From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:06.tcp
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260326042745.133D812D0@freefall.freebsd.org>
Date: Thu, 26 Mar 2026 04:27:45 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-26:06.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          TCP: remotely exploitable DoS vector (mbuf leak)

Category:       core
Module:         tcp
Announced:      2026-03-26
Credits:        Michael Tuexen (Netflix)
Affects:        FreeBSD 14.x and FreeBSD 15.0
Corrected:      2026-03-26 01:25:22 UTC (stable/15, 15.0-STABLE)
                2026-03-26 01:11:18 UTC (releng/15.0, 15.0-RELEASE-p5)
                2026-03-26 01:28:46 UTC (stable/14, 14.4-STABLE)
                2026-03-26 01:14:54 UTC (releng/14.4, 14.4-RELEASE-p1)
                2026-03-26 01:16:00 UTC (releng/14.3, 14.3-RELEASE-p10)
CVE Name:       CVE-2026-4247

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The Transmission Control Protocol (TCP) is a connection-oriented transport
protocol which can be used as an upper layer of IP. When unexpected TCP
segments are received for an established TCP connection, so-called
"challenge ACK" segments may be sent back in response if certain criteria
are met. Challenge ACKs are rate limited to ensure the remote peer does not
waste too many CPU cycles or outbound bandwidth on the local peer if large
numbers of unexpected TCP segments are received.

The rate limiting is controlled by the net.inet.tcp.ack_war_timewindow and
net.inet.tcp.ack_war_cnt sysctls, which default to 1000 (milliseconds) and
5 respectively, i.e. challenge ACKs will be sent for the first 5 qualifying
TCP segments received within a 1s time period and the rest will be ignored.

The handling of challenge ACKs is common code in tcp_subr.c shared among
the different TCP stacks available in the system. This includes the FreeBSD
default, RACK and BBR stacks. There are differences in the behaviour of the
different stacks; e.g. the base FreeBSD stack sends challenge ACKs in
response to a larger set of unexpected packets.

II.  Problem Description

When a challenge ACK is to be sent, tcp_respond() constructs and sends the
challenge ACK and consumes the mbuf that is passed in. When no challenge ACK
should be sent, the function returns and leaks the mbuf.

III. Impact

If an attacker is either on path with an established TCP connection, or can
themselves establish a TCP connection, to an affected FreeBSD machine, they
can easily craft and send packets which meet the challenge ACK criteria and
cause the FreeBSD host to leak an mbuf for each crafted packet in excess of
the configured rate limit settings, i.e. with default settings, crafted
packets in excess of the first 5 sent within a 1s period will leak an mbuf.
Technically, off-path attackers can also exploit this problem by guessing the
IP addresses, TCP port numbers and in some cases the sequence numbers of
established connections and spoofing packets towards a FreeBSD machine, but
this is harder to do effectively.

IV.  Workaround

The mbuf leak can be mitigated by not rate limiting the sending of challenge
ACKs. This can be achieved with immediate effect by setting the
net.inet.tcp.ack_war_timewindow sysctl to 0:

sysctl net.inet.tcp.ack_war_timewindow=0

This mitigation does trade off the leaking of mbufs against the additional
CPU/resource cost associated with responding to all challenge ACK eligible
packets received for established TCP connections.

To make this change persistent across reboots, add it to /etc/sysctl.conf.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
reboot.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were not installed using base system packages, can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:06/tcp.patch
# fetch https://security.FreeBSD.org/patches/SA-26:06/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              1fddb5435315     stable/15-n282699
releng/15.0/                            de9e5d82581e   releng/15.0-n281011
stable/14/                              b45e7530ffb9     stable/14-n273839
releng/14.4/                            44dd8b58394b   releng/14.4-n273676
releng/14.3/                            a9cba5321021   releng/14.3-n271476
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
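The leak described in sections II through IV of SA-26:06, reduced to a model. This is stand-in code written for this example, not the kernel's tcp_subr.c: the mbuf pool, the per-connection state and both send paths are assumptions, while the window and count are the sysctl defaults the advisory states. It shows why every segment past the first ack_war_cnt in a window costs one mbuf, and why ack_war_timewindow=0 stops the loss.

```c
/*
 * Model of the challenge-ACK rate limiter and mbuf ownership rule from
 * FreeBSD-SA-26:06.  Stand-in code written for this example, not the
 * kernel's tcp_subr.c.  Window and count are the sysctl defaults the
 * advisory gives (1000 ms, 5); the mbuf pool is a fixed array.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ACK_WAR_TIMEWINDOW_MS 1000U  /* net.inet.tcp.ack_war_timewindow */
#define ACK_WAR_CNT           5U     /* net.inet.tcp.ack_war_cnt */
#define MBUF_POOL_SIZE        64     /* model pool; exhaustion is the DoS */

struct mbuf { uint8_t data[64]; };
static struct mbuf mbuf_pool[MBUF_POOL_SIZE];
static bool mbuf_in_use[MBUF_POOL_SIZE];

static struct mbuf *mbuf_get(void)
{
    for (size_t i = 0; i < MBUF_POOL_SIZE; i++)
        if (!mbuf_in_use[i]) { mbuf_in_use[i] = true; return &mbuf_pool[i]; }
    return NULL;                         /* pool exhausted */
}

static void mbuf_free(struct mbuf *m) { mbuf_in_use[m - mbuf_pool] = false; }

/* mbufs still held; after a run, this is the number leaked. */
static unsigned mbufs_in_use(void)
{
    unsigned n = 0;
    for (size_t i = 0; i < MBUF_POOL_SIZE; i++) n += mbuf_in_use[i];
    return n;
}

/* Per-connection rate-limit state (stand-in for the tcpcb fields). */
struct challenge_state { uint64_t window_end_ms; unsigned sent_in_window; };

/* May a challenge ACK go out at now_ms?  window_ms == 0 disables limiting. */
static bool challenge_ack_allowed(struct challenge_state *st, uint64_t now_ms,
                                  unsigned window_ms, unsigned max_cnt)
{
    if (window_ms == 0)
        return true;                     /* the advisory's workaround */
    if (now_ms >= st->window_end_ms) {   /* open a fresh window */
        st->window_end_ms = now_ms + window_ms;
        st->sent_in_window = 0;
    }
    if (st->sent_in_window < max_cnt) { st->sent_in_window++; return true; }
    return false;
}

/* Stand-in for tcp_respond(): builds the reply and always consumes m. */
static void tcp_respond_model(struct mbuf *m) { mbuf_free(m); }

/* Pre-fix shape: the rate-limited path returns without consuming m. */
static void send_challenge_ack_leaky(struct challenge_state *st, struct mbuf *m,
                                     uint64_t now_ms, unsigned window_ms,
                                     unsigned max_cnt)
{
    if (!challenge_ack_allowed(st, now_ms, window_ms, max_cnt))
        return;                          /* BUG: m is never freed */
    tcp_respond_model(m);
}

/* Corrected shape: m is consumed on every path. */
static void send_challenge_ack_fixed(struct challenge_state *st, struct mbuf *m,
                                     uint64_t now_ms, unsigned window_ms,
                                     unsigned max_cnt)
{
    if (!challenge_ack_allowed(st, now_ms, window_ms, max_cnt)) {
        mbuf_free(m);
        return;
    }
    tcp_respond_model(m);
}

/*
 * Deliver n unexpected segments inside one window and report how many mbufs
 * remain unreleased.  Returns (unsigned)-1 if the pool ran dry first.
 */
static unsigned simulate(bool fixed, unsigned n, unsigned window_ms,
                         unsigned max_cnt)
{
    struct challenge_state st = { 0, 0 };
    memset(mbuf_in_use, 0, sizeof mbuf_in_use);
    for (unsigned i = 0; i < n; i++) {
        struct mbuf *m = mbuf_get();
        if (m == NULL)
            return (unsigned)-1;
        uint64_t now_ms = 1 + i;         /* every arrival in the first window */
        if (fixed)
            send_challenge_ack_fixed(&st, m, now_ms, window_ms, max_cnt);
        else
            send_challenge_ack_leaky(&st, m, now_ms, window_ms, max_cnt);
    }
    return mbufs_in_use();
}
```

With the defaults, 20 segments in one window leave 15 mbufs unreleased on the pre-fix path and none on the corrected path or with the window set to 0.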
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:07.nvmf
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260326042753.607941508@freefall.freebsd.org>
Date: Thu, 26 Mar 2026 04:27:53 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security
=============================================================================
FreeBSD-SA-26:07.nvmf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote denial of service via null pointer dereference

Category:       core
Module:         nvmf
Announced:      2026-03-26
Credits:        Nikolay Denev
Affects:        FreeBSD 15.0
Corrected:      2026-03-25 01:29:47 UTC (stable/15, 15.0-STABLE)
                2026-03-26 01:11:19 UTC (releng/15.0, 15.0-RELEASE-p5)
CVE Name:       CVE-2026-4652

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The nvmf driver implements the kernel component of an NVMe over Fabrics
host. The CONNECT command is used to create connections (queue pairs) that
carry NVMe read/write commands over the network. For I/O queues, this is
commonly referred to as an I/O CONNECT.

II.  Problem Description

On a system exposing an NVMe/TCP target, a remote client can trigger a
kernel panic by sending a CONNECT command for an I/O queue with a bogus or
stale CNTLID.

III. Impact

An attacker with network access to the NVMe/TCP target can trigger an
unauthenticated Denial of Service condition on the affected machine.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
reboot.
Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were not installed using base system packages, can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:07/nvmf.patch
# fetch https://security.FreeBSD.org/patches/SA-26:07/nvmf.patch.asc
# gpg --verify nvmf.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              b1d32521747f     stable/15-n282694
releng/15.0/                            48766013063a   releng/15.0-n281012
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:08.rpcsec_gss
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260326042804.84FB7148B@freefall.freebsd.org>
Date: Thu, 26 Mar 2026 04:28:04 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-26:08.rpcsec_gss                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Remote code execution via RPCSEC_GSS packet validation

Category:       core
Module:         rpcsec_gss
Announced:      2026-03-26
Credits:        Nicholas Carlini using Claude, Anthropic
Affects:        All supported versions of FreeBSD.
Corrected:      2026-03-26 01:25:23 UTC (stable/15, 15.0-STABLE)
                2026-03-26 01:11:20 UTC (releng/15.0, 15.0-RELEASE-p5)
                2026-03-26 01:28:47 UTC (stable/14, 14.4-STABLE)
                2026-03-26 01:14:55 UTC (releng/14.4, 14.4-RELEASE-p1)
                2026-03-26 01:16:01 UTC (releng/14.3, 14.3-RELEASE-p10)
                2026-03-26 01:30:12 UTC (stable/13, 13.5-STABLE)
                2026-03-26 01:34:10 UTC (releng/13.5, 13.5-RELEASE-p11)
CVE Name:       CVE-2026-4747

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

Generic Security Services (GSS) is an API which lets applications establish
a private, authenticated communication channel with a server, such as an
NFS server.
RPCSEC_GSS is a module which enables the use of GSS with Sun RPC (rpc(3))
servers. It is implemented in the kernel by the kgssapi.ko kernel module,
and used by the NFS server to enable Kerberos-based authentication and
encryption of traffic between the server and clients. In userspace it is
implemented by the librpcsec_gss library.

II.  Problem Description

Each RPCSEC_GSS data packet is validated by a routine which checks a
signature in the packet. This routine copies a portion of the packet into a
stack buffer, but fails to ensure that the buffer is sufficiently large, so
a malicious client can trigger a stack overflow. Notably, this does not
require the client to authenticate itself first.

III. Impact

As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code
execution in the kernel is possible by an authenticated user that is able
to send packets to the kernel's NFS server while kgssapi.ko is loaded into
the kernel.

In userspace, applications which have librpcsec_gss loaded and run an RPC
server are vulnerable to remote code execution from any client able to send
them packets. We are not aware of any such applications in the FreeBSD base
system.

IV.  Workaround

No workaround is available. Kernels that do not have kgssapi.ko loaded are
not vulnerable. In userspace, any daemon linked with librpcsec_gss and
running an RPC server is vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, which were not installed
using base system packages, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch
# fetch https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch.asc
# gpg --verify rpcsec_gss.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel and the operating system as described in and and
reboot the system.
VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              1b00fdc1f3cd     stable/15-n282700
releng/15.0/                            4ec1b6213463   releng/15.0-n281013
stable/14/                              e5ed09ffd592     stable/14-n273840
releng/14.4/                            7ea03a4238e8   releng/14.4-n273677
releng/14.3/                            b6ce88ab9a5f   releng/14.3-n271477
stable/13/                              99ec7f9b9e48     stable/13-n259823
releng/13.5/                            c4f53a1adbd4   releng/13.5-n259207
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
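A model of the size check that section II of SA-26:08 describes as missing. This is example code, not the kgssapi.ko or librpcsec_gss source: it assumes, following RFC 2203, that the signed portion of a data packet is the RPC call header from xid through the credential, rebuilds that portion into a fixed stack buffer whose size (RPCHDR_BUF) is chosen for the model, and refuses before writing anything when the credential would not fit.

```c
/*
 * Model of the bounds check FreeBSD-SA-26:08 describes as missing from the
 * RPCSEC_GSS packet validator.  Example code, not the kgssapi.ko or
 * librpcsec_gss implementation.  Assumptions: the signed region is the RPC
 * call header from xid through the credential (RFC 2203), and the stack
 * buffer it is rebuilt in holds RPCHDR_BUF bytes (a size chosen for the model).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RPCHDR_BUF     128   /* assumed fixed stack buffer size */
#define MAX_AUTH_BYTES 400   /* largest RPC credential body (RFC 5531) */

/* Parsed RPC call header plus the opaque credential that follows it. */
struct rpc_call_hdr {
    uint32_t xid, mtype, rpcvers, prog, vers, proc;
    uint32_t cred_flavor;
    const uint8_t *cred_body;
    uint32_t cred_len;
};

static size_t rndup4(size_t n) { return (n + 3) & ~(size_t)3; }

static void put32be(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Bytes the signed region occupies: 8 XDR words, then the padded credential. */
static size_t signed_region_len(const struct rpc_call_hdr *h)
{
    return 8 * 4 + rndup4(h->cred_len);
}

/*
 * Rebuild the signed region into out[0..out_len).  Returns false, writing
 * nothing, when the credential would overrun the buffer; on success *written
 * is the length to hand to MIC verification.
 */
static bool build_signed_region(const struct rpc_call_hdr *h,
                                uint8_t *out, size_t out_len, size_t *written)
{
    if (h->cred_len > MAX_AUTH_BYTES)           /* protocol limit */
        return false;
    size_t need = signed_region_len(h);
    if (need > out_len)                         /* the check the bug lacked */
        return false;
    uint32_t words[8] = { h->xid, h->mtype, h->rpcvers, h->prog,
                          h->vers, h->proc, h->cred_flavor, h->cred_len };
    uint8_t *p = out;
    for (size_t i = 0; i < 8; i++, p += 4)
        put32be(p, words[i]);
    memset(p, 0, rndup4(h->cred_len));          /* XDR padding bytes are zero */
    memcpy(p, h->cred_body, h->cred_len);
    *written = need;
    return true;
}

/*
 * Validation entry point: the fixed-size stack buffer lives here, as the
 * advisory describes.  Returns true only when the region fit; *signed_len
 * then tells the caller how many bytes of the buffer the MIC covers.
 */
static bool validate_data_packet(const struct rpc_call_hdr *h, size_t *signed_len)
{
    uint8_t rpchdr[RPCHDR_BUF];
    if (!build_signed_region(h, rpchdr, sizeof rpchdr, signed_len))
        return false;                           /* reject, never overflow */
    /* MIC verification over rpchdr[0..*signed_len) would follow here. */
    return true;
}

/* Constructed sample: NFS program, RPCSEC_GSS flavor, credential of cred_len. */
static bool validate_sample(uint32_t cred_len, size_t *signed_len)
{
    static uint8_t cred[MAX_AUTH_BYTES + 8];
    memset(cred, 0xAB, sizeof cred);
    struct rpc_call_hdr h = { 0x12345678u, 0, 2, 100003, 4, 1,
                              6 /* RPCSEC_GSS */, cred, cred_len };
    return validate_data_packet(&h, signed_len);
}
```

With a 128-byte buffer the 32-byte header leaves room for a credential of at most 96 bytes; anything larger, up to and past the 400-byte protocol limit, is rejected before a single byte is copied.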
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:09.pf
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260326042809.9955E135F@freefall.freebsd.org>
Date: Thu, 26 Mar 2026 04:28:09 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-security

=============================================================================
FreeBSD-SA-26:09.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          pf silently ignores certain rules

Category:       core
Module:         pf
Announced:      2026-03-25
Credits:        Michael Gmelin
Affects:        FreeBSD 14.x and FreeBSD 15.0
Corrected:      2026-03-25 07:11:58 UTC (stable/15, 15.0-STABLE)
                2026-03-26 01:11:25 UTC (releng/15.0, 15.0-RELEASE-p5)
                2026-03-25 09:58:28 UTC (stable/14, 14.4-STABLE)
                2026-03-26 01:15:00 UTC (releng/14.4, 14.4-RELEASE-p1)
                2026-03-26 01:16:06 UTC (releng/14.3, 14.3-RELEASE-p10)
CVE Name:       CVE-2026-4748

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

pf is an Internet Protocol packet filter originally written for OpenBSD.
While loading its configuration, pf hashes rules and silently drops
duplicates as an optimisation.
Only the first rule with the same hash is considered.

II.  Problem Description

A regression in the way hashes were calculated caused rules containing the
address range syntax (x.x.x.x - y.y.y.y) that only differ in the address
range(s) involved to be silently dropped as duplicates. Only the first of
such rules is actually loaded into pf. Ranges expressed using the
address[/mask-bits] syntax were not affected.

Some keywords representing actions taken on a packet-matching rule, such as
'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is
unlikely that users have such configurations, as these rules would always
be redundant. The verification described in "IV. Workaround" below will
find these as well.

III. Impact

Affected rules are silently ignored, which can lead to unexpected behaviour
including over- and underblocking.

IV.  Workaround

Only systems using the pf firewall are affected. The operator can determine
if a specific system is affected by reloading the configuration verbosely:

# pfctl -vf /etc/pf.conf | grep already

As a workaround, affected rules can be rewritten, e.g., by using tables or
multiple rules instead of address ranges. Another option is to add labels
to rules to make them unique.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date and
reboot.
Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, which were not installed
using base system packages, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:09/pf-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:09/pf-15.patch.asc
# gpg --verify pf-15.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:09/pf-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:09/pf-14.patch.asc
# gpg --verify pf-14.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.
Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 4311217a039c stable/15-n282698 releng/15.0/ d91cf52e31ac releng/15.0-n281017 stable/14/ e3b801edded9 stable/14-n273835 releng/14.4/ b6865bca4ba5 releng/14.4-n273681 releng/14.3/ c03577d99d2d releng/14.3-n271481 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnEp+AACgkQbljekB8A Gu84/Q//cIBdAEmzD04kjglaG1X75rULWJ0fsD26RW89Y3IEvLnUa5yoWV0dKUeW wRta0n7cvpkLiuDVqSfasVrkVM0EZ70toWcd0JXTRwaJ+i7IhHMByXjvSwTzhS/d OL2uDzjJ1nUyUqangNM+99Mpr3UQOEIMY9Scq5E0NNr/x6NdWXN4psiB/RCSFU64 abRos56CPkWbfVQLVZ3i2FihGhYQ2JLnqvP9DgCT6xy6MU5uTDWF57sxe4ciYWGw 4ZRydr/oyTkpthetm9xPFoFkaBiOiGfdTnsOi58f7mcWln+AgiKLzT0KdOd6XkEy RH22v4254P4nquDXfBTIJUVyDFd8SVIk7Ol78BzRNdEYOEog6KEI3fTjArFMIiy6 CLPS92ph3xq4aBWMdxnZ4cvfW7Ktm8Zp9xrXCvdRaUGfl+wawzjfjgw62eXaec4x pFxip2jLziZUDAvpzg1ywK0ajJE+RYh7HlT7CG2pTEcCaaIC0rJ7B2eEIaoO48Ho Uez92JN54P7xBRLy/rLVfUHz7Td11toAg6wwBTEAQPKssDHh1DQZMLSDKZcGanlt waUCybHeaWkMZvoHtLlEJjZ8hL/67Ivz2Huv5KCZ5CtpoEqe5ZHmGGS3iOCiuLvQ 9k2F3fkJN4w1zpGHE48JJ03FYQA7cTHwEro7TCRzeM6+KnqgAzE= =cGmd -----END PGP SIGNATURE----- From nobody Thu Mar 26 13:07:35 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fhPFz5XHWz6FX3V for ; Thu, 26 Mar 2026 
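As an added example (not code from the advisory or from FreeBSD), the following Python implements the workaround suggested in section IV: each "x.x.x.x - y.y.y.y" range in a rule is replaced by a const table whose members use the address/mask-bits syntax the advisory says is unaffected, computed by a greedy range-to-prefix cover. The sample ruleset, the em0 interface and the range1/range2 table names are constructed.

```python
import re
import ipaddress

# Matches pf's "x.x.x.x - y.y.y.y" address range syntax inside a rule.
RANGE_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})"
)


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Cover the inclusive IPv4 range [first, last] with the minimal list of
    address/mask-bits prefixes, greedily taking the largest block that is
    aligned at the current start and still fits inside the range."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is after its end {last}")
    cidrs = []
    while lo <= hi:
        size = 0  # block holds 2**size addresses; grow while aligned and in range
        while (size < 32 and (lo & (1 << size)) == 0
               and lo + (1 << (size + 1)) - 1 <= hi):
            size += 1
        cidrs.append(f"{ipaddress.IPv4Address(lo)}/{32 - size}")
        lo += 1 << size
    return cidrs


def rewrite_ruleset(text: str, prefix: str = "range") -> str:
    """Replace every address range in every rule with a reference to a
    const table of equivalent prefixes; table definitions are emitted first
    so the rules that reference them come after."""
    tables: list[str] = []
    rules: list[str] = []

    def to_table(m: re.Match) -> str:
        name = f"{prefix}{len(tables) + 1}"  # hypothetical table naming scheme
        members = ", ".join(range_to_cidrs(m.group(1), m.group(2)))
        tables.append(f"table <{name}> const {{ {members} }}")
        return f"<{name}>"

    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            rules.append(line)  # comments and blank lines pass through unchanged
        else:
            rules.append(RANGE_RE.sub(to_table, line))
    return "\n".join(tables + rules)


# Constructed sample ruleset: the first two rules differ only in their
# address ranges, the pattern the advisory says was collapsed to one rule.
SAMPLE_RULESET = """\
block in quick on em0 from 10.0.0.1 - 10.0.0.20 to any
block in quick on em0 from 10.0.1.5 - 10.0.1.9 to any
pass in on em0 proto tcp from 192.0.2.0/24 to any port 22
"""

if __name__ == "__main__":
    print(rewrite_ruleset(SAMPLE_RULESET))
```

Feed the rewritten output to `pfctl -vf` as in section IV to confirm no rule is reported as already present.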
From: Alice Sowerby
Date: Thu, 26 Mar 2026 13:07:35 +0000
Subject: New Open Consultation - EU Cyber Resilience Act
To: freebsd-enterprisewg@freebsd.org, freebsd-security@freebsd.org

Hello everyone,

There is a new open consultation relating to the EU Cyber Resilience Act.
___________________________________________________________

- *Category:* Standards
- *Title:* Open Consultation on the Secure by Design and Default Playbook
- *Organisation:* ENISA (European Union Agency for Cybersecurity)
- *Description:* ENISA has released a draft *Secure by Design and Default
  Playbook*, intended as a practical guide for SMEs. The draft is meant to
  spark open dialogue, collaboration, and identification of priority areas
  for future work. Stakeholders are invited to contribute feedback,
  perspectives, and suggestions to ensure the guide is practical, reflects
  real-world challenges, and incorporates diverse community experiences.
- *Main link:* https://ec.europa.eu/eusurvey/runner/sbd_public_consultation
- *Relevant to:* Manufacturers
- *Who can respond:* Anyone
- *Shared in:* freebsd-enterprisewg@freebsd.org, freebsd-security@freebsd.org
- *Foundation response:* N/A
- *Closing date:* 15 May 2026

___________________________________________________________

NOTE: this information, along with information about other open
consultations, can be found at
https://github.com/FreeBSDFoundation/all-projects/blob/main/Cyber%20Resilience%20Act%20Readiness/legislative-engagement/requests-for-input.md

Thanks,

Alice.
--
Alice Sowerby
Part-time Technical Program Manager
M +44 7787 953393
From: Alice Sowerby
Date: Thu, 26 Mar 2026 13:13:06 +0000
Subject: Re: New Open Consultation - EU Cyber Resilience Act
To: freebsd-security@freebsd.org

The deadline for this is now April 13th.

On Thu, Mar 12, 2026 at 11:27 AM Alice Sowerby wrote:
> Hello everyone,
>
> There is a new open consultation relating to the EU Cyber Resilience Act.
> ___________________________________________________________
>
> - *Category:* Standards
> - *Title:* Draft Commission guidance on the Cyber Resilience Act
> - *Organisation:* European Commission
> - *Description:* The European Commission is preparing a Communication
>   that will provide guidance on how to apply the Cyber Resilience Act (CRA)
>   in practice. The guidance will help manufacturers, developers, and other
>   stakeholders understand their obligations under the Regulation and ensure a
>   consistent approach across the EU. It will clarify how key provisions of
>   the CRA should be interpreted and implemented. Stakeholders are encouraged
>   to submit comments using the attached template to facilitate feedback
>   consolidation.
> - *Main link:*
>   https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/16959-Draft-Commission-guidance-on-the-Cyber-Resilience-Act_en
> - *Relevant to:* Stewards, Maintainers, Manufacturers
> - *Who can respond:* Anyone
> - *Shared in:* freebsd-security@freebsd.org
> - *Foundation response:* The Foundation will respond through the Open
>   Regulatory Compliance (ORC) Working Group
> - *Closing date:* 31 March 2026 (midnight Brussels time)
>
> ___________________________________________________________
>
> NOTE: this information, along with information about other open
> consultations, can be found at
> https://github.com/FreeBSDFoundation/all-projects/blob/main/Cyber%20Resilience%20Act%20Readiness/legislative-engagement/requests-for-input.md
>
> Thanks,
>
> Alice.
> --
> Alice Sowerby
> Part-time Technical Program Manager
> M +44 7787 953393