From nobody Tue Jun  9 23:13:05 2026
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:25.thr
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231305.80E771FCB9@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:05 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
List-Help: <mailto:security-notifications+help@freebsd.org>
List-Post: <mailto:security-notifications@freebsd.org>
List-Subscribe: <mailto:security-notifications+subscribe@freebsd.org>
List-Unsubscribe: <mailto:security-notifications+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:25.thr                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Missing permission check in thr_kill2(2)

Category:       core
Module:         thr
Announced:      2026-06-09
Credits:        Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
                and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Credits:        Igor Gabriel Sousa e Souza
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:27 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:05 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:42 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:45 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:04 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:34 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-45256

This vulnerability was independently reported by multiple parties prior to
publication.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The thr_kill2(2) system call delivers a signal to a specific thread of a
process identified by its process and thread IDs.  As with kill(2), the
kernel verifies that the calling process is permitted to signal the target
before the signal is delivered.

II.  Problem Description

When used to deliver a signal to a specific thread, thr_kill2(2) called
p_cansignal() to determine whether the operation was permitted but did not
check the result before delivering the signal.  The signal was sent even
when the permission check failed.  The system call returned the resulting
error to the caller, but by then the signal had already been delivered.

III. Impact

The missing check allows an unprivileged local user who knows or can guess a
target's process and thread IDs to send any signal to a process they would
not normally be permitted to signal, including processes owned by other
users or by root.  The same check enforces jail boundaries, so a jailed
process can signal processes on the host or in other jails.  Thread IDs are
allocated globally and sequentially, and so can be discovered by brute force
with no visibility into the target.

An attacker can stop or terminate arbitrary processes, including critical
system daemons, resulting in a Denial of Service (DoS).

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:25/thr.patch
# fetch https://security.FreeBSD.org/patches/SA-26:25/thr.patch.asc
# gpg --verify thr.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              afa0c67a1ba3    stable/15-n283881
releng/15.1/                            068168fefd4b  releng/15.1-n283549
releng/15.0/                            6f6c7b996719  releng/15.0-n281051
stable/14/                              72ad7baa99c7    stable/14-n274310
releng/14.4/                            31f6086db8fe  releng/14.4-n273713
releng/14.3/                            fa5581c379fe  releng/14.3-n271513
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-45256>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:25.thr.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
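
Added illustration for section II of FreeBSD-SA-26:25 above (not code from the advisory or from the FreeBSD source tree): a userland C model of a permission check whose result is computed but not tested before the side effect, next to the corrected ordering, with a regression check that asserts on target state rather than on the returned error. The struct, the function names and the simplified permission rule are assumptions made for this example.

```c
/* Userland model only: hypothetical names, not FreeBSD kernel source. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>

struct model_proc {
	int uid;       /* owning user, 0 = root */
	int jail_id;   /* 0 = host, otherwise a jail */
	int last_sig;  /* last signal delivered, 0 = none */
};

/*
 * Simplified stand-in for a permission check such as p_cansignal().
 * Assumed rule for this example: a jailed caller may only reach its own
 * jail, and a non-root caller may only signal processes it owns.
 */
static int
model_cansignal(const struct model_proc *caller, const struct model_proc *target)
{
	if (caller->jail_id != 0 && caller->jail_id != target->jail_id)
		return (EPERM);
	if (caller->uid != 0 && caller->uid != target->uid)
		return (EPERM);
	return (0);
}

/* Flawed ordering: the check runs, but its result is only returned. */
static int
model_kill_unchecked(const struct model_proc *caller, struct model_proc *target,
    int sig)
{
	int error;

	error = model_cansignal(caller, target);
	target->last_sig = sig;   /* side effect happens regardless of error */
	return (error);
}

/* Corrected ordering: bail out before any side effect when denied. */
static int
model_kill_checked(const struct model_proc *caller, struct model_proc *target,
    int sig)
{
	int error;

	error = model_cansignal(caller, target);
	if (error != 0)
		return (error);
	target->last_sig = sig;
	return (0);
}

typedef int (*kill_fn)(const struct model_proc *, struct model_proc *, int);

/*
 * Regression check: a denied call must return EPERM *and* leave the target
 * untouched.  Checking the return value alone would pass the flawed version.
 * Constructed case: unprivileged jailed caller, root-owned host process.
 */
static int
denied_call_has_no_effect(kill_fn fn)
{
	struct model_proc caller = { .uid = 1001, .jail_id = 3, .last_sig = 0 };
	struct model_proc target = { .uid = 0, .jail_id = 0, .last_sig = 0 };
	int error = fn(&caller, &target, SIGKILL);

	return (error == EPERM && target.last_sig == 0);
}

/* A permitted call (same owner, both on the host) must still be delivered. */
static int
permitted_call_delivers(kill_fn fn)
{
	struct model_proc caller = { .uid = 1001, .jail_id = 0, .last_sig = 0 };
	struct model_proc target = { .uid = 1001, .jail_id = 0, .last_sig = 0 };
	int error = fn(&caller, &target, SIGTERM);

	return (error == 0 && target.last_sig == SIGTERM);
}

int
main(void)
{
	printf("unchecked: denied call side-effect free? %d\n",
	    denied_call_has_no_effect(model_kill_unchecked));
	printf("checked:   denied call side-effect free? %d\n",
	    denied_call_has_no_effect(model_kill_checked));
	printf("checked:   permitted call delivered?     %d\n",
	    permitted_call_delivers(model_kill_checked));
	return (0);
}
```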

From nobody Tue Jun  9 23:13:11 2026
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231311.7E26A1FD21@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:11 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:26.ktls                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Arbitrary file overwrite via the KTLS receive path

Category:       core
Module:         ktls
Announced:      2026-06-09
Credits:        Bumsrakete
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-45257

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing
into the kernel, allowing applications to encrypt and decrypt socket data
without copying it to and from userspace and to serve TLS data with
sendfile(2).  When a connection uses software KTLS on the receive path,
the kernel decrypts each incoming TLS record in place within the socket
buffer.

II.  Problem Description

The KTLS receive path decrypted each record in place, assuming that the
mbufs holding received data were anonymous and safe to modify.  This
assumption does not hold for data placed on a socket by sendfile(2),
which can reference file-backed memory directly through non-anonymous
M_EXTPG pages or EXT_SFBUF mbufs.  When the sender transmits such data
over a loopback connection without enabling KTLS on the transmit side,
the file-backed mbufs reach the receiver's decryption path unchanged.
Decrypting a record in place then overwrites the backing file's page
cache instead of a private copy of the data.

III. Impact

An unprivileged local user who can read a file can overwrite its
contents with data of their choosing by sending the file over a loopback
connection on which they have enabled KTLS receive.  The write modifies
the page cache directly, so it bypasses file flags such as schg and is
written back to disk.  By overwriting a setuid binary or other trusted
file, a local user can escalate privileges, potentially gaining full
control of the affected system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch
# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc
# gpg --verify ktls.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              a51345704403    stable/15-n283882
releng/15.1/                            48c1c5e3c348  releng/15.1-n283550
releng/15.0/                            540a315cdb46  releng/15.0-n281052
stable/14/                              333bdd7e9427    stable/14-n274311
releng/14.4/                            d43259dd66b3  releng/14.4-n273714
releng/14.3/                            af3398862ac0  releng/14.3-n271514
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-45257>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:26.ktls.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
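
Added illustration for section II of FreeBSD-SA-26:26 above (not code from the advisory or from the FreeBSD source tree): a userland C model of a receive path that transforms a buffer in place without asking whether the buffer is private, next to a variant that takes a private copy first. The buffer descriptor, the toy XOR standing in for record decryption, and the copy-before-write mitigation are assumptions for this example; the advisory does not describe how the actual fix works.

```c
/* Userland model only: hypothetical names, not FreeBSD kernel source. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_KEY 0x5a   /* toy XOR key, stand-in for real record decryption */

struct model_mbuf {
	uint8_t *data;
	size_t   len;
	int      anonymous;  /* 1 = private to the socket, 0 = file-backed */
	int      owned;      /* 1 = data was allocated by the receive path */
};

static void
model_decrypt(uint8_t *p, size_t len)
{
	for (size_t i = 0; i < len; i++)
		p[i] ^= MODEL_KEY;
}

/* Flawed shape: assumes every buffer on the socket is safe to modify. */
static int
model_rx_inplace(struct model_mbuf *m)
{
	model_decrypt(m->data, m->len);
	return (0);
}

/* Hardened shape: never write through a reference to shared backing pages. */
static int
model_rx_private_copy(struct model_mbuf *m)
{
	if (!m->anonymous) {
		uint8_t *copy = malloc(m->len);

		if (copy == NULL)
			return (-1);
		memcpy(copy, m->data, m->len);
		m->data = copy;
		m->anonymous = 1;
		m->owned = 1;
	}
	model_decrypt(m->data, m->len);
	return (0);
}

typedef int (*rx_fn)(struct model_mbuf *);

/*
 * Returns 1 when the receive path yields the decrypted bytes AND the modelled
 * page cache still holds the original file contents.  The 16 bytes below are
 * constructed sample data.
 */
static int
rx_preserves_backing_store(rx_fn rx)
{
	uint8_t page_cache[16], before[16];
	struct model_mbuf m;
	int ok;

	memcpy(page_cache, "trusted-file-dat", sizeof(page_cache));
	memcpy(before, page_cache, sizeof(before));
	m.data = page_cache;
	m.len = sizeof(page_cache);
	m.anonymous = 0;          /* buffer references the file's pages */
	m.owned = 0;

	ok = (rx(&m) == 0);
	for (size_t i = 0; ok && i < m.len; i++)
		ok = (m.data[i] == (uint8_t)(before[i] ^ MODEL_KEY));
	ok = ok && memcmp(page_cache, before, sizeof(before)) == 0;

	if (m.owned)
		free(m.data);
	return (ok);
}

int
main(void)
{
	printf("in-place:     backing store intact? %d\n",
	    rx_preserves_backing_store(model_rx_inplace));
	printf("private copy: backing store intact? %d\n",
	    rx_preserves_backing_store(model_rx_private_copy));
	return (0);
}
```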

From nobody Tue Jun  9 23:13:17 2026
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:27.sound
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231317.105A41FBE4@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:17 +0000 (UTC)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:27.sound                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in the sound(4) mmap path

Category:       core
Module:         sound
Announced:      2026-06-09
Credits:        Lexpl0it, 75Acol, ch0wn, zer0duck (CVE-2026-45258)
Credits:        Emmanuel Genier from Quarkslab (CVE-2026-45258)
Credits:        Hazley Samsudin of GovTech CSG (CVE-2026-45258)
Credits:        Lexpl0it, 75Acol, Liyw979, Rob1n (CVE-2026-49417)
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-09 19:17:31 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:08 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:45 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:48 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:07 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:37 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-45258, CVE-2026-49417

CVE-2026-45258 was independently reported by multiple parties prior to
publication.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD provides audio support through the sound(4) driver, which presents
each audio device as a set of character device nodes such as /dev/dsp.
Applications can use mmap(2) on these devices to map a channel's audio
buffer directly into their address space.

II.  Problem Description

The sound(4) driver contained two memory-safety errors in its mmap(2)
support.

First, dsp_mmap_single() validated the requested mapping by checking the
sum of the user-supplied offset and length against the buffer size.  This
addition could overflow, so that a large offset and length wrapped around
and passed the check.  The offset was then narrowed from 64 to 32 bits when
converted to a buffer address, yielding a mapping that extended past the
audio buffer into unrelated kernel memory.  (CVE-2026-45258)

Second, the audio buffer backing a mapping could be freed when the device
was closed even though the mapping remained valid.  The freed memory could
then be reused elsewhere while still accessible through the stale mapping.
(CVE-2026-49417)

III. Impact

The /dev/dsp device nodes are world-accessible by default.  On a system
with an audio device, either issue allows an unprivileged local user to
read and write kernel memory, which can be used to escalate privileges,
potentially gaining full control of the affected system.  At a minimum, an
attacker can crash the kernel, resulting in a Denial of Service (DoS).

IV.  Workaround

No workaround is available.  Systems with no sound devices are unaffected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.1.patch.asc
# gpg --verify sound-15.1.patch.asc

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-15.0.patch.asc
# gpg --verify sound-15.0.patch.asc

[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.4.patch.asc
# gpg --verify sound-14.4.patch.asc

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:27/sound-14.3.patch.asc
# gpg --verify sound-14.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              7628e1ddfd52    stable/15-n283884
releng/15.1/                            abc077216bac  releng/15.1-n283552
releng/15.0/                            bda153dc04b4  releng/15.0-n281054
stable/14/                              f8f9050d61dd    stable/14-n274313
releng/14.4/                            0e8cc8d8a49f  releng/14.4-n273716
releng/14.3/                            de5fd56985c3  releng/14.3-n271516
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-45258>

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49417>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:27.sound.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
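
Added illustration for the first issue in section II of FreeBSD-SA-26:27 above, CVE-2026-45258 (not code from the advisory or from the FreeBSD source tree): a userland C model of a bounds check that adds offset and length before comparing, the 64-to-32-bit narrowing that follows it, and an overflow-safe form of the same check. The function names, the unsigned 64-bit types, the 64 KiB buffer size and the sample values are assumptions constructed for this example.

```c
/* Userland model only: hypothetical names, not FreeBSD kernel source. */
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_BUFSIZE UINT64_C(65536)              /* constructed buffer size */
#define WRAP_OFFSET   UINT64_C(0xFFFFFFFFFFFFF000) /* constructed sample input */
#define WRAP_LENGTH   UINT64_C(0x2000)             /* constructed sample input */

/* Flawed shape: offset + length is computed modulo 2^64 and can wrap. */
static int
model_check_sum(uint64_t offset, uint64_t length, uint64_t bufsize)
{
	if (offset + length > bufsize)
		return (EINVAL);
	return (0);
}

/*
 * Overflow-safe shape: compare each operand against what is left of the
 * buffer, so no intermediate value can wrap.  Once offset <= bufsize holds
 * and bufsize fits in 32 bits, a later narrowing of offset loses nothing.
 */
static int
model_check_safe(uint64_t offset, uint64_t length, uint64_t bufsize)
{
	if (offset > bufsize || length > bufsize - offset)
		return (EINVAL);
	return (0);
}

/* The 64-to-32-bit conversion applied after validation. */
static uint32_t
model_narrow(uint64_t offset)
{
	return ((uint32_t)offset);
}

/* Does [narrowed offset, narrowed offset + length) lie inside the buffer? */
static int
model_mapping_in_bounds(uint64_t offset, uint64_t length, uint64_t bufsize)
{
	uint64_t start = model_narrow(offset);

	return (start <= bufsize && length <= bufsize - start);
}

int
main(void)
{
	printf("sum check:   %d (0 = accepted)\n",
	    model_check_sum(WRAP_OFFSET, WRAP_LENGTH, MODEL_BUFSIZE));
	printf("wrapped sum: 0x%" PRIx64 "\n", WRAP_OFFSET + WRAP_LENGTH);
	printf("narrowed:    0x%" PRIx32 "\n", model_narrow(WRAP_OFFSET));
	printf("in bounds:   %d\n",
	    model_mapping_in_bounds(WRAP_OFFSET, WRAP_LENGTH, MODEL_BUFSIZE));
	printf("safe check:  %d (EINVAL = %d)\n",
	    model_check_safe(WRAP_OFFSET, WRAP_LENGTH, MODEL_BUFSIZE), EINVAL);
	return (0);
}
```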

From nobody Tue Jun  9 23:13:23 2026
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:28.capsicum
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231323.B1D1E1FAF5@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:23 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
List-Help: <mailto:security-notifications+help@freebsd.org>
List-Post: <mailto:security-notifications@freebsd.org>
List-Subscribe: <mailto:security-notifications+subscribe@freebsd.org>
List-Unsubscribe: <mailto:security-notifications+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org
List-Id: <freebsd-security-notifications.FreeBSD.org>
List-Post: <mailto:freebsd-security-notifications@FreeBSD.org>
List-Help: <mailto:freebsd-security-notifications+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security-notifications+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security-notifications+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:28.capsicum                                   Security Advisory
                                                          The FreeBSD Project

Topic:          sigqueue(2) missing capability mode restriction

Category:       core
Module:         capsicum
Announced:      2026-06-09
Credits:        Ed Maste
Affects:        All supported versions of FreeBSD.
Corrected:      2026-05-29 19:11:40 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:09 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:46 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-05-29 19:12:58 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:08 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:38 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-45259

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Capsicum is a lightweight OS capability and sandbox framework.  It provides
two kernel primitives: capability mode, and capabilities.  Capability mode
restricts the ability of a sandboxed process to interact with the global
namespace, including the ability to send signals to other processes, other
than via capability-based interfaces.

In capability mode, kill(2) restricts signal delivery to the calling process
only, preventing a sandboxed process from signalling other processes.
sigqueue(2) provides similar signal delivery functionality, and is similarly
permitted in capability mode.

II.  Problem Description

sigqueue(2) was marked as permitted in capability mode with the introduction
of Capsicum in 2011, but the implementation of kern_sigqueue did not include
a capability mode check restricting signal delivery to the calling process's
own PID.

III. Impact

A process in capability mode can use sigqueue(2) to send signals to any
process it could signal following standard Unix permissions, bypassing the
Capsicum sandbox restriction.  A compromised sandboxed process could
interfere with other processes, for example by sending SIGKILL or SIGSTOP.
This could be any process running as the same user, or any process, for a
superuser sandboxed process.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch.asc
# gpg --verify capsicum-15.1.patch.asc

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch.asc
# gpg --verify capsicum-15.0.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch.asc
# gpg --verify capsicum-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              defd9b86ef99    stable/15-n283744
releng/15.1/                            871d33e8a66a  releng/15.1-n283553
releng/15.0/                            77ee83d12625  releng/15.0-n281055
stable/14/                              d11ff01b3aec    stable/14-n274231
releng/14.4/                            eab757f954ed  releng/14.4-n273717
releng/14.3/                            f56e8cb94df6  releng/14.3-n271517
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-45259>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:28.capsicum.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From nobody Tue Jun  9 23:13:35 2026
X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8H4JB9z6gqHg
	for <freebsd-security-notifications@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8H27DRz3PNN;
	Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id 3FCB11FDA3; Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:29.ip6_multicast
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231335.3FCB11FDA3@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:35 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
List-Help: <mailto:security-notifications+help@freebsd.org>
List-Post: <mailto:security-notifications@freebsd.org>
List-Subscribe: <mailto:security-notifications+subscribe@freebsd.org>
List-Unsubscribe: <mailto:security-notifications+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org
List-Id: <freebsd-security-notifications.FreeBSD.org>
List-Post: <mailto:freebsd-security-notifications@FreeBSD.org>
List-Help: <mailto:freebsd-security-notifications+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security-notifications+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security-notifications+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:29.ip6_multicast                              Security Advisory
                                                          The FreeBSD Project

Topic:          Use-after-free bug in the IPV6_MSFILTER socket option handler

Category:       core
Module:         ip6_multicast
Announced:      2026-06-09
Credits:        Andrew Griffiths at Calif.io
Credits:        Maik Münch
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:32 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:10 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:47 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:49 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:09 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:39 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-49412

This vulnerability was independently reported by multiple parties prior to
publication.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD's IPv6 multicast subsystem supports source-specific multicast
filtering via the IPV6_MSFILTER socket option.  This option, set with
setsockopt(2), allows applications to specify which remote hosts are
permitted to send to a joined multicast group.

II.  Problem Description

The kernel handler for IPV6_MSFILTER dropped a serializing lock in order
to copy the source-filter list from userspace, then reacquired the lock.
During this window another thread could free the multicast filter
structure, leaving the handler with a stale pointer to freed memory.

III. Impact

An unprivileged local user can exploit this use-after-free to escalate
privileges.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch.asc
# gpg --verify ip6_multicast-15.1.patch.asc

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch.asc
# gpg --verify ip6_multicast-15.0.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch.asc
# gpg --verify ip6_multicast-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              ce2b95932ec2    stable/15-n283885
releng/15.1/                            3d80e4aec3c1  releng/15.1-n283554
releng/15.0/                            ed4692b8226e  releng/15.0-n281056
stable/14/                              522182827ea1    stable/14-n274314
releng/14.4/                            a7062a6de005  releng/14.4-n273718
releng/14.3/                            e6859453de61  releng/14.3-n271518
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49412>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:29.ip6_multicast.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
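
The "Corrected" and "Correction details" fields of SA-26:28 and SA-26:29 above, turned into a check against a host's `freebsd-version -k` string or its branch commit count. This is an added example, not part of the advisories and not FreeBSD project code; the function names are hypothetical, and the `uname -v` token format it parses is an assumption about git-built kernels.

```shell
#!/bin/sh
# Added example, not FreeBSD project code. The tables are copied from the
# "Corrected:" and "Correction details" fields of SA-26:28 and SA-26:29.

# Release -> first patch level (-pN) that contains both fixes.
PATCH_LEVELS='15.1-RC3 1
15.0-RELEASE 10
14.4-RELEASE 6
14.3-RELEASE 15'

# Advisory, branch, commit count (the nNNNNNN value) of the fix.
FIX_REVISIONS='SA-26:28 stable/15 283744
SA-26:28 releng/15.1 283553
SA-26:28 releng/15.0 281055
SA-26:28 stable/14 274231
SA-26:28 releng/14.4 273717
SA-26:28 releng/14.3 271517
SA-26:29 stable/15 283885
SA-26:29 releng/15.1 283554
SA-26:29 releng/15.0 281056
SA-26:29 stable/14 274314
SA-26:29 releng/14.4 273718
SA-26:29 releng/14.3 271518'

# verdict HAVE NEED: prints patched / vulnerable / unknown (exit 0 / 1 / 2).
# NEED is empty when the tables have no row for the release or branch.
verdict() {
    case $1 in ''|*[!0-9]*) echo unknown; return 2 ;; esac
    if [ -z "$2" ]; then echo unknown; return 2; fi
    if [ "$1" -ge "$2" ]; then echo patched; return 0; fi
    echo vulnerable; return 1
}

# patch_status VERSION: VERSION as printed by `freebsd-version -k`,
# e.g. 14.4-RELEASE-p5. -STABLE strings carry no patch level and come back
# "unknown"; use revision_status for those.
patch_status() {
    case $1 in
        *-p[0-9]*) base=${1%-p*}; plevel=${1##*-p} ;;
        *)         base=$1;       plevel=0 ;;
    esac
    need=$(printf '%s\n' "$PATCH_LEVELS" |
        awk -v r="$base" '$1 == r { print $2 }')
    verdict "$plevel" "$need"
}

# revision_status ADVISORY BRANCH COUNT: COUNT is the output of
# `git rev-list --count --first-parent HEAD` in a tree on BRANCH.
revision_status() {
    need=$(printf '%s\n' "$FIX_REVISIONS" |
        awk -v a="$1" -v b="${2%/}" '$1 == a && $2 == b { print $3 }')
    verdict "$3" "$need"
}

# kernel_revision "UNAME_V": print "branch count" taken from a
# branch-nCOUNT-hash token in the `uname -v` string (assumed format;
# kernels built outside a git checkout may not carry it).
kernel_revision() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(stable|releng)\/[0-9.]+-n[0-9]+/) {
                split($i, part, "-n")
                sub(/[^0-9].*$/, "", part[2])
                print part[1], part[2]
                exit
            }
    }'
}

# On a FreeBSD host, report on the running kernel.
if command -v freebsd-version >/dev/null 2>&1; then
    k=$(freebsd-version -k)
    printf '%s: %s\n' "$k" "$(patch_status "$k")"
    set -- $(kernel_revision "$(uname -v)")
    for adv in SA-26:28 SA-26:29; do
        printf '%s %s: %s\n' "$adv" "${1:-?}" \
            "$(revision_status "$adv" "$1" "$2")"
    done
fi
```

An "unknown" result means the release or branch is not in the advisories' tables, not that the system is safe.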

From nobody Tue Jun  9 23:13:40 2026
X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8P2qwJz6gqVr
	for <freebsd-security-notifications@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:13:41 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8P01x5z3Ph9;
	Tue, 09 Jun 2026 23:13:40 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id D23031FBE9; Tue, 09 Jun 2026 23:13:40 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:30.linux
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231340.D23031FBE9@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:40 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
List-Help: <mailto:security-notifications+help@freebsd.org>
List-Post: <mailto:security-notifications@freebsd.org>
List-Subscribe: <mailto:security-notifications+subscribe@freebsd.org>
List-Unsubscribe: <mailto:security-notifications+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org
List-Id: <freebsd-security-notifications.FreeBSD.org>
List-Post: <mailto:freebsd-security-notifications@FreeBSD.org>
List-Help: <mailto:freebsd-security-notifications+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security-notifications+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security-notifications+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:30.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Flaw in Linuxulator execution of setugid binaries

Category:       core
Module:         linux
Announced:      2026-06-09
Credits:        Minseong Kim of NSHC Red Alert Labs
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:33 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:11 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:48 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:50 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:11 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:40 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-49413

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD provides a Linux system call emulation layer through a loadable
kernel module, referred to as the Linuxulator.  This allows users to run
unmodified Linux binaries on FreeBSD.

When the kernel executes a set-user-ID or set-group-ID Linux binary, it
passes the AT_SECURE flag in the ELF auxiliary vector to tell the runtime
linker (typically, glibc) to disable dangerous features such as
LD_PRELOAD.  glibc's runtime linker relies on this setting and in
particular does not query the kernel to determine whether it is loading a
set-user-ID or set-group-ID executable.

II.  Problem Description

The Linuxulator determined whether a binary was set-user-ID or
set-group-ID by checking the P_SUGID process flag.  During execve(2), this
flag is not yet set at the point where the auxiliary vector is
constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and
set-group-ID executables.

III. Impact

An unprivileged local user can inject a shared library via LD_PRELOAD into
a set-user-ID or set-group-ID Linux binary, gaining the privileges of that
binary.

IV.  Workaround

No workaround is available.  Systems that do not have either linux.ko or
linux64.ko loaded, or which do not have any Linux executables with the
set-uid or set-gid bits set, are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch.asc
# gpg --verify linux.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              3ac9726c4269    stable/15-n283886
releng/15.1/                            a4d36c975be0  releng/15.1-n283555
releng/15.0/                            0b18ec59972b  releng/15.0-n281057
stable/14/                              ff411cc40cd4    stable/14-n274315
releng/14.4/                            3fe092282025  releng/14.4-n273719
releng/14.3/                            0dcf9bba4b9f  releng/14.3-n271519
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49413>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:30.linux.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
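
The "not affected" conditions from section IV of SA-26:30 above (no linux.ko or linux64.ko loaded, or no set-user-ID / set-group-ID Linux executables) as a host exposure check. This is an added example, not part of the advisory and not FreeBSD project code; the function names are hypothetical, /compat/linux as the scan root is an assumption about where Linux binaries are installed, and any setugid ELF file below that root is treated as a Linux executable.

```shell
#!/bin/sh
# Added example, not FreeBSD project code: exposure check for SA-26:30.

# linuxulator_loaded: reads `kldstat` output on stdin and succeeds if
# linux.ko or linux64.ko is listed. A Linuxulator compiled into the kernel
# does not appear as a separate file and is not detected by this match.
linuxulator_loaded() {
    awk '$NF == "linux.ko" || $NF == "linux64.ko" { found = 1 }
         END { exit(found ? 0 : 1) }'
}

# is_elf FILE: true if FILE starts with the ELF magic 0x7f 'E' 'L' 'F'.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# setugid_elf_files ROOT: print, sorted, every regular file below ROOT that
# has the set-user-ID or set-group-ID bit and is an ELF object.
setugid_elf_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if is_elf "$f"; then printf '%s\n' "$f"; fi
    done | sort
}

# sa2630_exposure KLDSTAT_OUTPUT ROOT
# Exit 0: one of the advisory's "not affected" conditions holds for ROOT.
# Exit 1: module loaded and setugid ELF files found; they are listed.
sa2630_exposure() {
    if ! printf '%s\n' "$1" | linuxulator_loaded; then
        echo "not affected: linux.ko / linux64.ko not loaded"
        return 0
    fi
    files=$(setugid_elf_files "$2")
    if [ -z "$files" ]; then
        echo "no setugid ELF files below $2 (other paths not scanned)"
        return 0
    fi
    echo "exposed until patched; setugid ELF files below $2:"
    printf '%s\n' "$files"
    return 1
}

# On a FreeBSD host, check the live system. The scan root defaults to
# /compat/linux (assumption) and can be overridden with the first argument.
if command -v kldstat >/dev/null 2>&1; then
    sa2630_exposure "$(kldstat)" "${1:-/compat/linux}"
fi
```

A clean result only covers the scanned root and the moment of the scan, so it narrows exposure but does not replace the upgrade in section V.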

From nobody Tue Jun  9 23:13:46 2026
X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8W11ZXz6gqSn
	for <freebsd-security-notifications@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:13:47 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8V5xyDz3Pd0;
	Tue, 09 Jun 2026 23:13:46 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id B2FCA1FB6E; Tue, 09 Jun 2026 23:13:46 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:31.arm64
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231346.B2FCA1FB6E@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:46 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
List-Help: <mailto:security-notifications+help@freebsd.org>
List-Post: <mailto:security-notifications@freebsd.org>
List-Subscribe: <mailto:security-notifications+subscribe@freebsd.org>
List-Unsubscribe: <mailto:security-notifications+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org
List-Id: <freebsd-security-notifications.FreeBSD.org>
List-Post: <mailto:freebsd-security-notifications@FreeBSD.org>
List-Help: <mailto:freebsd-security-notifications+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security-notifications+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security-notifications+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:31.arm64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Arm CPU errata may bypass page table permission changes

Category:       core
Module:         arm64
Announced:      2026-06-09
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:34 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:12 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:50 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:51 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:12 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:41 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2025-10263

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Page tables control the translation of virtual addresses to physical
addresses and the access permissions on those addresses.  On Arm CPUs, when
page table permissions are updated, a TLB Invalidate (TLBI) instruction
followed by a Data Synchronization Barrier (DSB) must be issued to ensure
subsequent accesses observe the new permissions.

II.  Problem Description

Some Arm CPUs have errata where the ordering of stores and the TLBI+DSB
sequence may be incorrect.  If one CPU stores to a virtual address while
another CPU invalidates the translation for that address, the second CPU's
TLBI+DSB may complete before the first CPU's store has been globally
observed.

III. Impact

This erratum may allow software to write to a previously writable location
after the page table is modified to forbid writes to that location.
Consequently this may allow software to write to memory owned by a higher
exception level, possibly allowing software to escalate privilege to that
higher exception level.

IV.  Workaround

No workaround is available.  The following ARM CPU models are affected:

C1-Premium
C1-Ultra
Cortex-A76
Cortex-A76AE
Cortex-A77
Cortex-A78
Cortex-A78AE
Cortex-A78C
Cortex-A710
Cortex-X1
Cortex-X1C
Cortex-X2
Cortex-X3
Cortex-X4
Cortex-X925
Neoverse-N1
Neoverse-N2
Neoverse-V1
Neoverse-V2
Neoverse-V3
Neoverse-V3AE

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-15.patch.asc
# gpg --verify arm64-15.patch.asc

[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.4.patch.asc
# gpg --verify arm64-14.4.patch.asc

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.3.patch.asc
# gpg --verify arm64-14.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              9d9d6c6e6081    stable/15-n283887
releng/15.1/                            81435fc0882c  releng/15.1-n283556
releng/15.0/                            a53619675cdc  releng/15.0-n281058
stable/14/                              e99aa8682dba    stable/14-n274316
releng/14.4/                            889e306ded21  releng/14.4-n273720
releng/14.3/                            61d0cea4c00f  releng/14.3-n271520
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2025-10263>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:31.arm64.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From nobody Tue Jun  9 23:13:51 2026
X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8c41z1z6gqcH
	for <freebsd-security-notifications@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:13:52 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8b6vhxz3PvF;
	Tue, 09 Jun 2026 23:13:51 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id CA1F51FC5D; Tue, 09 Jun 2026 23:13:51 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:32.elf
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231351.CA1F51FC5D@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:51 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:32.elf                                        Security Advisory
                                                          The FreeBSD Project

Topic:          ASLR bypass for setuid executables via procctl(2)

Category:       core
Module:         kernel
Announced:      2026-06-09
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:35 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:13 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:51 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:53 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:13 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:43 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-49414

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Address Space Layout Randomization (ASLR) randomizes the base addresses
of executable images and shared libraries in a process's address space.
FreeBSD enables ASLR by default for Position-Independent Executables
(PIEs).

The procctl(2) system call allows a process to set per-process ASLR
preferences, including force-disabling randomization.  When a setuid or
setgid binary is executed, the kernel is expected to ignore any such
user-set preferences if they come from an unprivileged user.

II.  Problem Description

The ELF image activator cleared per-process ASLR preference flags for
setuid binaries after the code that computes the PIE base address,
rather than before.  As a result, a user-requested ASLR disable was
still in effect at the point where the base address was chosen.

III. Impact

An unprivileged local user can disable ASLR for a setuid PIE binary by
calling procctl(2) before execve(2).  This makes exploitation of any
separate memory corruption vulnerability in that binary significantly
easier.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-15.patch.asc
# gpg --verify elf-15.patch.asc

[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.4.patch.asc
# gpg --verify elf-14.4.patch.asc

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.3.patch.asc
# gpg --verify elf-14.3.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              e1cdc49846c1    stable/15-n283888
releng/15.1/                            796579bcfbc4  releng/15.1-n283557
releng/15.0/                            6e51dfc401e7  releng/15.0-n281059
stable/14/                              e417948e6139    stable/14-n274317
releng/14.4/                            547fc2a98a24  releng/14.4-n273721
releng/14.3/                            744f62ccbf82  releng/14.3-n271521
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49414>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:32.elf.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
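
The ordering defect described in FreeBSD-SA-26:32 above, as a simplified user-space model added here for illustration. It is not FreeBSD kernel code and not part of the advisory; every name in it (struct proc_model, PREF_ASLR_DISABLE, activate_vulnerable, activate_fixed, FIXED_PIE_BASE and the address values) is hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical per-process ASLR preference bits, standing in for the
 * preferences the advisory says procctl(2) can set. */
#define PREF_ASLR_ENABLE   0x1u
#define PREF_ASLR_DISABLE  0x2u

/* Constructed values: the base used when randomization is off, and a page size. */
#define FIXED_PIE_BASE   UINT64_C(0x0000000001000000)
#define MODEL_PAGE_SIZE  UINT64_C(0x1000)

struct proc_model {
    unsigned aslr_prefs;        /* survives execve(2), set by the caller */
    bool     caller_privileged; /* was the preference set by a privileged user? */
};

struct image_model {
    bool is_pie;    /* position-independent executable */
    bool is_setuid; /* credentials change on exec */
};

/* Deterministic xorshift64 stand-in for the kernel's random source, so the
 * result is repeatable. The state must be non-zero. */
static uint64_t model_random(uint64_t *state)
{
    uint64_t x = *state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    *state = x;
    return x;
}

/* Consumer of the preference: picks the load base for the image. */
static uint64_t choose_pie_base(const struct proc_model *p,
                                const struct image_model *img, uint64_t *rng)
{
    if (!img->is_pie || (p->aslr_prefs & PREF_ASLR_DISABLE) != 0)
        return FIXED_PIE_BASE;
    /* Page-aligned offset of 1..2^20 pages; never zero, so a randomized
     * base is always distinguishable from FIXED_PIE_BASE in this model. */
    return FIXED_PIE_BASE + ((model_random(rng) & 0xFFFFF) + 1) * MODEL_PAGE_SIZE;
}

/* Sanitizer: preferences from an unprivileged caller must not apply to a
 * setuid/setgid image. */
static void drop_untrusted_prefs(struct proc_model *p,
                                 const struct image_model *img)
{
    if (img->is_setuid && !p->caller_privileged)
        p->aslr_prefs &= ~(PREF_ASLR_ENABLE | PREF_ASLR_DISABLE);
}

/* Order described in the Problem Description: the base is chosen while the
 * caller's preference is still set, and the flags are cleared afterwards. */
uint64_t activate_vulnerable(struct proc_model *p,
                             const struct image_model *img, uint64_t *rng)
{
    uint64_t base = choose_pie_base(p, img, rng);
    drop_untrusted_prefs(p, img); /* too late: base already decided */
    return base;
}

/* Corrected order: sanitize first, then let the consumer read the flags. */
uint64_t activate_fixed(struct proc_model *p,
                        const struct image_model *img, uint64_t *rng)
{
    drop_untrusted_prefs(p, img);
    return choose_pie_base(p, img, rng);
}

int main(void)
{
    const struct image_model suid_pie = { true, true };
    uint64_t rng = UINT64_C(0x9E3779B97F4A7C15);

    struct proc_model a = { PREF_ASLR_DISABLE, false };
    uint64_t vuln = activate_vulnerable(&a, &suid_pie, &rng);

    struct proc_model b = { PREF_ASLR_DISABLE, false };
    uint64_t fixed = activate_fixed(&b, &suid_pie, &rng);

    printf("vulnerable order: base=%#llx randomized=%s prefs_after=%#x\n",
           (unsigned long long)vuln, vuln != FIXED_PIE_BASE ? "yes" : "no",
           a.aslr_prefs);
    printf("fixed order:      base=%#llx randomized=%s prefs_after=%#x\n",
           (unsigned long long)fixed, fixed != FIXED_PIE_BASE ? "yes" : "no",
           b.aslr_prefs);
    return 0;
}
```

In both orderings the preference bits read as cleared once activation returns, so inspecting the flags after exec cannot tell the two apart; only the chosen base address shows which order ran.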

From nobody Tue Jun  9 23:13:56 2026
X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8h5LwSz6gqhw
	for <freebsd-security-notifications@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:13:56 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8h1ZsVz3Pvq;
	Tue, 09 Jun 2026 23:13:56 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id 217461FB70; Tue, 09 Jun 2026 23:13:56 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:33.unbound
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231356.217461FB70@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:56 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:33.unbound                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in unbound

Category:       contrib
Module:         unbound
Announced:      2026-06-09
Affects:        All supported versions of FreeBSD
Corrected:      2026-05-26 16:48:51 UTC (stable/15, 15.1-STABLE)
                2026-05-28 22:16:07 UTC (releng/15.1, 15.1-RC2)
                2026-06-09 19:19:52 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-05-26 16:49:56 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:14 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:44 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-32792, CVE-2026-33278, CVE-2026-40622,
                CVE-2026-41292, CVE-2026-42534, CVE-2026-42923,
                CVE-2026-42944, CVE-2026-42959, CVE-2026-42960,
                CVE-2026-44390, CVE-2026-44608

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Unbound is a validating, recursive, and caching DNS resolver
included in the FreeBSD base system as an optional service called
local_unbound.

II.  Problem Description

Multiple vulnerabilities have been reported in Unbound.  Instead of
listing detailed writeups for each issue, please see the upstream
advisories referenced below.

  CVE-2026-33278 - Possible remote code execution during DNSSEC
    validation
  CVE-2026-42944 - Heap overflow and crash with multiple nsid,
    cookie, padding EDNS options
  CVE-2026-42959 - Crash during DNSSEC validation of malicious
    content
  CVE-2026-32792 - Packet of death with DNSCrypt
  CVE-2026-44608 - Use-after-free and crash in RPZ code
  CVE-2026-40622 - "Ghost domain name" variant
  CVE-2026-42960 - Possible cache poisoning while following
    delegation
  CVE-2026-41292 - Parsing a long list of incoming EDNS options
    degrades performance
  CVE-2026-42534 - Jostle logic bypass degrades resolution
    performance
  CVE-2026-42923 - Degradation of service with unbounded NSEC3 hash
    calculations
  CVE-2026-44390 - Unbounded name compression causes degradation of
    service

III. Impact

The issues range from Denial of Service (DoS) through resource exhaustion or
crashes to possible remote code execution during DNSSEC validation.  See the
upstream Unbound advisories for specific details.

IV.  Workaround

No workaround is available.  Systems not running the local_unbound service
are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and restart the local_unbound service.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:33/unbound.patch
# fetch https://security.FreeBSD.org/patches/SA-26:33/unbound.patch.asc
# gpg --verify unbound.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              d2a10ff4cb84    stable/15-n283689
releng/15.1/                            1b6c85cfac36  releng/15.1-n283539
releng/15.0/                            6160bd311a1b  releng/15.0-n281060
stable/14/                              de9d7a2ab8f5    stable/14-n274187
releng/14.4/                            857abc12945a  releng/14.4-n273722
releng/14.3/                            a68c183e0ad2  releng/14.3-n271522
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-32792>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-33278>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-40622>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-41292>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42534>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42923>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42944>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42959>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42960>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-44390>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-44608>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:33.unbound.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From nobody Tue Jun  9 23:14:01 2026
X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8n5DGHz6gqgP
	for <freebsd-security-notifications@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:14:01 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8n1X4qz3QHD;
	Tue, 09 Jun 2026 23:14:01 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id 28A7D1FC63; Tue, 09 Jun 2026 23:14:01 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:34.vt
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231401.28A7D1FC63@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:14:01 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:34.vt                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Integer overflow in vt(4) CONS_HISTORY ioctl

Category:       core
Module:         vt
Announced:      2026-06-09
Credits:        Ed Maste
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-07 17:10:53 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:14 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:53 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-07 17:12:28 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:15 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:45 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-49416

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

vt(4) is FreeBSD's default system console driver.  It provides virtual
terminals on the physical console, including a scrollback history buffer.
The CONS_HISTORY ioctl(2) allows a user to resize the scrollback history of
a virtual terminal.

II.  Problem Description

The CONS_HISTORY ioctl handler did not adequately validate the requested
history size.  A large value caused an integer overflow in the buffer size
calculation, resulting in a heap allocation smaller than expected.
Subsequent initialization of the buffer wrote beyond the end of the
allocation.

III. Impact

An unprivileged local user with access to a vt(4) device can trigger an
out-of-bounds write in the kernel, potentially escalating privileges.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:34/vt.patch
# fetch https://security.FreeBSD.org/patches/SA-26:34/vt.patch.asc
# gpg --verify vt.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              deaaddf1d3c4    stable/15-n283854
releng/15.1/                            8ed11b21e544  releng/15.1-n283558
releng/15.0/                            f4cf977dfe92  releng/15.0-n281061
stable/14/                              b5a4f4bfbc95    stable/14-n274300
releng/14.4/                            799e830134d5  releng/14.4-n273723
releng/14.3/                            9cba21c2de16  releng/14.3-n271523
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49416>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:34.vt.asc>
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
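
Added example, not part of the advisory and not vt(4) source: the size-calculation flaw described in section II of FreeBSD-SA-26:34.vt, modelled in C beside a bounded, overflow-checked form. The cell type, the row cap, the function names and the oversized request are hypothetical or constructed; `__builtin_mul_overflow` is a GCC/Clang builtin.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t cell_t;                 /* hypothetical history cell */
enum { HISTORY_MAX_ROWS = 65536 };       /* hypothetical sanity cap on the request */

/* Flawed pattern: the product is computed in 32 bits and silently wraps,
 * so a huge request yields a tiny allocation size. */
uint32_t history_bytes_unchecked(uint32_t rows, uint32_t cols)
{
    return rows * cols * (uint32_t)sizeof(cell_t);
}

/* Hardened pattern: bound the request first, then multiply with overflow
 * detection. Returns 0 when the request must be rejected. */
size_t history_bytes_checked(uint32_t rows, uint32_t cols)
{
    size_t cells, bytes;

    if (rows == 0 || cols == 0 || rows > HISTORY_MAX_ROWS)
        return 0;
    if (__builtin_mul_overflow((size_t)rows, (size_t)cols, &cells) ||
        __builtin_mul_overflow(cells, sizeof(cell_t), &bytes))
        return 0;
    return bytes;
}

/* Allocate and initialise a history buffer; the initialisation loop is
 * bounded by the validated size, never by the raw request. */
cell_t *history_alloc(uint32_t rows, uint32_t cols)
{
    size_t bytes = history_bytes_checked(rows, cols);
    cell_t *buf = bytes != 0 ? malloc(bytes) : NULL;

    if (buf == NULL)
        return NULL;
    for (size_t i = 0; i < bytes / sizeof(cell_t); i++)
        buf[i] = 0x20;                   /* blank cell */
    return buf;
}

int main(void)
{
    uint32_t rows = 13421773, cols = 80; /* constructed oversized request */

    printf("needed %llu bytes, unchecked size %u, checked size %zu\n",
        (unsigned long long)rows * cols * sizeof(cell_t),
        (unsigned)history_bytes_unchecked(rows, cols),
        history_bytes_checked(rows, cols));
    return 0;
}
```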

From nobody Tue Jun  9 23:14:07 2026
X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8w0ZHZz6gqmf
	for <freebsd-security-notifications@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:14:08 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8v48Djz3QD4;
	Tue, 09 Jun 2026 23:14:07 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id 7A6561FA7A; Tue, 09 Jun 2026 23:14:07 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:35.openssl
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231407.7A6561FA7A@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:14:07 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
List-Help: <mailto:security-notifications+help@freebsd.org>
List-Post: <mailto:security-notifications@freebsd.org>
List-Subscribe: <mailto:security-notifications+subscribe@freebsd.org>
List-Unsubscribe: <mailto:security-notifications+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org
List-Id: <freebsd-security-notifications.FreeBSD.org>
List-Post: <mailto:freebsd-security-notifications@FreeBSD.org>
List-Help: <mailto:freebsd-security-notifications+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security-notifications+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security-notifications+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:35.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in OpenSSL

Category:       contrib
Module:         openssl
Announced:      2026-06-09
Credits:        See linked vendor advisory in References section
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-09 19:17:36 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:15 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:54 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:54 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:16 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:46 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-7383, CVE-2026-9076, CVE-2026-34180,
                CVE-2026-34181, CVE-2026-34182, CVE-2026-34183,
                CVE-2026-42764, CVE-2026-42766, CVE-2026-42767,
                CVE-2026-42768, CVE-2026-42769, CVE-2026-42770,
                CVE-2026-45445, CVE-2026-45446, CVE-2026-45447

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) protocol.  It is
also a general-purpose cryptography library.

II.  Problem Description

Multiple issues have been reported as part of this advisory with different
issues affecting different OpenSSL versions and therefore different FreeBSD
versions.  Instead of exhaustively listing detailed writeups for each issue,
please see the referenced advisory from OpenSSL.

Issues affecting FreeBSD 15.x (OpenSSL 3.5):
  CVE-2026-7383  - Possible heap buffer overflow in ASN.1 string conversion
  CVE-2026-9076  - Out-of-bounds read in CMS password-based decryption
  CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing
  CVE-2026-34181 - PKCS#12 files with PBMAC1 accepted with short HMAC keys
  CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages
  CVE-2026-34183 - Unbounded memory growth in the QUIC PATH_CHALLENGE handler
  CVE-2026-42764 - NULL dereference in QUIC server initial packet handling
  CVE-2026-42766 - Possible NULL dereference in password-based CMS decryption
  CVE-2026-42767 - NULL dereference in CRMF EncryptedValue decryption
  CVE-2026-42768 - Bleichenbacher oracle in CMS_decrypt() and PKCS7_decrypt()
  CVE-2026-42769 - Trust-anchor substitution in CMP rootCaKeyUpdate handling
  CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q
  CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path
  CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes
  CVE-2026-45447 - Heap use-after-free in PKCS7_verify()

Issues affecting FreeBSD 14.x (OpenSSL 3.0):
  CVE-2026-7383  - Possible heap buffer overflow in ASN.1 string conversion
  CVE-2026-9076  - Out-of-bounds read in CMS password-based decryption
  CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing
  CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages
  CVE-2026-42766 - Possible NULL dereference in password-based CMS decryption
  CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q
  CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path
  CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes
  CVE-2026-45447 - Heap use-after-free in PKCS7_verify()

III. Impact

The issues include heap buffer overflows and over-reads, NULL pointer
dereferences, a use-after-free, unbounded memory allocation, and several
cryptographic flaws permitting message forgery, integrity bypass, or
recovery of a private key.

Security impact ranges from a Denial of Service to a potential remote code
execution.  See the OpenSSL advisory for specific details.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch.asc
# gpg --verify openssl-15.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch.asc
# gpg --verify openssl-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              865c8ff56693    stable/15-n283889
releng/15.1/                            083bb80a125a  releng/15.1-n283559
releng/15.0/                            0d6ccbb7524f  releng/15.0-n281062
stable/14/                              ec6bfa889b83    stable/14-n274318
releng/14.4/                            1929d9e173e5  releng/14.4-n273724
releng/14.3/                            dd3096b4efe6  releng/14.3-n271524
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://openssl-library.org/news/secadv/20260609.txt>

<URL:https://www.cve.org/CVERecord?id=CVE-2026-7383>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-9076>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-34180>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-34181>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-34182>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-34183>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42764>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42766>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42767>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42768>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42769>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42770>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-45445>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-45446>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-45447>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:35.openssl.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

From nobody Tue Jun  9 23:14:11 2026
X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl903WMZz6gqyC
	for <freebsd-security-notifications@mlmmj.nyi.freebsd.org>; Tue, 09 Jun 2026 23:14:12 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "freefall.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8z4PLBz3QJl;
	Tue, 09 Jun 2026 23:14:11 +0000 (UTC)
	(envelope-from security-advisories@freebsd.org)
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
Received: by freefall.freebsd.org (Postfix, from userid 945)
	id 5A3D21FC64; Tue, 09 Jun 2026 23:14:11 +0000 (UTC)
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-26:36.ldns
Reply-To: freebsd-security@freebsd.org
Precedence: bulk
Message-Id: <20260609231411.5A3D21FC64@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:14:11 +0000 (UTC)
List-Id: Moderated Security Notifications [moderated, low volume] <freebsd-security-notifications.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications
List-Help: <mailto:security-notifications+help@freebsd.org>
List-Post: <mailto:security-notifications@freebsd.org>
List-Subscribe: <mailto:security-notifications+subscribe@freebsd.org>
List-Unsubscribe: <mailto:security-notifications+unsubscribe@freebsd.org>
X-BeenThere: freebsd-security-notifications@freebsd.org
Sender: owner-freebsd-security-notifications@FreeBSD.org
List-Id: <freebsd-security-notifications.FreeBSD.org>
List-Post: <mailto:freebsd-security-notifications@FreeBSD.org>
List-Help: <mailto:freebsd-security-notifications+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-security-notifications+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-security-notifications+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:36.ldns                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient response validation in the ldns stub resolver

Category:       contrib
Module:         ldns
Announced:      2026-06-09
Credits:        Pablo Ruiz from 'codecome.ai'
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-09 19:17:37 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:16 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:55 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:55 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:17 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:47 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-10846

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes the ldns library from NLnet Labs, which provides DNS
functionality for programs, including stub resolver support.  Several
base system tools are built on ldns, among them drill(1), host(1), and
ssh(1) (for the VerifyHostKeyDNS feature).

II.  Problem Description

When used as a stub resolver over UDP, ldns failed to verify that a
received response belonged to the outstanding query.  It did not check
that the response source address and port matched the query
destination, that the transaction ID matched, or that the question
section of the response matched that of the query.

III. Impact

Without these checks, an off-path attacker who cannot observe the query
can forge UDP responses that ldns will accept as genuine.  By injecting
spoofed replies, the attacker can return arbitrary DNS data to any
program that uses ldns for stub resolving, including drill(1).

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:36/ldns.patch
# fetch https://security.FreeBSD.org/patches/SA-26:36/ldns.patch.asc
# gpg --verify ldns.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              20bfab98f8ae    stable/15-n283890
releng/15.1/                            157d99d7ec9b  releng/15.1-n283560
releng/15.0/                            fbb19baa29ce  releng/15.0-n281063
stable/14/                              5719a342555b    stable/14-n274319
releng/14.4/                            410ab2bff36f  releng/14.4-n273725
releng/14.3/                            f61d7fc2ba85  releng/14.3-n271525
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-10846>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:36.ldns.asc>
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
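
Added example, not part of the advisory and not the ldns patch: the three checks listed in section II of FreeBSD-SA-26:36.ldns (source address and port, transaction ID, question section), written as a stand-alone C validator for IPv4 UDP replies. All names, the QR-bit sanity check, the case-insensitive name comparison and the sample query (example.org, ID 0x1a2b, resolver 192.0.2.53:53) are constructed assumptions.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

enum { HDR = 12, MSG_MAX = 512 };   /* DNS header length; demo buffer size */
enum verdict { RESP_OK, RESP_BAD_PEER, RESP_MALFORMED, RESP_BAD_ID, RESP_BAD_QUESTION };

/* Question length (QNAME+QTYPE+QCLASS); 0 if QDCOUNT != 1, compressed or truncated. */
static size_t question_len(const uint8_t *m, size_t len)
{
    if (len < HDR || m[4] != 0 || m[5] != 1)
        return 0;
    for (size_t off = HDR; off < len; off += 1 + (size_t)m[off]) {
        if (m[off] == 0)
            return off + 5 <= len ? off + 5 - HDR : 0;
        if (m[off] > 63)            /* compression pointer or reserved label type */
            return 0;
    }
    return 0;
}

static int fold(uint8_t c) { return (c >= 'A' && c <= 'Z') ? c + 32 : c; }
static int same_question(const uint8_t *q, size_t qlen, const uint8_t *r, size_t rlen)
{
    size_t n = question_len(q, qlen);
    if (n == 0 || n != question_len(r, rlen))
        return 0;
    for (size_t i = HDR; i < HDR + n - 4; i++)      /* QNAME: case-insensitive (assumption) */
        if (fold(q[i]) != fold(r[i]))
            return 0;
    return memcmp(q + HDR + n - 4, r + HDR + n - 4, 4) == 0;   /* QTYPE and QCLASS */
}

enum verdict check_response(const uint8_t *q, size_t qlen, const struct sockaddr_in *to,
                            const uint8_t *r, size_t rlen, const struct sockaddr_in *from)
{
    if (from->sin_addr.s_addr != to->sin_addr.s_addr || from->sin_port != to->sin_port)
        return RESP_BAD_PEER;       /* 1. source address/port != query destination */
    if (qlen < HDR || rlen < HDR || !(r[2] & 0x80))
        return RESP_MALFORMED;      /* short message or QR bit clear (extra sanity check) */
    if (memcmp(q, r, 2) != 0)
        return RESP_BAD_ID;         /* 2. transaction ID mismatch */
    if (!same_question(q, qlen, r, rlen))
        return RESP_BAD_QUESTION;   /* 3. question section mismatch */
    return RESP_OK;
}

/* Constructed sample builder: header plus one A/IN question for a dotted name. */
static size_t build_msg(uint8_t *out, uint16_t id, uint8_t flags_hi, const char *name)
{
    size_t off = HDR;
    memset(out, 0, HDR);
    out[0] = (uint8_t)(id >> 8); out[1] = (uint8_t)id; out[2] = flags_hi; out[5] = 1;
    for (size_t l = 0; *name; name += l + (name[l] == '.')) {
        l = strcspn(name, ".");
        if (l == 0 || l > 63 || off + l + 6 > MSG_MAX)
            return 0;
        out[off++] = (uint8_t)l;
        memcpy(out + off, name, l);
        off += l;
    }
    memcpy(out + off, "\0\0\1\0\1", 5);     /* root label, QTYPE A, QCLASS IN */
    return off + 5;
}

/* Constructed scenario: query for example.org, ID 0x1a2b, sent to 192.0.2.53:53. */
enum verdict demo(uint16_t resp_id, const char *resp_name, const char *src_ip, uint16_t src_port)
{
    uint8_t q[MSG_MAX], r[MSG_MAX];
    struct sockaddr_in to = { .sin_family = AF_INET, .sin_port = htons(53) };
    struct sockaddr_in from = { .sin_family = AF_INET, .sin_port = htons(src_port) };
    inet_pton(AF_INET, "192.0.2.53", &to.sin_addr);
    inet_pton(AF_INET, src_ip, &from.sin_addr);
    size_t qlen = build_msg(q, 0x1a2b, 0x01, "example.org");
    return check_response(q, qlen, &to, r, build_msg(r, resp_id, 0x81, resp_name), &from);
}

int main(void) { return demo(0x1a2b, "example.org", "192.0.2.53", 53) != RESP_OK; }
```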

