbyNRNS6qG7rlp01jyRMctrOfMhZ0qEYVfQOPAnVuovMErSWEobvN T5x15MPx+WN4T29PfR6A+GFFO2ypdoGklvJhj5+ykNfl3B0y3eWa83JgXELxz/dgvfD/Z6 uEBxHeHV3djx/B4Pl3EtE7D3Z2Ib2F3pWdwtCWtkxSNPR3ZRHBhhnXWbu6AE5NSOjjd0uF qML/eBWxYUFvSUviPgS0K8+YEYBzF4BpsLmWFAN4MXgTdhTVSA/FZm6jmKiEJa6MuqvccQ aoeI9OOykS07xC2CR8yF4ozmCaLZJTBWz07LOzuyCb4OIjYWBUVXcQN0zUEsWw== Received: by freefall.freebsd.org (Postfix, from userid 945) id 6CBCC1FB69; Tue, 09 Jun 2026 23:13:11 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231311.6CBCC1FB69@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:11 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:26.ktls Security Advisory The FreeBSD Project Topic: Arbitrary file overwrite via the KTLS receive path Category: core Module: ktls Announced: 2026-06-09 Credits: Bumsrakete Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-45257 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing into the kernel, allowing applications to encrypt and decrypt socket data without copying it to and from userspace and to serve TLS data with sendfile(2). When a connection uses software KTLS on the receive path, the kernel decrypts each incoming TLS record in place within the socket buffer. II. Problem Description The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data. III. Impact An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc # gpg --verify ktls.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ a51345704403 stable/15-n283882 releng/15.1/ 48c1c5e3c348 releng/15.1-n283550 releng/15.0/ 540a315cdb46 releng/15.0-n281052 stable/14/ 333bdd7e9427 stable/14-n274311 releng/14.4/ d43259dd66b3 releng/14.4-n273714 releng/14.3/ af3398862ac0 releng/14.3-n271514 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiUwbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv6hQP/3x8lGHZpLeT8PjB5NMF xCfwzKQlu5vlkOqSv+9uEGsh3FQa9gHE/68SwZYa01waeFbTSKpBvrf1X4kRKGnE r3z8DSAPnVqSRzp4k0PNTxPLtF09FfWiMEBA+PIedL91WkG24gQ63k3fORVjkSvs a/uY1DQnmypV2mdV/S/hWmrtVCmi5itZKsVedZFoZHZ04GKwIObMoqXgtbUxdfhJ XvjSCqGgvpsUPVpE72nKYAbbL81w344tNOGtjoC07utitkLoHtMlYqMTfXCv0dY7 Oo3RZ408afAl1CalUdZ64KXJWqjCZt3FWxtn4ugZkewLc3cDyO5Y2ZUDMAb71P/V Sdq6+GRIC5wMOmd2C2Wb4C72FODhh4o4+n/E7qeIojT5jozWNFAFN0ugzNcqzuM9 b8ekwLWK9MbtjZWF1A0OhsLqQoYuBcwX4RymVJCfpEnlPEDwaf0fv/Sx/OyU9MBx zbT/Thqa9cB++4U6Obodcj55mXM9p23b9OpEnSD5FKlhxXPxCYW5gc2mK4k+yoKd 5ZCzzcdzbMoNgqyHnvrBgFGMsPggXJxaidsRFtVSb9E1GWQUweyN9hR10Gr8wX5j QL18EHe3Lcgg2Z+mi8NQ8lrqPoGpTIjZ8enEYHLrILe/p8JMjNU5fe+YqQTE0tyD pWQqqx8AYbHJsnCDELTeqt96 =lD4w -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:13:16 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl7x5Gqxz6gqB6 for ; Tue, 09 Jun 2026 23:13:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl7x1sRkz3Nks; Tue, 09 Jun 2026 23:13:17 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046797; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=/xrqJjBwzZKo6uk2HN5I3zYauz/WFlGJC8NRs9pYiF4=; b=cKBvNqHNbAolcPS+y3Jrp5DA8/DPPJCLeb2m4afG7tKDn9mfL4ky4p/oa9mGWFag7Lc2pQ xy9pjq8sranjnHxKJUKEE01bkMb0iTf72bAYXb9RrcsdOQKPPVggLK7wh1rq2Aly78zBhL fLBfhfZSHOsnp2NwP6BfzWNh/dXsor6nU1XJMhm2x/56e4F9gQGFKWPJ4mkD+rqT5ijRvd uf7F9OvcFOwzKGNlrpxCfJ4ftMhy8jT/ve6iMPKSpmLtXkvubXXIuADtXd/54p3xJOjaUX 8OyI4DkvA3qTmXtkOQt6N8fd9wVjjqv2tWXfALecuuOqRKO0GBFbYB0vdcKNBQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046797; a=rsa-sha256; cv=none; b=YclHEUDL47FVHDdqPNaGyEThcTrAH5cIaXA/r+90ZRiRwK8lLN2QD1OzaOLvClQ25sf+Wy YisgoKvOiC5e/QCVo7m9kjqRcX6xQv0jpgJU/sGvm0IZGMEmKfDyf5FvWtNuMbTAzkVn3f Yg83hA+/D8Nad0Gk9u6iaKMs5HSeADoDcCaLAPpBnYRCk3VNdYrjAMowWMqsD5t6Vdd19y HOW5hX+OoTCs+sTCWW9GeB3qFap9zDjoC8K65SU01iy3AlwaBSPD6hxIM2JVPp/NQLWKq7 XBBx0cahkkoLFtvOEAP+07Yvpxk8WVBRZ+UzM+fgT27C1g1uxS2BDGCDySjCHg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046797; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=/xrqJjBwzZKo6uk2HN5I3zYauz/WFlGJC8NRs9pYiF4=; b=kKS8hwyi9y1RAYAfbHHK6nls9PQ4U653ILX/xiROnxH11bmAegr+TWnq46sYWCbuDFOKo6 ZlnLyJaIAPZnX1YkqCzEows9PoaP9V2aoTISMdpM+4RvdQKgdo0Pb05QBW6z2bpqCzyn6F p61ElxNbeeiNUPg/CF0katNJcMyhX+Fhjf3gC+PfpmPO035IjmznJQtV/m8WRr+axUWmBh sZ6YIqmCv+vN3dTIx5QB7Ecv52nSbrZRDbA16IBiDYmw38U1K56rTx9QXA5QUuM1zTrG9d 4QDE7YBTY0NVOmEXK6n6t7pCNTW4E4dihOPyYSBt4QHMDWX2eX0LqwtfVQ5+vA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 02BD91FD22; Tue, 09 Jun 2026 23:13:16 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:27.sound Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231317.02BD91FD22@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:16 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:27.sound Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in the sound(4) mmap path Category: core Module: sound Announced: 2026-06-09 Credits: Lexpl0it, 75Acol, ch0wn, zer0duck (CVE-2026-45258) Credits: Emmanuel Genier from Quarkslab (CVE-2026-45258) Credits: Hazley Samsudin of GovTech CSG (CVE-2026-45258) Credits: Lexpl0it, 75Acol, Liyw979, Rob1n (CVE-2026-49417) Affects: All supported versions of FreeBSD. Corrected: 2026-06-09 19:17:31 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:08 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:45 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:48 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:07 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:37 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-45258, CVE-2026-49417 CVE-2026-45258 was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD provides audio support through the sound(4) driver, which presents each audio device as a set of character device nodes such as /dev/dsp. Applications can use mmap(2) on these devices to map a channel's audio buffer directly into their address space. II. Problem Description The sound(4) driver contained two memory-safety errors in its mmap(2) support. First, dsp_mmap_single() validated the requested mapping by checking the sum of the user-supplied offset and length against the buffer size. This addition could overflow, so that a large offset and length wrapped around and passed the check. The offset was then narrowed from 64 to 32 bits when converted to a buffer address, yielding a mapping that extended past the audio buffer into unrelated kernel memory. (CVE-2026-45258) Second, the audio buffer backing a mapping could be freed when the device was closed even though the mapping remained valid. The freed memory could then be reused elsewhere while still accessible through the stale mapping. (CVE-2026-49417) III. Impact The /dev/dsp device nodes are world-accessible by default. On a system with an audio device, either issue allows an unprivileged local user to read and write kernel memory, which can be used to escalate privileges, potentially gaining full control of the affected system. At a minimum, an attacker can crash the kernel, resulting in a Denial of Service (DoS). IV. Workaround No workaround is available. Systems with no sound devices are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.1] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch.asc # gpg --verify sound-15.1.patch.asc [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch.asc # gpg --verify sound-15.0.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch.asc # gpg --verify sound-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch.asc # gpg --verify sound-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 7628e1ddfd52 stable/15-n283884 releng/15.1/ abc077216bac releng/15.1-n283552 releng/15.0/ bda153dc04b4 releng/15.0-n281054 stable/14/ f8f9050d61dd stable/14-n274313 releng/14.4/ 0e8cc8d8a49f releng/14.4-n273716 releng/14.3/ de5fd56985c3 releng/14.3-n271516 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiU8bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvWEsP/0Ge9wC58QJLIkykVAHl hZoU1NU0DaY6L03B4dDiQkbX03CZK4taPmOE6Wp4AjxJztw0gF2SyWY1xHeUafPY NzNGJFhSA+Y6yGiBhffDtewUdfFnHg7JVvmU5KYj5xfKrxSksYOnv8KOuGeI1Vw0 A25TIrP5bKVFu45s2SCNrCHeXMl2Nm2ObMFdd0ZF04abcXyMQbSLlWDA15ZvtSXB e1nOKZTrfHFSGXIx83SqtkTMY0SRbNvGZk3uUAlIXeQR2q4kInyNy42R3j/av4fh 0Il0ZLapO6lTfJwwl9E+ZB4OpE3LJdMap1rrspGo/XMFZOACFCkyrBiKSQHkhkDU WAHtGNOvKXCll4O0LZfEjQkQnGsBhJtmhthF95O8cADXZG+G1crj3+IBL8TLRUWw QsH9dGrD4rNUWaAueztPUEza4zJdbTAgEfSHvauuAlq6LCmrjiyJFmNYvPsNlRGG JMJa5PKEgguR/8054XHlsN8GdxYup8b8bYp55KcTbAjfyj+HAQIJp17tpZKiJjR5 wfaMtkNhCgzM44oGaWbVpwOMeWB/YtrkR3h+ROzAwVallVBoIuUWzu4as3sSOB+a GSwkPy+lD5m2qojRtXuGw7bzvdu2fx6iEeMt1XogXbHxiNxi1tDg0QJDNaWTojk2 Nh8uk5rUl64eHOU4DH+ztFLl =eTyF -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:13:23 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl841zscz6gqGj for ; Tue, 09 Jun 2026 23:13:24 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8357CGz3Nyj; Tue, 09 Jun 2026 23:13:23 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046803; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=3HzqdQupoOuFctlhZgwa1RQauoOO/dKv5Bx0XIdv9fE=; b=EAps3MlyEY1hzmZieyrX9Zf+hR40Fe/Pi16GcEt6yXFJdYHfTuTqoy1nN0+lkfitHdgs1+ qVEXFgZSjA4fr/QRoZRI5psSSSf6187YX8xZ/Y5vUDC1jMQ4nsVCJOO11/ib+seHPwVcDq 0I5/uiwsuuiFNSzQsVz/gkrBEojJWHTduiGEFQBbZfI7yqv66N/2Cd00dm6E+W+Nynt1fJ 0BuuLNFR1V/vRaseOJzwTOh9Y7raY/B730dLbH/7eXDe2Ur0o9BELoQjyI3o7ZJfBi/bnD 9ixZZpWGUrGZcfAHTPKlEiTYxtQFCz5tRd/G5pFpymKgUMNS6bofkb3qrNsAWg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046803; a=rsa-sha256; cv=none; b=Vsly7breD8t9zOaNXtJ7hvQOOeE01si9rlyYRzJ85Q+C/cO1/RLpL4xdOYIr16hkdqPEuA OfAD15zKrBpXapmOR4LfBhhO3Ld3iGmm2ZvemXRQoqEzpIrS+RDjZ0jZNUM047Y4OiwsSo sWHoWouy+4geci89Ol1uqlI38mB1JKGS1PAxxgiT7k4au6WZMd4sA9pR2/xdp5FX8VHvo+ KGBa5HSkXydhF4xMO1a7zIudUB+lZy3Lp+SgWmDcqxZC8Z8qgk4/pyU3PAtpH5iNwc1aQm hZZarJu7OZ6nnGTtn8z7XzjYOn1htqr5Twvm85SeuYxTHoTAzU6atSq57MCVWA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046803; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=3HzqdQupoOuFctlhZgwa1RQauoOO/dKv5Bx0XIdv9fE=; b=mOorAiNKAXD2pAHBVx4kUXYENKZNXTWt8DpKuLk/wEDpJFhdb56ChXNkHCN8BvUFVJChI6 5WvCZ0nrgFewovYUWdFUR5QuTK4Vd4Fy5a6ylvxqUNfaEXklMaRWZmt6jd7TRPjZitGan5 4jpvExK6WViA9M5NUGSmF4OmnfJhp/u7SaSf4cizg+gScgHv9BN/V3nv55CiYi1M3CYjvg GQXVtAFk6l37wATAbYMNu0Ljh470VERucou6I2e9RwZ7HrDbZpohLvRnxAOZaWWze25O7p pkSb8odFCwNhKK69mfoIewEYtgXQUJ1HFIPvCoJkrY+lHq7cyTLeMB7IE9OoVQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id A7B501FCBE; Tue, 09 Jun 2026 23:13:23 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:28.capsicum Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231323.A7B501FCBE@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:23 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:28.capsicum Security Advisory The FreeBSD Project Topic: sigqueue(2) missing capability mode restriction Category: core Module: capsicum Announced: 2026-06-09 Credits: Ed Maste Affects: All supported versions of FreeBSD. Corrected: 2026-05-29 19:11:40 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:09 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:46 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-05-29 19:12:58 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:08 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:38 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-45259 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Capsicum is a lightweight OS capability and sandbox framework. It provides two kernel primitives: capability mode, and capabilities. Capability mode restricts the ability of a sandboxed process to interact with the global namespace, including the ability to send signals to other processes, other than via capability-based interfaces. In capability mode, kill(2) restricts signal delivery to the calling process only, preventing a sandboxed process from signalling other processes. sigqueue(2) provides similar signal delivery functionality, and is similarly permitted in capability mode. II. Problem Description sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID. III. Impact A process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.1] # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch.asc # gpg --verify capsicum-15.1.patch.asc [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch.asc # gpg --verify capsicum-15.0.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch.asc # gpg --verify capsicum-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ defd9b86ef99 stable/15-n283744 releng/15.1/ 871d33e8a66a releng/15.1-n283553 releng/15.0/ 77ee83d12625 releng/15.0-n281055 stable/14/ d11ff01b3aec stable/14-n274231 releng/14.4/ eab757f954ed releng/14.4-n273717 releng/14.3/ f56e8cb94df6 releng/14.3-n271517 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxAbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv9xQQALSpP1xklc9UjGzlSpTo 2owWykX02TVDqd7a57jEFpak6F9sJ1B83jrkEQVIGjBGQpTIWYt/C34QEzeo502F +dqfqXr32MyudPDq+lsWB7HhafG/gktTDpibJrQkqPDdTc+TwzzhoHxGAdckAMsr vCqnUF6UmtmTzQEyoQBqPGPWbVnyVboOQ0ZvKouMZdMBVlC7IvWPDlbpMEOLePTE NPHeuxFYbFHMUkOLq97Dhg4XTqdIG0t3n/0jA1kjCDvJWDbXpR1bPy1USTNxHO35 xjeZshL2IWXDJSxLFBNE+cNFwg4dyp5vXcQXh3HtyMC9PMPMyIbJT7zQluV3CVI7 9gC6MMH7QiLssj5hJqMSXccrNzkag6Alu9ET5A/NtoGjyogbXmIPsQ9hLAqf/c9v 5m4O86dlHBL/JsGcPqsGw3+gucqgso2gy4yQ8h1GqGwNGv440TMAHRz5eAu+qOZq tDxo3OqK3HIEoChiQaRZp5bc/p0L1Rfka10J0HmIxB2KkdHEjdMn5SBsEYRsIv5v Sp34rl0cLm0oHraIQ0jNVTwZetrxl4CMIAexHYO1hJ+jZDRdBQ5CC7S83+t2Tbnu JgRsm6A+1TZfWsaflIx9ga42DEndXgqpmdrtjIFoO1zNQjrvcd3sqJH6GTMNdywg 2woyv6Bb/bwINWDE7EhicoJl =WJPW -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:13:35 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8H3X1Kz6gqHf for ; Tue, 09 Jun 2026 23:13:35 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8H1gFgz3PVk; Tue, 09 Jun 2026 23:13:35 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046815; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ijLis1D3PnaXPGRkb/gipWkcZRP3C7Z8qoyPSL/kqfU=; b=CCJCBfN/7SE9KXov7WljS052tK2YWDvKORcnI2ITj7nEOOY7kqkqSgAnqSXr1igBE7r11V SdfH+yzLAk15HcMBzvap/GrIMB4ahC5abPOGwBBSywXSljD6PkJb7sfpvD/j0ag7S+GDLv brAB2dkc3wYhTlAQda1jovAJ4I22kIMiyWgUWWSvQpbM09F0LSlufn+d5ruqkJ4kvB9Hc0 t9RnWTzMMchklNZ9RlRTdFuDPIAN9gqqJPJ1rre1Qtox09LHiGkhbipvUhUG5ZxpGHglPS DctbKTtmwibXQLTjRaTo+NhagoTp9eugkDNGHY9s990f/DJWRJIOjQmj9oPBBQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046815; a=rsa-sha256; cv=none; b=BxTqmPsp/IAlV9VRu+lHPf49iEypG/rwZuifYWfJ23c5YFJNbVE4T3hGUSZ17a6Qk0D8Az YfO+1X5vj1k4asn1vdsTEnUfBmidHqecnN/5ja1hsH1z3+mRsFjr/AmLQiYv3POUeiCAkn WFOnA2N9zEwxfgeSQHNiAGVYDu03WF+ndKNZw3p6lSGT8RhqqfYaIhqynTFduZ7RMyLpQY R7nkTF8ve821sr6LpTqLYwRZ/xWVUnXSfGj7jEJTXgdCyRMGlep3I8ndHgxgydcpSyDkkB 0SGUkYpS9cxpzixuA1CLQzAwt3yC9jiiQF9DqR+zqW7hxGXGiLJ13E3TRFUebw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046815; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ijLis1D3PnaXPGRkb/gipWkcZRP3C7Z8qoyPSL/kqfU=; b=gElhS/Ie9c75CvFUWtF9bchYXEG+BLmhYOoJ70et8AHvGvo7XFs7+X5H2qzSP7I1ixTfoI Kdy1RCaJoguxyw5TRo09TY2n15QOs8SL2nLPLl+iigOEI4Ebgc53B/zGKX/02Q/hzmuA8v lIVAquNRzN/aU3heh6BTIWl1D6DVFP5FbroKEw66L64D02FaN+AKz/B1bmiLkZ2/6pUwcv k790x3nPN/h1UHu68YENXenKtCPrt4xzO0SPMQjGfUCEOt44ii201K0I8IN/lzmaQOt/FV aNoRu96WeXDdpGqDTPXw9mE8ikVXpH+51FMzCc9nNqJqjZB75qZE+knR6+hSTg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 2F2F41FC54; Tue, 09 Jun 2026 23:13:35 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:29.ip6_multicast Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231335.2F2F41FC54@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:35 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:29.ip6_multicast Security Advisory The FreeBSD Project Topic: Use-after-free bug in the IPV6_MSFILTER socket option handler Category: core Module: ip6_multicast Announced: 2026-06-09 Credits: Andrew Griffiths at Calif.io Credits: Maik Münch Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:32 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:10 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:47 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:49 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:09 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:39 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49412 This vulnerability was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD's IPv6 multicast subsystem supports source-specific multicast filtering via the IPV6_MSFILTER socket option. This option, set with setsockopt(2), allows applications to specify which remote hosts are permitted to send to a joined multicast group. II. Problem Description The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory. III. Impact An unprivileged local user can exploit this use-after-free to escalate privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.1] # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch.asc # gpg --verify ip6_multicast-15.1.patch.asc [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch.asc # gpg --verify ip6_multicast-15.0.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch.asc # gpg --verify ip6_multicast-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ ce2b95932ec2 stable/15-n283885 releng/15.1/ 3d80e4aec3c1 releng/15.1-n283554 releng/15.0/ ed4692b8226e releng/15.0-n281056 stable/14/ 522182827ea1 stable/14-n274314 releng/14.4/ a7062a6de005 releng/14.4-n273718 releng/14.3/ e6859453de61 releng/14.3-n271518 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxMbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7wUP/30Oo0Z61lnOg4P7VBtk K6bljtcQ0SoiW++eWtX2TFHqCrcNS0qPSxQFVKDkkUf2Wx9M/zfkhUWnTpAwbQdB m+8bUN8CGEjhvAihfKgCAQZGSqcVq8A2km+JgFpc9ehZ3RjnjFQ0DYZTOh1goZiQ TPsWf8NwKQfed1LhQcDLp0hw7R4//wBICfluzFvLDqPG7TtcAvcJN04jrmd6XCaY zddGXzWvrPGuRPY7/xgiwg26B4yK/OwzOJ0uBzBGLGzkuUKJjZgzot3kVy7WmTVw iWKRChKQiakM+hkf/xi3CZiyUVGdlxd5GDWxJ8HvaNkYtk/iRzvalVMkSrZNdnaJ rVMCmt0d+PxD6+2xORikqn+FiYNc+5gUB64O9t74+L1/XMtM0IWz/g2Zs66qding 0gABccQX5217YvZK8fubpihEPF7NCNblfikIZbdWYwmMk7azQ93tTO0ySCpuzIVX +OJWR2QRrz004ohwgl9peBfcDEvbxN5KEovVDt/QTZ1JGKQ8AeiJCd7JZsNP1zMw SAOof6EyOEzuilT8JDmOXhnXptOVwCG470bD9rYL3O6apFfcWqFVh+5njEaGMrBf 8W381AnPDmkEROxj3fzJkM7Xik64aJrHgLGFuHZAQ1Yjpr+SrJRKcdHx295qFp4a m+8DOaIYeHuOhRTGRLMubJIj =uFAo -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:13:40 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8P6QRjz6gqJ1 for ; Tue, 09 Jun 2026 23:13:41 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8N62t1z3PWk; Tue, 09 Jun 2026 23:13:40 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046820; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=4vPtQJOFqlvPEYNtA2P7eLcsN2Cgf85xqBn3mPKjsIY=; b=au+pzSete49CGaOmHl/5UpGtnIS0ZFQ0Tssp8wvEJWyHfkcj/3acFOFPR/zloNvilx0056 RLB3DGyIvIC9xhHb02qvH8oehMJ79fWmDmWHev0FjG0gVLPcDkxhk3E6+1KnwiydRWb4f1 xC9Ah0fL7WjM+bhkF7z8MnWZRLr2Cv9BFzXzzPVWUtQJ8XzlBASzUeeol+v3dZ+dl84DcS geXcjIgsym4vcfm5yyToah7i240bQZZ9NK86jnxzqirQvmHbnxVATYRKaCb/S9NEIluAk6 L2Hi1GDdlbd6gFEIWwN2mFSLg0/RGhECqjdRngcBbXAjoPRB46QgO/1mVLSECg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046820; a=rsa-sha256; cv=none; b=lyqEBOE+4sq3f7bzYv9+sSbZx3vOC0zm7yxsOUkyeb+smUwz7OSNi/FTyh5rAWpq4nWX0z AaX1Tnwq2Mg/7WhBrKBJchSFEKg7FE1tzWPeSf2Jbemd30yWK2ZwUCysueoX4Vuk5hlqJ9 uKJ0+L7PvWlwCix7lSFOQJlm327DJVULGpt5pDByi1SzdrBhJ+uOXFVqrF5lRdgtqfdiF+ lxluuEKrbuJhMCfDQY9f9xW/Sx+ChTIAs6GfO6Txa6w+ac14voTBKhnLGLY/UGOCWyJ8NZ JG/v84x51AKcQe/LbomgUWaaT2BgP3P7FN+0A3O/j5ytOSFfjOlMBy8xEJtbPg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046820; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=4vPtQJOFqlvPEYNtA2P7eLcsN2Cgf85xqBn3mPKjsIY=; b=NbhjDnX7xBd7AvtRQjx9eKOaIDJEWUTzGI7Cgw0+EEEmRucgPeZQFl7yU8K1ODbj2iN9cw 76VxgF33+LL6S1WCyr5yQAVI5hA38CWHYapSKyoqnrgVKM3hbJNvCxkK+YbSsGJdCYSnGi upBr56uVk/Z9WzsCvLtNS/kOeUoTvyOyCs5iHOOd2GJX8hpURpl5If6nPzgxCu4K8IpN6N Jft/YJs0aIW4THwyw1NRzfXWYZ8IRHyclzp19LWknrRVwx0ouQV+0nqvRK5xguD/IlRMyf Aw+U/UHNkR16+ymvNOHlbf0suM9Qj1/fqp1yTOjlhF+cAuaeJ0Ftyvwtv3l08w== Received: by freefall.freebsd.org (Postfix, from userid 945) id C89561FCC0; Tue, 09 Jun 2026 23:13:40 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:30.linux Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231340.C89561FCC0@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:40 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:30.linux Security Advisory The FreeBSD Project Topic: Flaw in Linuxulator execution of setugid binaries Category: core Module: linux Announced: 2026-06-09 Credits: Minseong Kim of NSHC Red Alert Labs Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:33 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:11 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:48 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:50 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:11 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:40 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49413 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD provides a Linux system call emulation layer through a loadable kernel module, referred to as the Linuxulator. This allows users to run unmodified Linux binaries on FreeBSD. When the kernel executes a set-user-ID or set-group-ID Linux binary, it passes the AT_SECURE flag in the ELF auxiliary vector to tell the runtime linker (typically, glibc) to disable dangerous features such as LD_PRELOAD. glibc's runtime linker relies on this setting and in particular does not query the kernel to determine whether it is loading a set-user-ID or set-group-ID executable. II. Problem Description The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. III. Impact An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary. IV. Workaround No workaround is available. Systems that do not have either linux.ko or linux64.ko loaded, or which do not have any Linux executables with the set-uid or set-gid bits set, are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch # fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch.asc # gpg --verify linux.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 3ac9726c4269 stable/15-n283886 releng/15.1/ a4d36c975be0 releng/15.1-n283555 releng/15.0/ 0b18ec59972b releng/15.0-n281057 stable/14/ ff411cc40cd4 stable/14-n274315 releng/14.4/ 3fe092282025 releng/14.4-n273719 releng/14.3/ 0dcf9bba4b9f releng/14.3-n271519 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxUbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv0MEQAI764nJgo/wT5iqrDJrx F4G4LlMCqgxEB82jU48GEvy2/vbjp+nsB7hpQW/LnANWBmbbZzFUutXEqLcZKZp1 eE8ZoSoqTbCw82t7GJGcNrIt3+woBgW8IGb/onL4VxiVuFPEU/0GnJ8nwwOa9LGL LjdtvRcXaKVnWWqIDUq25cuz6+yBu5UIDWTbSHFeWr8swVhKA5Vjt1wKTXekFJhy qtEVWv8Jm5nb0C17eRYo8AY/nGh1DZv7LdJNc4dAZyy3H+QNDH7P7atYvyU06pvD Q+YNH6HENqqkGvg0YAYqrol+5me82oIK/Sz66b3VBYiBLD4FX8LaJePOfhSoKof4 f9Tk6lvpouJOmOETwZX2sAYrGDh/LMd+l/Np7vDMhQSrow4+0CDNHSI3yur8Kfkf I6pyEC3iCVi6x/xsQ2AjInMCz+Pw+YpKLKGJLyNT9hKqidQq2ebTBe86GMzPZtAM OdJ7rRMIXt2QNJmovverYVMBVBd8rXBVn//gB8Uu5CyjHG3jN/f/Rc1BhADgBS3R H1KOBxIOl3CzXU5GLxSEniI7czyeY2q9paWwddPR0BK0mqF6IP31OEekc0irRmjC damqozUiNlFFP7rC2fj2eVbhrowrtVSpo4D4oEsI6EPkVB3A67+Pq0untDa096gc X86EUvnyRijJsIl5JXb+OJoT =4LUk -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:13:46 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8W0yvgz6gqWG for ; Tue, 09 Jun 2026 23:13:47 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8V5c7Fz3Phx; Tue, 09 Jun 2026 23:13:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046826; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=eklNOUy52+TaTE+SmqSuZiXSHwTe2b9EFjl6nXX5btg=; b=ANFliDDCp6wX49cuqFUFqfPFZuM8iMP7KxbyQ1/2rq0u3GMhmcZArqwmx8jg2sGw/VL8HE f2mA2VY70CKEA9qWIKE5doRRqNW0WraG7Gj6WBz+5OGdda3X7xf6dTmU1Xs/ocYdWhZ2r+ V2I55nNRKQdAigXXDBKrcWTZyPXSZWFlIiHTsHYjMSuVPuP5DlIvOMMJXYQm5HvKJY1upK 2oZ4ul9GC0oAJTFytdg5M1BxzmSSnqx46f+3pQs6wc1ESaSBO2km/UpUqbKGN6cf+qEAYb 86IBsd6wENvnPlC47p3ewpi5rPb/3/GLwwo+p3xrKfol+PNDJyT138hRStZutQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046826; a=rsa-sha256; cv=none; b=Lrz3loCYZA8Kl7e+4cnvRMZvENo8VsoIyoCLGRnUz16GOxpVI8K2t/slVssdq5o9wB8xQC vycbd4qgXJ9/DVp+gdm7B12te3wU1cZ6jlRUJy0xPbe8N/M9tcZeG60zDJmgxkhoxJxRQ/ SFF+hhO64mIzFSEwpfnsG48oUMihEU7HPq99CXeabeDePjjRDilZFmEMSdF/QirrUl0L3Z DYArac4yX3hsOF93pV39RWWObwvEJZ2s005eTF5WJgNHpM4OCNMSjRA9a6gpi+kYnr0wsX sTysqjK/fNfEU1mvZ3PAsheIiQr5XE2zFqRPEE5vl2OOFps7NDjdcLDEzscKkQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046826; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=eklNOUy52+TaTE+SmqSuZiXSHwTe2b9EFjl6nXX5btg=; b=YGO7235jEsjj45QsY27WlTl9fjXiCLnEslz+qryrcOprdQu/jT8KnHoQEwSyqsMR0DB1fr gKVODHd6+Hj7RFU4RzqNrbcYtDgJjmMI/epZbh9v0ouCxsD21hcPajobM7Mi+t/m1VpAzX in0Qm0GjZB56PgcKf0olGmxx69sx0u06XYiX8M7awFa5ZNV/4puzU/A5+OcPFUrrCFbPh1 JjUBfClUsDv3rf1hFDWOcJGGacCc7UxBhjdXXuZ5SZTWmY5TAYP6atdPc8sjMHPIHPOhHu drmZ2NinlYHBxgzGNQDX2FdzolyrZUBZR7lVcQejOAdm9eKJ+eMzu/Apw0LlDg== Received: by freefall.freebsd.org (Postfix, from userid 945) id A8DB11FD26; Tue, 09 Jun 2026 23:13:46 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:31.arm64 Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231346.A8DB11FD26@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:46 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:31.arm64 Security Advisory The FreeBSD Project Topic: Arm CPU errata may bypass page table permission changes Category: core Module: arm64 Announced: 2026-06-09 Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:34 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:12 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:50 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:51 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:12 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:41 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2025-10263 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Page tables control the translation of virtual addresses to physical addresses and the access permissions on those addresses. On Arm CPUs, when page table permissions are updated, a TLB Invalidate (TLBI) instruction followed by a Data Synchronization Barrier (DSB) must be issued to ensure subsequent accesses observe the new permissions. II. Problem Description Some Arm CPUs have errata where the ordering of stores and the TLBI+DSB sequence may be incorrect. If one CPU stores to a virtual address while another CPU invalidates the translation for that address, the second CPU's TLBI+DSB may complete before the first CPU's store has been globally observed. III. Impact This erratum may allow software to write to a previously writable location after the page table is modified to forbid writes to that location. Consequently this may allow software to write to memory owned by a higher exception level, possibly allowing software to escalate privilege to that higher exception level. IV. Workaround No workaround is available. The following ARM CPU models are affected: C1-Premium C1-Ultra Cortex-A76 Cortex-A76AE Cortex-A77 Cortex-A78 Cortex-A78AE Cortex-A78C Cortex-A710 Cortex-X1 Cortex-X1C Cortex-X2 Cortex-X3 Cortex-X4 Cortex-X925 Neoverse-N1 Neoverse-N2 Neoverse-V1 Neoverse-V2 Neoverse-V3 Neoverse-V3AE V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-15.patch.asc # gpg --verify arm64-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.4.patch.asc # gpg --verify arm64-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.3.patch.asc # gpg --verify arm64-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 9d9d6c6e6081 stable/15-n283887 releng/15.1/ 81435fc0882c releng/15.1-n283556 releng/15.0/ a53619675cdc releng/15.0-n281058 stable/14/ e99aa8682dba stable/14-n274316 releng/14.4/ 889e306ded21 releng/14.4-n273720 releng/14.3/ 61d0cea4c00f releng/14.3-n271520 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiWIbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv4nwP/3M5KElYqojhl044KzbV UyoCXW3MoTm+aXnjlkf2f6+00EHtEkmboe3fYGwsUGFOp9uk0iNgDCE1jMmAhDY7 AJSegcxbUVhCcZwxfaUkIDRtv3iYt4vkN59se62/QrgA/2UiyBRWMJLYvLN4ZF0C 7xuwJVyJjHq65Z1jU4noaXQ/UqaCQgPJBmZ2XL+OMfJtdHZdproN3vL/7BLXaPwv wuiZSc/agrBQgnbv4IFlNWc/LtXo+Hh3/vSSw3U2GUnNHARLxb62Kj2vaMz9HWP3 ObykAXru4hpLXdRndf+dsqHCow6slbb89Iqzn93axbmvhxvuOdNNkNkS0Yfj+B9Y kMuDMqTR8Q+wXFY5JlTsTGGH8paDdyYWeZUHsI+2HqgYWS8CMQJwal2hErT4TG82 gU0xIIpZKHc09FMsw+z/TjNZO0aLQbbZAN45qpqdvZoQ174jX/ZVtkIGEOSQXyQA YT4O/yozBjNABBTYtCTVwdnJjM6L4sva2mKbtGnCTS/3tC2dVgEhsgE2zwzHtGPv lAtJwTbqyLBOP+aUFh2w0OaNwy0c5bB88AxyS/EKcliHtyAveedbXYFjLLVIMhLY tpodoCSwrM6PgkddWy6+YVCbcoD6JfS1U5T2IH0EJXPSQvV8SPbs3LRY4F7O5zDi x+jJy5JL/2hjps/C/581Iq5y =SmlG -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:13:51 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8c1txmz6gqR2 for ; Tue, 09 Jun 2026 23:13:52 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8b5l3mz3Q0d; Tue, 09 Jun 2026 23:13:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046831; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=RoNN8RCs1wM7XAfR3qVxg8oQM+5tmWCaXkVhwBhrD3E=; b=QnzJvlCgXiWbvmmHcWbp1WrbxQ8NNTkOfRMbynGC9Z3ZUNsLgA3UMIFc3bdsWQ5N+m+PXy TmVFQ5vqMf2zQChr+HeKZHDUhD9RhK4b2xW6Fz63HVq0h3a1lf5LpzdN7LoGC7IFZkfFyq /7BGkV8L/tCtwqJSEINFwnaTXLDHmzq2ghsALxMtvZcHxoeb/+i+06685lwc116eflrtbp fTzfqrxX53QEvnvbb+I/sfZqd6J+4z86p2N4kSPrw+SYKNiMHEscYGTq6zjtiYrnl5GgPZ IVvQjhL7Hq568sqdpYK6x7iy4Tz2UOXFuQX/IAci+qe4lgXZwMAlOPOpSdSjzw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046831; a=rsa-sha256; cv=none; b=FgJAzv84ktTFeN4Ghr7mlIvo7DY2TZDOWatI9eZhhH+sHJh0eb6HSyU+DVbdeIJPhNaH9z l+FN0ml+qaPkMlPDXqKoHy28qxkH1nSvQxZ+iWFzCoBPiL2wWrEuLZGWJ9VSPLkiSL705O Ipp3Lb6Uxn8L09eEu4Xwf1WvO05FAa6+Jyl29Fhek6w4bogl0Y09fV+kxcqdiKzEk/tVJt EPct1c/Kd5ReajvoIdBpwMKGIxlUpaTLU+cdaVY6x9gZ+8bu+J9ISYDkszBx12z6wf97xX 6F4gTFQU/J/fs5JakgEAUiEGgosWx6XOOte630Ulk91SWQR330GJUoZE6QCCbQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046831; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=RoNN8RCs1wM7XAfR3qVxg8oQM+5tmWCaXkVhwBhrD3E=; b=jA51togfRCKzLnhoPk/bV67GO5FCKR6KGtKmo2ZzwlOwepezTgeBrDXUsB73GXbvmYixtd 5d8YxKRrew/ypkVEDzJwoQDiDUcWqirqmeBtaI1CwVMLon5u92xAUSFmKWFQ8BUvK/+9u4 Yd8Rngv6A3z/PhQnBW6Iv99inp8+RJ7GkFuhvskB69eTfhM+pf+UGFNXYS7dDm0xDpg4wK xd7fEGqoGqt5XHYhQbPzwXnbRhYGCVNm2vu6EYZ9YARbOqyUHT8gRO9H9F8kfrLozF8yTj 3Jr0NxFo3vjc1v6cpn2maY1kENQnU9eYcmWgLlhgwG23IObAZ+EcAocv0Y4tvA== Received: by freefall.freebsd.org (Postfix, from userid 945) id B7EFF1FAFB; Tue, 09 Jun 2026 23:13:51 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:32.elf Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231351.B7EFF1FAFB@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:51 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:32.elf Security Advisory The FreeBSD Project Topic: ASLR bypass for setuid executables via procctl(2) Category: core Module: kernel Announced: 2026-06-09 Credits: Synacktiv Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:35 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:13 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:51 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:53 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:13 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:43 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49414 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Address Space Layout Randomization (ASLR) randomizes the base addresses of executable images and shared libraries in a process's address space. FreeBSD enables ASLR by default for Position-Independent Executables (PIEs). The procctl(2) system call allows a process to set per-process ASLR preferences, including force-disabling randomization. When a setuid or setgid binary is executed, the kernel is expected to ignore any such user-set preferences if they come from an unprivileged user. II. Problem Description The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. III. Impact An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-15.patch.asc # gpg --verify elf-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.4.patch.asc # gpg --verify elf-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.3.patch.asc # gpg --verify elf-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ e1cdc49846c1 stable/15-n283888 releng/15.1/ 796579bcfbc4 releng/15.1-n283557 releng/15.0/ 6e51dfc401e7 releng/15.0-n281059 stable/14/ e417948e6139 stable/14-n274317 releng/14.4/ 547fc2a98a24 releng/14.4-n273721 releng/14.3/ 744f62ccbf82 releng/14.3-n271521 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxcbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvzjAP/izsPLlrhPmUVbO6pLVA 22HiuxV4URIIzMe4SbVa8ALyWM85TNAKjRUyr7VwAslFvfzRCtL0o/w0Fypsvoss a4jpiC8QHjeUFlRz6fmYq4sgHZdi/sz0zOmGKHVYiCA1Jdrp1tM4NxkKeDquc61d iD1yulnjkr8axb4gv4Y/C1McT7fvECbiaK9ni/vgwwluy0cqRIz7rPe8NrAD6pYn 1WPgkHmGeNwpIhPHbBd9WCoQNiU+BLyNyuFASWjZWiIMiMwCKQdvm0qVJ1fPWxeP 2GxxpWfoftwDkRy1/tURs0dVuI+Ko40sTFKiUVUMyOu0ndnyuR8VGICWlwA903yY N05s8R65FpXJbERu3Bc4HO+fKzQxCqWocgcUHBI9VO9QGIcNRR1S1PgkltNUI0wI KTJith+ru6XFRK5ts74cBR7i2p2r+cVFs/FyzXXP1v4A1U+Fe6PwwdhWdwJy9r4s aOJPh5b5Go2BvRayptPt+18vdXm8N4L1xk94lk/h9X6lrMe9+WhWnH1BUnMD3dVm m8mSczWkkveFNiEfj3WGdbTlpVvXUqHdwIx+v2obj0fBUDkg9r1M2ZZjaW3DEPM9 aLOrjdK9t+ntJyNBQCnNCRZFaiFGHK9bdEjm9WhyfMAnxoKg1hNhzhq+jyxrPDZY OY6FBpNTQ9NhGUkgpkgArAEj =unW5 -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:13:56 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8h3w6pz6gqck for ; Tue, 09 Jun 2026 23:13:56 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8h1JmTz3Q9y; Tue, 09 Jun 2026 23:13:56 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046836; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=azjBhPsvt/6KSQk3EbILQoe0jvt/cSjmP1RS10cW3QY=; b=CVKadWM4UNU/YgHfW/RtwiDJODpD8d1oMZDri+dHrXJ7PlUcoVUTPyNcrtAcepDZChvmKX 1j76RRWcOWg5KCi7ugs3r47gUHneVVGRNEnWKVKj5noMxjIxeS6HBPHWzHXyIgW6zK44VF PA8Okt9lEDy9niiVkErNIGZMitZvj6d7aRiOrMM8GD/Gnbm0z2VW3QOo8ASQIquUl+w1AT j2hZJA7ioIAIgRUZuQu6XsBJUSPR6uU557iG4Raz31LHou4iFsRWntz6rCFuYNR8yZQoVj 3AxW9ckEQW/jgZPHRJZzreInp3iZ0koqo1KUfFk60tOzuUGkm40W0xt5v7I1Qg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046836; a=rsa-sha256; cv=none; b=pUfhEcZWeqMmvFd15XTHGmGDlsz3goynJ5+gOVO+ZGAHMEA+FDJMQEgDYdGtDZDfOWZdqp PFsybvxZokrP6Nb3rqbNp33VCARFozX3qKm/oVQckKTGz5Uf0aEjayRknrGdjfPDbYBQtM VRr8+YvLEclbgQOt/Iw7lKT1Nz0YdN6x9ZwMlawErptrlnIY+rarTVJfRUdtjnPnmv48va bjBoPq8toua7Wbr0+fILpXjCfmaTZpOR3EjTWtEAB9l5hAFXlWpPLMMZI6p/rJR5PIZYgr tBWlnx2NZFqwnK2yJo90EBsotbTjIGU/3ylazi1N8BoTQzZNb7XDtGodClrZMA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046836; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=azjBhPsvt/6KSQk3EbILQoe0jvt/cSjmP1RS10cW3QY=; b=UY3xZw2VuNFg/mYeC7qh/njJPCSEZUHIGSQt4AEA1nvva2NUw4AVGCXfCFdseQsSM4BHRz rQHjan/erhjpEjJWIZLYG6ywDEnPEM6zXMjO5opJ7ZFAhI8CxBteN1WUvAcqq7PScpSBiZ pX4WbZXgRXmYXrpStDG7YBIrsvwhjYKNf5cXeTyIWZcZbqKrR2toZ39nk3GjyRY+7Owt8z gZEHcxLgFwf4n/UNMzOF3pIBuiAUOl2Ns1rKDH/GDk0pNejtxwsbxIepEnxqmGFwWiEiED 8QW9/3QRM0UAapeLyuXmsuyBPKqJ61aFUth9qI9QWjbna76zyabMrfeTu687Kw== Received: by freefall.freebsd.org (Postfix, from userid 945) id 131DB1FA78; Tue, 09 Jun 2026 23:13:56 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:33.unbound Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231356.131DB1FA78@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:56 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:33.unbound Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in unbound Category: contrib Module: unbound Announced: 2026-06-09 Affects: All supported versions of FreeBSD Corrected: 2026-05-26 16:48:51 UTC (stable/15, 15.1-STABLE) 2026-05-28 22:16:07 UTC (releng/15.1, 15.1-RC2) 2026-06-09 19:19:52 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-05-26 16:49:56 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:14 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:44 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-32792, CVE-2026-33278, CVE-2026-40622, CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42944, CVE-2026-42959, CVE-2026-42960, CVE-2026-44390, CVE-2026-44608 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Unbound is a validating, recursive, and caching DNS resolver included in the FreeBSD base system as an optional service called local_unbound. II. Problem Description Multiple vulnerabilities have been reported in Unbound. Instead of listing detailed writeups for each issue, please see the upstream advisories referenced below. CVE-2026-33278 - Possible remote code execution during DNSSEC validation CVE-2026-42944 - Heap overflow and crash with multiple nsid, cookie, padding EDNS options CVE-2026-42959 - Crash during DNSSEC validation of malicious content CVE-2026-32792 - Packet of death with DNSCrypt CVE-2026-44608 - Use-after-free and crash in RPZ code CVE-2026-40622 - "Ghost domain name" variant CVE-2026-42960 - Possible cache poisoning while following delegation CVE-2026-41292 - Parsing a long list of incoming EDNS options degrades performance CVE-2026-42534 - Jostle logic bypass degrades resolution performance CVE-2026-42923 - Degradation of service with unbounded NSEC3 hash calculations CVE-2026-44390 - Unbounded name compression causes degradation of service III. Impact The issues range from Denial of Service (DoS) through resource exhaustion or crashes to possible remote code execution during DNSSEC validation. See the upstream Unbound advisories for specific details. IV. Workaround No workaround is available. Systems not running the local_unbound service are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and restart the local_unbound service. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:33/unbound.patch # fetch https://security.FreeBSD.org/patches/SA-26:33/unbound.patch.asc # gpg --verify unbound.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ d2a10ff4cb84 stable/15-n283689 releng/15.1/ 1b6c85cfac36 releng/15.1-n283539 releng/15.0/ 6160bd311a1b releng/15.0-n281060 stable/14/ de9d7a2ab8f5 stable/14-n274187 releng/14.4/ 857abc12945a releng/14.4-n273722 releng/14.3/ a68c183e0ad2 releng/14.3-n271522 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiWwbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv5ZcQAMqhP1F0oVdGJ4ZlTusj An1CAKA3CO3TKt6jrbnTbnw4s1+9kKjwABGcrZw/0sdoq+e0DzhlG8uI9Pol46d8 ANgWVa0T2d4rTDxCRJZZsqxqDfd3PwpGbUPzNNptxnJxWSR5j87m0N6PcMddCBFc BKg8vdeOJDPky+khcNwXG/g52HcNheXPqzTgq1IMuYrNId4Xrp6pnKbpIPeEYXgj 6+GWIBz20B1qtEwNnjkDdqoHYK143SZcZzapO9QFmo+Su/tVJ+/ymEtFcY7Ze7JB Hm8jiBIX3S7emFLyUPvAAiY5Oh84IgpazGXhljDGc8R9Wt/ipoDfBSYmGUl9ZNFH 0haadzi5JdQmbqCANURXc7t81miGEI4LDKTcJaIkP0ITVxktENyr5YIpSh/OQEI0 NbAI+ASPp8eVI15YxVaKd0HIdjsGZPY0eRQymMAC55yponTu35aKFc+RG2xCVZat JPzrp50ZjmTxNMFt1MMPgZTZQxQC14iONT8LVymnG7cgAsjXGw2X7gjRWRMdC4Hb EezcuwDnHwYAWzD41+1W7WpyMXXdCW8gaIpcLzl41egTpTe932J++9va7RU1R86e VlqcpvxmEtu7shIvepFHi12l2JNsqsYLmhsYVoUJsMAOHQck2eUXOqfZ4+aQGwye cL48Uk5LxTjYEHENCtOKOm3e =7uMj -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:14:01 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8n4jYQz6gqY2 for ; Tue, 09 Jun 2026 23:14:01 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8n14xXz3Q62; Tue, 09 Jun 2026 23:14:01 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046841; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Vm+SqV7N3mqFN2q6T8hiC3FY/oljTsgurocxAreXDOo=; b=q7ltNezViOfqZWqW3SYHdYHe9aMHpPx8n9uRclHvY8aXBrplOgzhwC/0W8BEjhmz06dPsi CmKiA3fQp10dUY2l5phNeUtovE+nOh9IQlcP6rOY6cB/az4l97ait2D6/Aciv3iZL6POxy VSP8WXm7GvwSKR0umnWCR7S07P7+G9fkqJydIQONVDIiWrjlIrTOkPPLW1yG4zEzWwRHhp WcqRsYDusX0zwgb/XSfL7zE3hITdU76NO4E1NCUwwSLHFPkA41NYB8NbzhXY0WsBSuiJgM Wfjgwu/BXIY5wv25FzWRKPzwX7VIQozkqOMM9lLjrFZeRduDX9wtOSUUHJGTtQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046841; a=rsa-sha256; cv=none; b=S/baweG0HaFWB/A1FV+2Cm98oBMYwtUgjRk76+p1nqT2hC36p1CkvkEz+UTeo8IF91nZGZ krnx/T/rIHuuVHNifKe/+idol6FkOHD0UaWwglGQbRqJ930VJ6ixj0x0V4HyD0g246aLal Z3uXRma159Ne8VTBRqgpvtPA8MzFzo6KZGvPH6QnQhN+vDBvwApijWyfAibaj7WRctJTz9 8VelVU5yEaAOeBVtyvSXIsTn2BxqPDazuWx4nfL2ia6RiXuyVRVsxySKDx+3rPqVrD5vQ2 7H1ad0kfy1tliLfckm1uFjKYnmm2r+PL4ntRN8GK2eLx0THmG3bq1A+0UOC/Ag== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046841; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Vm+SqV7N3mqFN2q6T8hiC3FY/oljTsgurocxAreXDOo=; b=Lk+lFuVjaCu+bIYkLEGBuhk01/6eI/Dt8fdbYjfgePuC6EvQ6uBtXnoxGDJiN6u55dy70W Rxn0xaF+9pTztgckb376CU+3AvNjQLyAM/wvdS4tVmbmnM3rrageirSTz634ehHM+lWhc7 w6AgXfDkLswQigmfrcXDHXxoEV3EEeQs27MKN/exULv+CrxA3WC1QSTGHmJYWPf5nXDoJ7 ru7wm9lSWZuGfUghXAJFnuJ+X1w1i4XrpdFMMwUEm2amRvdUbOuzPr2ik2xygAIhLCcEty mtPZ2SPbAupGDREZ2j0qnhuNGARXQJOiBNeXzbQmVm7SUh630NR7t5wKegFUmg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 1D5841FB71; Tue, 09 Jun 2026 23:14:01 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:34.vt Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231401.1D5841FB71@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:14:01 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:34.vt Security Advisory The FreeBSD Project Topic: Integer overflow in vt(4) CONS_HISTORY ioctl Category: core Module: vt Announced: 2026-06-09 Credits: Ed Maste Affects: All supported versions of FreeBSD Corrected: 2026-06-07 17:10:53 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:14 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:53 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-07 17:12:28 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:15 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:45 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49416 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background vt(4) is FreeBSD's default system console driver. It provides virtual terminals on the physical console, including a scrollback history buffer. The CONS_HISTORY ioctl(2) allows a user to resize the scrollback history of a virtual terminal. II. Problem Description The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation. III. Impact An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:34/vt.patch # fetch https://security.FreeBSD.org/patches/SA-26:34/vt.patch.asc # gpg --verify vt.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ deaaddf1d3c4 stable/15-n283854 releng/15.1/ 8ed11b21e544 releng/15.1-n283558 releng/15.0/ f4cf977dfe92 releng/15.0-n281061 stable/14/ b5a4f4bfbc95 stable/14-n274300 releng/14.4/ 799e830134d5 releng/14.4-n273723 releng/14.3/ 9cba21c2de16 releng/14.3-n271523 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiW4bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvpd8P/0WOqL3COrZKAvzgZO+u tOfo4MhWYDw+jMAHtFLU5qH6GNfgUA8j5OaLaN1Rf+Z0+UNyy6CC5wehumdzRHm8 dPdfW9mKA932rsrOMM5/RtgLmBjVok4VjzC+KZbpO2b2cEJN5Tq1ZIYqZyvhbUV5 ZXjgdTZ1w2osE7IzPK2v0OOCRh+uiVLjpBiE4M18K0bmsnEytHm3xOpUUIkSNGWe gwunylrC0FstCKI778agymVHf4LX/xzEm7E62B4Ydk21GbB5QEx8ZnOOWWY8OehJ O48CBQILxnsIYSySx258nO9K8SwrZ45IonJmxb+N1OTTl+qDeSQo9Wfw2zTR4YZl qBBXpl9Ra/dL4zOGM0HOBEwlOXruCC4vm84vipZowJwO5e97/XZVdhNhkU8HHNWO 256nEIRwAFx/KqJ63AseOsq6REIP6hhCLo8NyWqLYpdp0MGClZ7UBQ5ay6TvwVHD Qf+KyZrfGh6q7pU2ADmLdzf0H6FiUASsbPiRjcd5o/T4qPY9vJKJGOfd8EVHqzsH Rh2yhdtbsbCqTvfOjnUIuj5vJnk3sr/HG9wJXNqEgLcBz33/jmNaNhHXcyc2Yw9N 7lBHW20nj3jDFhK8MdKSvBUZ4WSmr8yBYb85v4L6kb9EKDiUQMa7eJ6cCaHYYRff NH418v0qjh1t7fJRdmx1HtvQ =ZGXy -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:14:07 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8w0LHtz6gqmc for ; Tue, 09 Jun 2026 23:14:08 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8v2b95z3QNX; Tue, 09 Jun 2026 23:14:07 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046847; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=nf3omi+2yT46rq/4o3Rt/re84Zi1lv0VpkGJhD+zI6A=; b=p4259f9YJmRUGSbqIRyM7UZWqMQ/0sg+zPo+TuTYW5peFMnKCb+oMHAiEBgF3WMJiDw4ds wE3BITiHXEpc8kCxFWBASVBIP4PPOdnBih3GTSlvmwd6Pke8qx416Xk4yjMSJryxqcoTf6 LFffer02VBtUtmuRaEikAz6EXWhp/DzvmBqTfJQ75GqcyjnPH81GjFsAbDaIEymp+KIF74 sbUAbKsjK2JQSiyXNJXdvmbG8tx0RAyjOk1w02ZtZE8BIs3yjoCkr0ZUXU7ATo9/pNPHW4 06r4jt0gk3Qx9Ebtji2idfZ2blpK7mTTT9GfxNqEVxfGjoJcwRX/Ylh4b2DijA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046847; a=rsa-sha256; cv=none; b=e00xn6tqw5b8NWIc1mmw3Vwl6YzBeL8iPBXVQrwhm64A74rl+Bg5zd/uhZqWwVdmpDctaY uvY2SVx8LHEu02hbyc9zypdiFo5yGZ9LJU7jyRG7s1dm8eX9yU7iofjkfg/VzhP1amTqsp VlIGDY/Kaokumeh2HFyguJQPIi223LwFGVpeu+Crk20blIBL0+FXxHRENcM7kLiEL/lqHB ZxljQ0vQhI3jrvy5Fv4VPojApLXnHj1Mvlp1zJX54wliiLJ/ET/AtX4Fv6JpBzdCyf6jq4 4vX5e6onMG65dxixGlXhr40tqYeTS2/pdOQq/FIKTRDQ+amV12eK4g8m92ZuFA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046847; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=nf3omi+2yT46rq/4o3Rt/re84Zi1lv0VpkGJhD+zI6A=; b=X8u1MXhzE5is4VobxdVJNAq4gbbPbEguztcnOdmJjRo9Hk42sr/V8DbvBu0Nd8LecskxvH dEmGFF2fM9w1P2Pdj8Gx65PO0opIFYEbhfYVETG2poPxaejV5eP2QX7nmobasQJ1aZF0+Q r/QMoufSYVFlEFQylIjISiQWVNNuNCZNmkk9ord+wH2otFi4vEQH8O5GPnyKN6er/36bZS RLmrOt1V4eLNNssdp0yTCAYnW3QuGPIlRlgv4pzjdHqGdqqEAZJJTd0wNI+CVwQc6AQQ3s qtiGwt44LLCXi//HvMgyCafaSK5g3ZShYV/n8FtQDOVMXsSQM1ekmzC/EyTGeA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 4C8371FCC4; Tue, 09 Jun 2026 23:14:07 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:35.openssl Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231407.4C8371FCC4@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:14:07 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:35.openssl Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in OpenSSL Category: contrib Module: openssl Announced: 2026-06-09 Credits: See linked vendor advisory in References section Affects: All supported versions of FreeBSD. Corrected: 2026-06-09 19:17:36 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:15 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:54 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:54 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:16 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:46 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34181, CVE-2026-34182, CVE-2026-34183, CVE-2026-42764, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768, CVE-2026-42769, CVE-2026-42770, CVE-2026-45445, CVE-2026-45446, CVE-2026-45447 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit for the Transport Layer Security (TLS) protocol. It is also a general-purpose cryptography library. II. Problem Description Multiple issues have been reported as part of this advisory with different issues affecting different OpenSSL versions and therefore different FreeBSD versions. Instead of exhaustively listing detailed writeups for each issue, please see the referenced advisory from OpenSSL. Issues affecting FreeBSD 15.x (OpenSSL 3.5): CVE-2026-7383 - Possible heap buffer overflow in ASN.1 string conversion CVE-2026-9076 - Out-of-bounds read in CMS password-based decryption CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing CVE-2026-34181 - PKCS#12 files with PBMAC1 accepted with short HMAC keys CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages CVE-2026-34183 - Unbounded memory growth in the QUIC PATH_CHALLENGE handler CVE-2026-42764 - NULL dereference in QUIC server initial packet handling CVE-2026-42766 - Possible NULL dereference in password-based CMS decryption CVE-2026-42767 - NULL dereference in CRMF EncryptedValue decryption CVE-2026-42768 - Bleichenbacher oracle in CMS_decrypt() and PKCS7_decrypt() CVE-2026-42769 - Trust-anchor substitution in CMP rootCaKeyUpdate handling CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes CVE-2026-45447 - Heap use-after-free in PKCS7_verify() Issues affecting FreeBSD 14.x (OpenSSL 3.0): CVE-2026-7383 - Possible heap buffer overflow in ASN.1 string conversion CVE-2026-9076 - Out-of-bounds read in CMS password-based decryption CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages CVE-2026-42766 - Possible NULL dereference in password-based CMS decryption CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes CVE-2026-45447 - Heap use-after-free in PKCS7_verify() III. Impact The issues include heap buffer overflows and over-reads, NULL pointer dereferences, a use-after-free, unbounded memory allocation, and several cryptographic flaws permitting message forgery, integrity bypass, or recovery of a private key. Security impact ranges from a Denial of Service to a potential remote code execution. See the OpenSSL advisory for specific details. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch.asc # gpg --verify openssl-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch.asc # gpg --verify openssl-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 865c8ff56693 stable/15-n283889 releng/15.1/ 083bb80a125a releng/15.1-n283559 releng/15.0/ 0d6ccbb7524f releng/15.0-n281062 stable/14/ ec6bfa889b83 stable/14-n274318 releng/14.4/ 1929d9e173e5 releng/14.4-n273724 releng/14.3/ dd3096b4efe6 releng/14.3-n271524 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxkbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvIjEQALlvtT/r8WJ72cw03AZP 1qPNWibqFxrMccV/fEtVq2csUzMkSq6PvgK3ZZoKgh8e2whpJkEULxRJ5Th8IEoD McbPdU4+zgqcehfmH6mvuv/yshDJLe0U2iLFSTbzgbx8xe0XRyWJlutlNXSZmLvo N87HGEtO/gXCXJxZuWFDE4JfO/bECn8wgZ468AD+OMwKRnx13hszmqKnp4cn/bZ8 764BqDsyweCBSVbW7AC0A5/BP7e+S+eOGHDSDqm48Jxk8eVsEVvw5wEo7DMLQgQw /kHc9BSiQ6HPgMvjDryUzX/FhF3El3sKQxkUXNFGcYk8yChTEVtD1C+zf3FACQJA ZTeDNgJelmeJdK7uzrJtX/8Laozma0+x1+2+YrY+Y1aCqOZ0iicmlytZHRHgZc3R riEEJdw3nlV6r43WtwBYjJNyOIiqPusYK8K0/RLnMeMtS+mwjjNjGxqcHdFPbSa7 Xjs4zSAHgkg9NHMwD4S+F+upRZ3yVoZOvIDtqUKO85Mf70OYHHoaZJE4Q7mIPDyE CbtpeaNpjSkujTR5/Us4JgxRfDqDGyyER/Ub1yZl8uuhKNU7QuOWRQMTeIXp42Es uClHfLQz5Dvmwy7muDfg5cY0R/F9whvpwSOmILrsViBjcygkzFY9lE1ufW685vbH 1srvsOXI5oN55cZrX4+H6G17 =UV/w -----END PGP SIGNATURE----- From nobody Tue Jun 9 23:14:11 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl900rSJz6gr1x for ; Tue, 09 Jun 2026 23:14:12 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8z3DB1z3Q9s; Tue, 09 Jun 2026 23:14:11 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046851; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=l97L0f41JwybpEP9Y53mzGi39jXG96CYfLdpkSSpjOA=; b=mp4iAJcSIwYJrujNdJcFAqU9Ci14WW5D4edeCpSDpeyaG8uUMcAxbnCmryhzzZqrYk/txD jzzDPO9UJYuDnM0EeY+TkxF+LJ9W+IzBjJQ84agSAA9/47OFj/9H1aKf/+3CIvPrImUX6G oWByQkfUCOMm0yyxOsPM+4gqGfYDQWhh2PmLi7JXlgWqpYjuyPg8kX1hzvAxEgOki5FOU2 MnYKcYFGe623PHAxWJrNQxO1jaIc24QkAKz8FBx8vE4MzzqOPmtEpqcgCSjABSwjgVvT+7 5eii+Gp+h+5XyergeS1J6bbUx4oiKzncUNmLrFB1gAW/pCLlL8IjqT+zFuSHeA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046851; a=rsa-sha256; cv=none; b=ogo+ZQmwpKrrIDpE4krJDesn35xhmGlDoO7jps52Pzm8eQe14XqF7hUh7AGhjE7ixuN3bi LgIaDw4qSD3hZbbQKiXd8Op+somYHRAX0JtqF4tDTfcxcd6YAL2VUXYvxUyK3O1K5LQHiL pxaKtpWzutZdrOdtjwErnu11fC/icTMkJTLkC6W9lX101v/9sifcJ1qNcuXclHOIttjC3a DoRbTCNFL3qMc/d6SvhM7RpBooZny35uBGBX+wNp79pRCGey6nxZwgt4d8HDHelLTonbUD H40ZUCPkfpVymBPI/z9rhbA0LdIy8qanmxS1erv31fFAsT8OtIcjfgjdTPlGlQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046851; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=l97L0f41JwybpEP9Y53mzGi39jXG96CYfLdpkSSpjOA=; b=gspSoWSiDDL5TslRZQL/NaNMPMi7AhxEvHyWBbrDkxFxwYphj8bJpVVEeOBvUF7gvhVo5r YEe5rZptI7fVrmNcB/ZscyfrTzepQhmqySRc/jCPNywWZLR18UgSDT32Hi9zRLwXh7mXy4 z1bArZId1wj07O2jraZDkClceIpRXadW50wOk2GKcVfFzAIq43cUJuL6b4bT5AQvZzOw/J tdX9h6Al/qjoPqe74KbeulEkmcRllZ/pG/dqwZstfBPMqiNuxdw2DLNp2tXU+u/mWnqaXM GkMC/duwGsUlH6oS6uwPNEafY8LkVqfe5GKlwjQ0dAog4vMYRjnR8Pg28Njf7A== Received: by freefall.freebsd.org (Postfix, from userid 945) id 5147F1FE01; Tue, 09 Jun 2026 23:14:11 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:36.ldns Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231411.5147F1FE01@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:14:11 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:36.ldns Security Advisory The FreeBSD Project Topic: Insufficient response validation in the ldns stub resolver Category: contrib Module: ldns Announced: 2026-06-09 Credits: Pablo Ruiz from 'codecome.ai' Affects: All supported versions of FreeBSD. Corrected: 2026-06-09 19:17:37 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:16 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:55 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:55 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:17 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:47 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-10846 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes the ldns library from NLnet Labs, which provides DNS functionality for programs, including stub resolver support. Several base system tools are built on ldns, among them drill(1), host(1), and ssh(1) (for the VerifyHostKeyDNS feature). II. Problem Description When used as a stub resolver over UDP, ldns failed to verify that a received response belonged to the outstanding query. It did not check that the response source address and port matched the query destination, that the transaction ID matched, or that the question section of the response matched that of the query. III. Impact Without these checks, an off-path attacker who cannot observe the query can forge UDP responses that ldns will accept as genuine. By injecting spoofed replies, the attacker can return arbitrary DNS data to any program that uses ldns for stub resolving, including drill(1). IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:36/ldns.patch # fetch https://security.FreeBSD.org/patches/SA-26:36/ldns.patch.asc # gpg --verify ldns.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 20bfab98f8ae stable/15-n283890 releng/15.1/ 157d99d7ec9b releng/15.1-n283560 releng/15.0/ fbb19baa29ce releng/15.0-n281063 stable/14/ 5719a342555b stable/14-n274319 releng/14.4/ 410ab2bff36f releng/14.4-n273725 releng/14.3/ f61d7fc2ba85 releng/14.3-n271525 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiXQbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvuJsP/1G2bXjQo/HJ2aNYP1+h Ffz307olEEslY/xUlmulwuOdhh5A2gx0vZmh8gtUiMON+SzXN9+LxbzVnASfSj+o TFPJQNc55LUwdK/2m4i9UoW1dmEP5gIJk9uVDbGxMNgclkCWxJYvurT4DaCdf6fw a0lWUAOVpdk/pY0CCEYoyP85VaW9yroXowC5S/QSWLXoHOw6Rv5HVwd5Me6SvFir RChUVM77yyb6O+pCHyNhjSzksPrj8NzpdQyPeJeNOz3uNciRbloKPhUtsvEuppjp IQaa3P5pBw/Ivcyc+gHYZU1TlnQvHnyqIjRHmnmJCmDLwSwrD6+/sRrR5i1vVArZ DXyYK4rz/QstTXkFjZIV5SSVM6GT3CsavfnoCJzlTyOO7lQzNWUHunWFDFSdvWxJ FzSOI62+/0ZwHw0m2aLCpGXi1T5MS5Q+c4lK2zwdUdlnHTDhGLUv3hinavYYV7Bh HUzs+Hf3tVWzyi3+HVOv/zIPr3C2F6jXibVsSWD3omXRcNzei7dSkYJXKZigrpD6 7lrurOoq9ujboXBdBGimvW8sPTI+/GWfRm/pUJQUjYhl0gUmTB/MEWGpisYYwDMM bwTUTTDx97j5UYtBVvRZKz0k54DmGQAh5I1PVepszkUDTnfX6v5aSLnTnTlcxHhB jwJiXCvdJUX0Djnm0vXDSXzL =tsVt -----END PGP SIGNATURE-----