From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:04.jail
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260224163752.3342911CE9@freefall.freebsd.org>
Date: Tue, 24 Feb 2026 16:37:52 +0000 (-00)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-26:04.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Jail chroot escape via fd exchange with a different jail

Category:       core
Module:         jail
Announced:      2026-02-24
Affects:        FreeBSD 14.3 and 13.5.
Corrected:      2025-07-29 12:49:03 UTC (stable/14, 14.3-STABLE)
                2026-02-24 16:01:32 UTC (releng/14.3, 14.3-RELEASE-p9)
                2026-02-09 20:44:00 UTC (stable/13, 13.4-STABLE)
                2026-02-24 16:04:42 UTC (releng/13.5, 13.5-RELEASE-p10)
CVE Name:       CVE-2025-15576

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Jails are an operating system virtualization technology which allows
administrators to confine processes within an environment with limited
ability to affect the system outside of that environment.  In particular,
jailed processes typically have their filesystem access restricted by a
chroot-like mechanism.

nullfs(4) is a pseudo-filesystem which allows a directory to be mounted at
another point in the filesystem hierarchy.

Unix domain sockets are a mechanism for interprocess communication.  They
behave similarly to Internet sockets but are identified by names in the
local filesystem.  Unix domain sockets allow processes to exchange file
descriptors using control messages.

II.  Problem Description

If two sibling jails are restricted to separate filesystem trees, which is
to say that neither of the two jail root directories is an ancestor of the
other, jailed processes may nonetheless be able to access a shared
directory via a nullfs mount, if the administrator has configured one.

In this case, cooperating processes in the two jails may establish a
connection using a unix domain socket and exchange directory descriptors
with each other.

When performing a filesystem name lookup, at each step of the lookup, the
kernel checks whether the lookup would descend below the jail root of the
current process.  If the jail root directory is not encountered, the
lookup continues.

III. Impact

In a configuration where processes in two different jails are able to
exchange file descriptors using a unix domain socket, it is possible for a
jailed process to receive a descriptor for a directory that is below that
process' jail root.  This enables full filesystem access for a jailed
process, breaking the chroot.

Note that the system administrator is still responsible for ensuring that
an unprivileged user on the jail host is not able to pass directory
descriptors to a jailed process, even in a patched kernel.

IV.  Workaround

No workaround is available.

Note that in order to exploit this problem, an attacker requires control
over processes in two jails which share a nullfs mount in which a unix
socket can be installed.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from binary distribution
sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, which were not installed
using base system packages, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-14.patch.asc
# gpg --verify jail-14.patch.asc

[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-13.patch
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-13.patch.asc
# gpg --verify jail-13.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              3ad3ab5f9b6e    stable/14-n272076
releng/14.3/                            fbc35b3e6615  releng/14.3-n271471
stable/13/                              73530e4c2ea9    stable/13-n259752
releng/13.5/                            e6b96891ef7c  releng/13.5-n259202
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
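An added example for FreeBSD-SA-26:04.jail (not part of the advisory or of FreeBSD's code): the Workaround note says exploitation needs two jails that share a nullfs mount, so a host-side audit can list the mount points that meet that condition. `struct mnt`, `shared_nullfs` and the sample table are hypothetical and constructed; on a real host the rows would come from getmntinfo(3) and the roots from the jail configuration.

```c
#include <stdio.h>
#include <string.h>

/* One mount-table row; getmntinfo(3) supplies these strings on FreeBSD. */
struct mnt { const char *fstype, *from, *on; };

/* True if path is dir itself or lies beneath it (whole components only). */
static int inside(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    return !strncmp(path, dir, n) && (path[n] == '\0' || path[n] == '/');
}

/* Index of the jail root containing this nullfs mount point, or -1. */
static int jail_of(const struct mnt *m, const char *const *roots, size_t n)
{
    for (size_t i = 0; !strcmp(m->fstype, "nullfs") && i < n; i++)
        if (inside(m->on, roots[i])) return (int)i;
    return -1;
}

/* Stores in out[] (at most cap) every jail-side nullfs mount point whose
 * source overlaps a nullfs source in a different jail; returns the count. */
size_t shared_nullfs(const struct mnt *m, size_t nm, const char *const *roots,
                     size_t nroots, const char **out, size_t cap)
{
    size_t found = 0;
    for (size_t i = 0; i < nm; i++) {
        int ji = jail_of(&m[i], roots, nroots), hit = 0;
        for (size_t j = 0; ji >= 0 && j < nm && !hit; j++) {
            int jj = jail_of(&m[j], roots, nroots);
            hit = jj >= 0 && jj != ji && (inside(m[j].from, m[i].from) ||
                                          inside(m[i].from, m[j].from));
        }
        /* Count every hit; store it only while out[] has room. */
        if (hit && found++ < cap) out[found - 1] = m[i].on;
    }
    return found;
}

/* Constructed sample: jails a and b both mount /data/shared. */
static const char *const sample_roots[] = { "/jails/a", "/jails/b" };
static const struct mnt sample_mounts[] = {
    { "nullfs", "/data/shared", "/jails/a/mnt/shared" },
    { "nullfs", "/data/priv",   "/jails/a/mnt/priv" },
    { "nullfs", "/data/shared", "/jails/b/mnt/shared" },
    { "nullfs", "/data/priv",   "/jails/abc/mnt/priv" }, /* not under /jails/a */
};
static const char *sample_hits[4];

int main(void)
{
    size_t n = shared_nullfs(sample_mounts, 4, sample_roots, 2, sample_hits, 4);
    for (size_t i = 0; i < n && i < 4; i++) puts(sample_hits[i]);
    return 0;
}
```

Read-only mount flags and nested jails are not modelled; a listed mount point is a candidate for review, not proof of exposure.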
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:05.route
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260224163755.3CB1A11DE1@freefall.freebsd.org>
Date: Tue, 24 Feb 2026 16:37:55 +0000 (-00)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-26:05.route                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Local DoS and possible privilege escalation via routing sockets

Category:       core
Module:         route
Announced:      2026-02-24
Credits:        Adam Crosser of the Praetorian Labs team
Affects:        All supported versions of FreeBSD.
Corrected:      2026-02-24 16:00:26 UTC (stable/15, 15.0-STABLE)
                2026-02-24 16:00:39 UTC (releng/15.0, 15.0-RELEASE-p4)
                2026-02-24 16:00:56 UTC (stable/14, 14.4-STABLE)
                2026-02-24 16:02:31 UTC (releng/14.4, 14.4-RC1)
                2026-02-24 16:01:35 UTC (releng/14.3, 14.3-RELEASE-p9)
                2026-02-24 16:03:17 UTC (stable/13, 13.5-STABLE)
                2026-02-24 16:04:45 UTC (releng/13.5, 13.5-RELEASE-p10)
CVE Name:       CVE-2026-3038

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The routing socket interface, route(4), lets users query the state of the
kernel's routing tables.
Most routing socket operations require root privileges, but unprivileged
users may send RTM_GET messages to obtain information about routing table
entries.

II.  Problem Description

The rtsock_msg_buffer() function serializes routing information into a
buffer.  As a part of this, it copies sockaddr structures into a
sockaddr_storage structure on the stack.  It assumes that the source
sockaddr length field had already been validated, but this is not
necessarily the case, and it's possible for a malicious userspace program
to craft a request which triggers a 127-byte overflow.

In practice, this overflow immediately overwrites the canary for the
rtsock_msg_buffer() stack frame, resulting in a panic once the function
returns.

III. Impact

The bug allows an unprivileged user to crash the kernel by triggering a
stack buffer overflow in rtsock_msg_buffer().  In particular, the overflow
will corrupt a stack canary value that is verified when the function
returns; this mitigates the impact of the stack overflow by triggering a
kernel panic.

Other kernel bugs may exist which allow userspace to find the canary value
and thus defeat the mitigation, at which point local privilege escalation
may be possible.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution
sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, which were not installed
using base system packages, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:05/route.patch
# fetch https://security.FreeBSD.org/patches/SA-26:05/route.patch.asc
# gpg --verify route.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              df932377e7dd    stable/15-n282455
releng/15.0/                            5de6a55c70ba  releng/15.0-n281009
stable/14/                              1eb2beb3686c    stable/14-n273785
releng/14.4/                            7465d0b094b7  releng/14.4-n273667
releng/14.3/                            d521badafdaa  releng/14.3-n271474
stable/13/                              8b476ffc4ea3    stable/13-n259798
releng/13.5/                            c2e2bfbd9e09  releng/13.5-n259205
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
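An added example for FreeBSD-SA-26:05.route (not FreeBSD's rtsock code and not the committed fix): the length validation that the Problem Description says was assumed, written as a userspace sketch. `ss_buf`, `overrun_if_trusted` and `copy_sockaddr_checked` are hypothetical names, the byte arrays are constructed, and the 128-byte size and one-byte `sa_len` are FreeBSD's definitions of `struct sockaddr_storage` and `struct sockaddr`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STORAGE_SIZE 128 /* sizeof(struct sockaddr_storage) on FreeBSD */

/* Stand-in for a struct sockaddr_storage on the stack (hypothetical name). */
struct ss_buf { uint8_t bytes[STORAGE_SIZE]; };

/* Bytes that an unchecked memcpy(&ss, sa, sa->sa_len) would write past the
 * destination. sa_len is a single byte, so the worst case is 255 - 128 = 127,
 * the overflow size the advisory gives. */
size_t overrun_if_trusted(uint8_t sa_len)
{
    return sa_len > STORAGE_SIZE ? (size_t)sa_len - STORAGE_SIZE : 0;
}

/* Copy one BSD-style sockaddr (byte 0 = sa_len, byte 1 = sa_family) from a
 * message with `avail` bytes remaining. Returns 0, or EINVAL if the claimed
 * length cannot be trusted. */
int copy_sockaddr_checked(struct ss_buf *dst, const uint8_t *src, size_t avail)
{
    if (avail < 2)
        return EINVAL;            /* no room for sa_len and sa_family */
    size_t len = src[0];          /* length claimed by the sender */
    if (len < 2 || len > avail)
        return EINVAL;            /* truncated header, or runs past the message */
    if (len > sizeof(dst->bytes))
        return EINVAL;            /* would overflow the destination */
    memset(dst, 0, sizeof(*dst)); /* leave no stale bytes after the address */
    memcpy(dst->bytes, src, len);
    return 0;
}

/* Constructed samples: a 16-byte AF_INET sockaddr, and one claiming 255 bytes. */
static const uint8_t sample_ok[16] = { 16, 2, 0, 0, 192, 0, 2, 1 };
static const uint8_t sample_bad[255] = { 255, 2 };
static struct ss_buf sample_dst;

int main(void)
{
    printf("sa_len=255 unchecked overrun: %zu bytes\n", overrun_if_trusted(255));
    printf("valid:      %d\n", copy_sockaddr_checked(&sample_dst, sample_ok, sizeof(sample_ok)));
    printf("sa_len=255: %d\n", copy_sockaddr_checked(&sample_dst, sample_bad, sizeof(sample_bad)));
    return 0;
}
```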