From nobody Wed Apr 29 18:40:58 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2g1f1Dz6Ztq5 for ; Wed, 29 Apr 2026 18:40:59 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2f23XFz480c; Wed, 29 Apr 2026 18:40:58 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488058; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=v4skgfLChW/sRDkqlzs4LFG1hA6MSu7RFCaDuxlk0fw=; b=INzXKNHW69fZROjfJY6oz4AgSqBpJy9gQQb/Z8VvUw5LiT3BhPpW/4CymFHFEY7UANMcoq QR7j6Ksc6ufeQsoi09AKGmYpWFQ+vijfeQ47y602gFufW+F7eKJW3VCsUXj1h+L7zD1ePV MP+WX+CrhnS8i3XFaQLOWTMBh6O4nnanvzKeh31sc9ZwwSd0B6IpivN6qZc4QTWrJbelBo pcKFc2SrkzBdbXIejy3ZZvNNe1zIh/3ks54erqPevdMjhvuR3RsytGF76dSsKYIHcgA9Xi MTRoDFRFLJ3jpFos/P7ZZG5ZmBPNEfdQNNuGkYdhn3i7E5hh9KXOxtp341rOtQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488058; a=rsa-sha256; cv=none; b=W4bYWyTGusVdwk3tCWG45OQ8VCMuxHcoQCNkFWZd/W1USTjs6wkoT67y519yeEHuqgHkTe fkzqnLBZEdWgGbWZKEDqiLeQP7ykmK9MN1H5dQgXxa7KhVyZjw9RjR63TIltrVtUFQXSFS E8EmGRWHn9R3MGt8b6dQlg1t/Es9SFtzS/NPRwTv4eGdfw8iZ+aUqWlZmWxUvImpYV6UK7 11X1ml/LOrmfBWlepE81vFCtV+td/4whGByZ+559pP690FFo3rOaILBF8b501a/zAeiMcE NraTx/HHk0zGHcMqAdPtqYkmTUjmcxmBYykFNPmGSxJjpK0buDlNRt8kKjV+fA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488058; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=v4skgfLChW/sRDkqlzs4LFG1hA6MSu7RFCaDuxlk0fw=; b=REeuN6FwwktzTjppb8ycT4njRH4Bt5MSgukRFDM6qNVcO8DUnK4ZtGCJBGEkzb0tegKSyo KNarae4fCi0FRZ+m3Yp0LexPtEQtD367cJ0oYHRyr2VnMTDmcHhYScUGrQeRUXmRh+dDDh iaYxjSeWTC6qdyYFjgWgJSXLFYeee9v9x1ukUkCFvU3r5yJa+sRGZJMXUmOYU5tJWIEUW/ 9aRehoT6F6hJUvmas6/glw2WqLsW1u795T5+bfSUaM0LY5h9ulxRx+ujyLH1aaDbANImva Ht2HuZj6Wvd+Q0HiHh2CSHCFuZTPcJb5UEwCrr85dlA+A1npqXoH3QzepPezSA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 387E69904; Wed, 29 Apr 2026 18:40:58 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:12.dhclient Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184058.387E69904@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:40:58 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:12.dhclient Security Advisory The FreeBSD Project Topic: Remote code execution via malicious DHCP options Category: core Module: dhclient Announced: 2026-04-29 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:47 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:28 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:50 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:41 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:22 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:06 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:18 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-42511 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is responsible for contacting DHCP servers on a network segment and for initialising and configuring network interfaces based on received information. II. Problem Description The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. III. Impact A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient. IV. Workaround No workaround is available. Systems not running dhclient(8) are not affected. The attacker needs to be on the same broadcast domain and respond to DHCP requests. A well-managed network will configure DHCP snooping on switches to prevent rogue DHCP servers from operating. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch # fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch.asc # gpg --verify dhclient.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 2621f6c5d4ae stable/15-n283377 releng/15.0/ e7b4fb41aafa releng/15.0-n281029 stable/14/ b3087e05e848 stable/14-n274076 releng/14.4/ 73b801e3b5b3 releng/14.4-n273691 releng/14.3/ dda71167a101 releng/14.3-n271492 stable/13/ 46c01e4dd102 stable/13-n259859 releng/13.5/ a2d45189b9ee releng/13.5-n259215 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySScbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv/HEQANr71RMaW0408Cp2xZ/n DN8DsU7vCXPDcZWF/HAl+COurXipEycxnP6pBdm2uCqRGWXmNPkjyA5nyoAM2qYP 9b3rXQHKdrqc0vvbjJuahzqfttwcv1jFQp+8Z8N8TYWUnETprai5VOwZ+7p2caGC gZg3UkS8qx7+qUZn1c1nOpYgW7AE1cxuBzSM3O/4pyaSnnMGgeUcz/utv+F272rn /rdDaC1nvH09OKIJOqBxOQ7m7izTBu70P1zhuWmGDAzmvy1sNCUpv325iFBc7B78 fRvINps878aSqheJqIx2jpeykW+nBjbVpsh++0ZUNjoWQTbZM7WaxNJxD4KjdInW zvK24qX34aMrY4pS0BjpQ46RTkEIDFnzSYTUAN+33LQ9rQ+1DaUF0UJAlO10XBQ+ 6J1ZDXnSmqOsXu2pnRyXWKrsliz6+j3LOzkJoc2gQFwiDzex20ZJtO3Jd2dVMJ5a F/jN5SY800LhvCbPFPL4k03xK98n7fLs432jsJOMYtRvY9N62oEbufBj0dCS0S15 A7Vj537ziRZuGt4xz3vdE48GEBdxm+frPNadS8IurW1gDN4Rr0d5VLfKFwMsiSXr baVMWTjn6kcfpomYDhl5451lDAyhZ20qFxx9M1lRNj7ploz4khmdv1e1zqENocQd t4eQrptk4YUgxEIZ0R56b2qf =h/Vp -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:41:03 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2m21VMz6ZtqC for ; Wed, 29 Apr 2026 18:41:04 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2l6q8rz481W; Wed, 29 Apr 2026 18:41:03 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488064; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Eek2XY4nJcTQATsNfh1hGkkrRe7p0UmcElpBX96ViXw=; b=n0/kE6boQ+IJuAaq/+Ho+9MO6cOnoPVuU6Ign9yx+plq+1oRtRvqVE3d4BcIAi31w11wUw iFzeP4qn1LymTyJ5ZPnkTKEmFmiz8SsOkFfPNPFZ9PuUn15Bci+ImW+E6IgwgTOmNmmAjQ 6Yt65/1NLSPFyLgTuhs+fIwE7d1O4LIgOB/JCGCKtk+erevu61Jl3pcOEA4zgqzHFsSooj qcDkeL2nujL6WewQpdduubrErs3fcA/O8eSKeWvk2fQpO+SPgBssCQYdCBkeZoA9Tjaght d4LbgxpBVuUKs73FLuRZLNvx5nGUFHaGJcvS7xWQWfFyXYtb7H6oJsSmlgkt/g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488064; a=rsa-sha256; cv=none; b=PLTeEtxbMVUj8ssBjQHfECiGhG09RUzLZZifO88nFLxIWzJ0vUE7kIMFcFlmel1Wf8CvBJ zQHflrb0Xaho2ZF0cjnw4vFidBhfEfCKd1JOw6BIwF6+tXwzP8rY0ZTLyj+nM25q+ITCiv cwM0hWR/020SsYp9GJLx6zc23nZaehJNdIxd+f12ITohIvO11Lug4zZTR3SV/yaoYaEmOr Dt33wI29QzdIJ2NrLRbmAjGBjLvZpABp9h/7yjjIRHhonJudpiZiE9anoVYYp2xdDZX0uP CGEW+SC6Cnhr52cUoZ0b+oh4cqExot8cTRizJa9LDEFnJk8C54uKIJZjKah06w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488064; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Eek2XY4nJcTQATsNfh1hGkkrRe7p0UmcElpBX96ViXw=; b=DxxLniPhzQgPsiI107PWR8i3N5E6vzuouYuhVJ/6TSpUFy/4+yc138lio65Fxc+2uiWRvp jNgzaVGqcUZy6XPMsO4BZGBWdR9iJ7M4ykYt0fbaVh9hkbxVR8lWgV69iVbxV29X5SZmxD gjkpCZ53GwKRq4vV6vXPDZ8D6RLFWAzHRAlDyWfnh7NnlTGiiWjV1FHIlHgb8dnOvkv4aA 1mjMgkbh6+jtlqB9RlfZ30ypxoa6yIrIg/YNTVXDvRVyTKEtsfWUbNLPTaKR2UFc5EXIpI FHRV28SV8d5NXRoVzMrpZzi+ol5SOWuGdyNSDfIEGw3q9RPhmRa9n1D1bOH6qw== Received: by freefall.freebsd.org (Postfix, from userid 945) id BBCD69906; Wed, 29 Apr 2026 18:41:03 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:14.pf Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184103.BBCD69906@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:41:03 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:14.pf Security Advisory The FreeBSD Project Topic: pf can overflow the stack parsing crafted SCTP packets Category: core Module: pf Announced: 2026-04-29 Credits: Igor Gabriel Sousa e Souza Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:50 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:30 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:52 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:44 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:20 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:08 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:20 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-7164 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pf is an Internet Protocol packet filter originally written for OpenBSD. SCTP is a transport protocol with multihome support. pf parses SCTP packets to discover additional addresses for SCTP endpoints, allowing it to create states allowing connections between these additional addresses. II. Problem Description Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic. III. Impact Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset. IV. Workaround No workaround is available. Systems not using pf are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-150.patch # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-150.patch.asc # gpg --verify pf-150.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-144.patch # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-144.patch.asc # gpg --verify pf-144.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-143.patch # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-143.patch.asc # gpg --verify pf-143.patch.asc [FreeBSD 13.5] # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-135.patch # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-135.patch.asc # gpg --verify pf-135.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ e1c9f92130e8 stable/15-n283379 releng/15.0/ c01d9bcf0cf6 releng/15.0-n281031 stable/14/ ba21845e94dd stable/14-n274078 releng/14.4/ 0cbe512c7a80 releng/14.4-n273693 releng/14.3/ 63495b09ccf5 releng/14.3-n271490 stable/13/ ed0e766f1256 stable/13-n259861 releng/13.5/ 0ab05345fb40 releng/13.5-n259217 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySS0bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvIZAP/1GsgtB+t9rl+cOV5dv6 EeW82SX6ivf2GdmjiuXGSKoGuw3VsXPUC4RCcnFoewr1dmh+p0mGGnN0mH7lwXlT 8HG/ZF5sRXAvbaqMt2t2kPh6RbSUTfDm9TWpFQRCUmCn2PjAtrZtjQAjEZZOhfAS domShW7gUMTHl5AA3bpSWyL/GL2/WicOkhczJAoRg8rlUiFmTg8OYWPmSZfXfLtf E5AeXlfn5OaXFFupB+FKsdQDShU2p01kh6BtpyfH6TXa7a2yM3Cu4OdL37oy+TSi OgH3G7/CveNXqRknOD5DJi/kwIGbWpGLGnyAerOepY3MMq8Wag5Wz0Ive2H6B6Ud 45v7cmXhDUUaNv/vAW/q+oiru0qJKzEvOlL7RWOxDLz1eL1P8Cqj9fJBLmD9Z3GW t4QwGS09bkDcvkxyLh4HkrHwuOmZIP/OXfdHZji98N7tgmvepiNdv8e+Ww2Pm/Oc M+E+44nx2grOpo5kewoUUT9KPxNMwn2h91Pdh2qLFCAb/HTuJ9cpPcoKvw2DAsYz 6IGLxUjQA13kkD9J7ehlvEd1/OaYxBeRIBVIJAxV2Y3OJMLhQRCu1HKz1ACNkQY0 /wHT5DXf4Q8PfGCEyEjtRI/tVAtVFdojSAfyWuxfusSjTxGD6SAz/MjWKI0oqGPZ oTn0P+vVYzU3/bYgLl6DYOCP =dRoD -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:41:08 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2s10ZSz6ZttH for ; Wed, 29 Apr 2026 18:41:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2r5JM9z482P; Wed, 29 Apr 2026 18:41:08 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488068; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ZPzjWcqe2VnMZOeJXvNp7SfBFjE4uSwP4KMGn48wjY4=; b=IWwpiZ/PDowjevH3S8PYR4i9awXXZNW2kgWFEmZiTrO9KtWgMdSKLatXh9rSDpwQQgwXtm pYAcmaIfKg45Be5YOv9CTpP8LsDJPoLB0XB5DqRyMhb+mhJsY+ttAdIQTL9b+tzc05/Pfx 2VqhHgirwwyNXLD70o4fOORdeD7j+GJ5/lrqVxz3I+BBl7xFqS2ixMmwd13pu8SRiXRRYZ 7kZ2m3TPkBrTun5+bLBlMUrmWthHe6DuG7dSw7OA8SK+v+nH9DrKLf9o7so/jPkTllE6eb KFuNT+gy9Rdtm3qmRzR+F/sRIi9wrd7Vu2CYirl44PCMB/yWaBL9d9/0xHkKYw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488068; a=rsa-sha256; cv=none; b=PVKpLjOmZbZoJSFo9fKs9NL+2kAvArBO2By9dL0T3atTEYDPF+2QxMylWGng2uCZqtsVE8 hcEKwBvCAkC458d+JJoFpTDy+exhk7EtNsN9sF4v4B38HtVwzrfbWaM8M1DI8oJEywBBJW ad3sRFp5B8Pv7D9isreXjAoHebPB0fYUZKK44OWXh2rSkGReOXgBZTjbnQn2TelC3+2jes jz1RYlPfyFjvclq8EuflLM7+wm5J9tzYKX2IZqjgvhAubome9mIPbkJbVjq7hmHCQsji/9 CCwaXCGe+gehqkWRaxxbB5ubSD1jwz5oajWmSalZ8vDVnmb+AB/gSUGURLvtqw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488068; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ZPzjWcqe2VnMZOeJXvNp7SfBFjE4uSwP4KMGn48wjY4=; b=vhalRwYaXQzQLztFUdEHzuAOQEjvPD0f1DLm4AV1Kii/ywhwZtCLBo0FJn3snML8Y1p7ND rG2pGbIybFeUK4Wjm7rpiu5N2nd0Q00XZtNj0OiFFIdlxDZtFEWo7sF55PL70tnqyBKbMi JcsQyDeWYTlWso02FpetfS3Sh4SjM7S5/xEm6wFtyBrvs1rcfB8VEz/W5XcSmHHQVG5O4J /4cIvH8ZzdE6O7UQm9+mu8qA+4lHwxZ7ZRXlmkXCUDHdv/Gqzi9s2Cwr64z0kl4xi1ia8g a27CLIkXqkn2YA08Q/SkLdi52ePwOmI1wKy4ag+cvt7zhA4wC79DOOmLrc/pag== Received: by freefall.freebsd.org (Postfix, from userid 945) id 9B8B097EF; Wed, 29 Apr 2026 18:41:08 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:15.dhclient Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184108.9B8B097EF@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:41:08 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:15.dhclient Security Advisory The FreeBSD Project Topic: Remotely triggerable out-of-bounds heap write in dhclient Category: core Module: dhclient Announced: 2026-04-29 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:49 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:29 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:51 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:42 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:24 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:07 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:19 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-42512 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is responsible for contacting DHCP servers on a network segment and for initialising and configuring network interfaces based on received information. When processing a DHCP offer, dhclient passes various parameters provided by the server to dhclient-script(8). DHCP options, as documented in dhcp-options(5), are passed via the environment. II. Problem Description As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun. III. Impact A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution. IV. Workaround No workaround is available. Systems not running dhclient(8) are not affected. The attacker needs to be on the same broadcast domain and respond to DHCP requests. A well-managed network will configure DHCP snooping on switches to prevent rogue DHCP servers from operating. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:15/dhclient.patch # fetch https://security.FreeBSD.org/patches/SA-26:15/dhclient.patch.asc # gpg --verify dhclient.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 4408b683d237 stable/15-n283378 releng/15.0/ 66d6c32ce7b8 releng/15.0-n281030 stable/14/ a813012f4b76 stable/14-n274077 releng/14.4/ d60456d859a1 releng/14.4-n273692 releng/14.3/ 76734958a098 releng/14.3-n271493 stable/13/ 5d3e93fda7ce stable/13-n259860 releng/13.5/ 5a5e7883a3bb releng/13.5-n259216 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySTMbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvvwIP/3DfD428ehRM/ukPC7bY 2AUpIfE5s+AHvE6JiRF8IcbsuVRHsMfO1Z6YWYMfPxhzTpoKhjBcC1XuM6fMugcP 9GFRoW1u4f17trfSSTFMbgTA6q7EC1hab1wQsGhpgazQA+lGpUjoISC88ah+jiEu +Z1b9ubyuYURnstf5V5gj3cRunt9YL3ZuBC0oJJaybODJSuVvuvgZL3QvtwSGM98 OJmqEANEYO3uGpkbeJsIXBYvzqJdzVHpp/rVF84+PHYLp/uqVaWFllflWLwEp6wE 0oSKmsWljjPjL2bIcbsxu+aJH4XJDwDizgYRq6IVnbV/G3XYqQPJwMyQh/qGDhIq 8hA3tG/aQrs5ukL4WE7eMMM+fNzy+LTBfD3vWyfuabFHmKXBCI+Kc6q+oNcPGXeq /ofaJav+ivO4d0H6XHIJ/MtZOO9782EXYWmR8X8E4myZ4z6/vtmqUzL457Kh2v7b rdGE/1tdd+CyIVobfcuPJBq0cx8Fp8gVydcQ7Ts6i5Hqx/Grz2za5qvQgsHsruqo ZQxb3rw7J6wp7w7duqEl9cYVZRgz9CdmTSmjCPi8Ws3nO0PCBV220/dHBHi/kPtl f2GPmIBJA2s0HjTiPQJp9LAFaAnUuCsleo4PEj04NDe6QFMt/u1W22AZbO50zCOQ wuVe9dL9HWnNoKuR1hjIWB27 =rnNn -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:41:12 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2x2DQPz6Zttx for ; Wed, 29 Apr 2026 18:41:13 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2w5KbSz48nF; Wed, 29 Apr 2026 18:41:12 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488072; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=JhrmztvykV13LAtB00giocImtvWNZM7PyGbt1l63Zb4=; b=kijEP3j0IPOUOdyIrkVA85GyejgOE4IXijkgcJvDoTa54X37v6f8Bz8bpkYW5UAgbyAJoV TBgoDITWRqsDmMYIBweZO9nTA0OOimlX5LwebBxX77PyeYM96smhQRrcfydr6WSZBZHqRA yas2ageJF7mT0b3pmwwbkZEy87bgLIgDTYBpBGEBJNu9mtGifpOR+03gkd8s1AuzihP1ec o/0uyiK7vplQmL4QsSUgz8D5lUK1/X76B2DL/q7mRgD2yoY6wDaPyp90aQcgyMRb8eQHt4 +OiFDif7B/bewGphI/1UAg8dt8aTUILfR8k1PXul1ZC9rQ4BcvPQfm7vOB8tpw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488072; a=rsa-sha256; cv=none; b=hRdpYUAOSsFmXf5aX0K53pYLPkT7bhQdhD9djfphwUXP568VIwLLsMxBc70D9gLAEe215b 2f7G8Leu9Ws1L8kHoHrLoSFLztCtYh7RZ0kLz5dFateMDWpdR9oVREGE0B7DPQXM1TJ3XZ PuCTCQtdwYbHdjWVShapCfMi3IpRS1MA4AtkyeSNnIreJpJUkI3CSb2usYWYAHiKxUDzDH XDsqAoAzgBEGfhkWRYOyCMHwqXFgA7TJG0gwyfpWT1wR/WlKPZSbLc5YWXyvCoDW4Sjoj+ gAKgvEaDWuxwbuA9HZl5qvV5OZlBSIZhp69PoUVKcsi25B39EgXODuJYbt2rAA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488072; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=JhrmztvykV13LAtB00giocImtvWNZM7PyGbt1l63Zb4=; b=q3xs2lbw6uBx89IYtxvn42b5ijk174HCBL0cNe5xNl725n9wDUl8gzpi7KEY5nR4nN+qaH pbaY2fppJx9PSVsv0j/U1zAPcjRLzw5YFbxkt3wvwuc7fY6EL+r/R73LVwkkqV2e5xA82M pnpnxf+n38SnzOddDMbhpSmB7TS6ODsvV4JkrnT5sd3hlYKhhigKky8Q2YCp4QdQJmLY5d 0/LLdbnocXSMe6uu4zCjeVw6U1WsFO9yEEW0px/QF4m+rxmZwzl3gzCRW3HtUS36beelvp n+DaFv6qHPB3vfWVVn8Ei9Zvl+kuAn9DMIIalYkOoHvvXBSxxmSZPHzpa4NiNg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 9FEB397F1; Wed, 29 Apr 2026 18:41:12 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:16.libnv Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184112.9FEB397F1@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:41:12 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:16.libnv Security Advisory The FreeBSD Project Topic: Stack overflow via select() file descriptor set overflow Category: core Module: libnv Announced: 2026-04-29 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:51 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:32 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:56 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:47 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:27 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:09 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:21 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-39457 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background libnv is a general-purpose library designed for storing and exchanging sets of name-value pairs. This library can serve as an Inter-Process Communication (IPC) framework, enabling processes to exchange data and file descriptors. For example, it is used in libcasper to establish communication between privileged and unprivileged processes. Additionally, libnv can function as an interface for communication between userland and kernel. Originally, libnv was inspired by OpenZFS' nvlist implementation. However, the implementations are separate. This advisory relates only to the base system implementation of libnv, not to the one in OpenZFS. II. Problem Description When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). III. Impact An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:16/libnv.patch # fetch https://security.FreeBSD.org/patches/SA-26:16/libnv.patch.asc # gpg --verify libnv.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . d) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 025789eaa648 stable/15-n283380 releng/15.0/ 7e4d5363ddce releng/15.0-n281032 stable/14/ 45809b0e1bc1 stable/14-n274081 releng/14.4/ a5cb4863d65a releng/14.4-n273696 releng/14.3/ a872c32f389e releng/14.3-n271496 stable/13/ 4acc2b5c61a7 stable/13-n259862 releng/13.5/ 32d12677ff45 releng/13.5-n259218 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySTUbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvEdwQAKF0kwMDT0ZjvcDnvqXa NmJEse7XRdFDWDcMp8NtSQK5DTYBRpUgwWiC7M+HRr4QIf/aIjzwuJdu1luK913i vAJJUbAaEAdGbNqd35FtDlnTWQE638R4HQ0TqMBrUfGTSp0O5SPOpTSPXB1Fw/F7 Q3c22lNDHgxgZ8+DOoJH70HgjdVskz3ezZroYUKfmk5vh9yZtVM9zMr6iGr6TUA7 OEbIrMlRCJ3pI9dOSGNKz1i/3s8bMS3U3nvAWIYPdSjKQBOyRdHoZHtk4SfY9TVs epqQQccUv9g5+E1QgxxoQHLR4dLkCHEJKOU2sqc/qW9KISX2rsTd2UYgYubxtb+j CIzTg23/rkMMhCi3VZ9NVLmGrxZclxyvAVJ/V3942jjag0c1onc+5RH0IGAljgay hobn3CBqE2NIOjoFyCJK9RcZ+wtvxFoQFdX6A56h5vDD2I/H7MIFJ0EnW3aWvT8f 0xiWhD4//9AU3+06soPt6l4tE/YaXJbcvYb92kC1JbbGVApMrDYbdxu3QK8HwAlV mNTFd3hgoEzlCiFH9vDNK/RIsVE67kb4KjqZKC1ElWrQbawQZtnKUigpxGcZbhCC 9zwXgoFRHCzeBiO77anQMgArNuY3Wj29beepzCvOA7u/KRyDTvDat8YRWNKbWS5L T3cMyFqgRkUgr7tajk0L51Xx =Edvm -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:41:15 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2z5bwKz6Zv9M for ; Wed, 29 Apr 2026 18:41:15 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2z3SK8z48lJ; Wed, 29 Apr 2026 18:41:15 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488075; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=12hx3gdyvyd4jDmZfazu7fjld61j0sJcmSvqqFiAhgY=; b=aJ8qnX51PmAqd8tUKGmDhNqJQVSLnJWr+uFF6oDoaPgVL4vcJK2nMSSCLV4AcErw5T9out FJTpb33Nq/30UM2OIoVonVu7Xuu+L3H8Sr2ngtDYFKZBtIe4clohXo0nsb1MO4foQ+XMuO bpApVd1g4HC0yCyvUs2MME7Zzx5VT/3CtjCjYiQplAZz168ylf9W14BTxf4vCgWMVlGGCT 0G44nijz3XSjfbsBsfzY1eopx3Dnb20485Pzh72jCS+9K9HXj5YmlAn4TptnIWvnY7VlBY JeHP9FNNYOYcTCFQD8+WuPoLhMh/1vCHm7Q81rQhfMtHg0AA+YMpDM1gxt0m1A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488075; a=rsa-sha256; cv=none; b=Ms8RzC2kCmWZJ8h1AIzlIRGQLcQVKzPyE5FQiOZLy2/TvE1Y+U4aWAnFxMF1+uipgfQJRj lwGJyioY9fi7KB0HKTAsc+SIoK8RLrFxEMzFq1l9CMz4+ykIQnmGBsZZ0uWRFGBCNUn1qm DEEE6W7i6PfR2tOEvlsL7UIRi8GcM4WR8JfX+LU5HJRp+iEeK4zR3oyrGnWNVqDJbdGxxJ DAFqY+GelSUKwkdpkG+VlfGx8MbSqvOma+zreb/j8cDqCIB0GZhUITP9Ss3nDblZqusJyd SVMtG5fBKWxFxEA9D49P2ZYBCjj3ZeYcluuCxrxi+NKF1rTtqyDiCxViNBRB8w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488075; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=12hx3gdyvyd4jDmZfazu7fjld61j0sJcmSvqqFiAhgY=; b=q4jy/IMZR0SVBpf+nWvIddWSPyF1zbnPQQI+UFXdxTa/ThBuLJTuSwgu0Nurk5xfSXn4qS s/UeLm1ULxjKvs6tWM8nmc5C7dk4NBMOZ6KX/efKE5v5Iw1a1szk3fwNLtT+mqa1YRC9et BZKfdAXEvCPmIW1eOQyR+m4Ie3RM0C5mEkIwqB4b4wK/l8P0Mb0pkcrkN745cyPhUMtC2Z v3ZnP1Txkjwynfbp6R5iYTAwYUTHMY6hB8KoOpZL9n8nRQk9WgyCkm6wsUHmlq/gsBQUo5 3x9YI3Zp/2hDzlK0m6ZrtLRWNnGd1Wv7HaLmqRSepSBzBKPcLwC9xtqv/Dmvpw== Received: by freefall.freebsd.org (Postfix, from userid 945) id 60B1E9765; Wed, 29 Apr 2026 18:41:15 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:17.libnv Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184115.60B1E9765@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:41:15 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:17.libnv Security Advisory The FreeBSD Project Topic: Heap overflow in libnv Category: core Module: libnv Announced: 2026-04-29 Credits: Mariusz Zaborski Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:52 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:33 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:57 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:48 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:28 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:10 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:22 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-35547 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background libnv is a general-purpose library designed for storing and exchanging sets of name-value pairs. This library can serve as an Inter-Process Communication (IPC) framework, enabling processes to exchange data and file descriptors. For example, it is used in libcasper to establish communication between privileged and unprivileged processes. Additionally, libnv can function as an interface for communication between userland and kernel. Originally, libnv was inspired by OpenZFS' nvlist implementation. However, the implementations are separate. This advisory relates only to the base system implementation of libnv, not the one in OpenZFS. II. Problem Description When processing the header of an incoming message, libnv failed to properly validate the message size. III. Impact The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:17/libnv.patch # fetch https://security.FreeBSD.org/patches/SA-26:17/libnv.patch.asc # gpg --verify libnv.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 414e25d7d512 stable/15-n283381 releng/15.0/ b345e07c8d71 releng/15.0-n281033 stable/14/ 1cbd6e148249 stable/14-n274082 releng/14.4/ 4f0992ce23b0 releng/14.4-n273697 releng/14.3/ aa15809f85de releng/14.3-n271497 stable/13/ 05b91c2a7106 stable/13-n259863 releng/13.5/ f7f48005fbe2 releng/13.5-n259219 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySTgbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvV+cQANyoTjQKCgT/ObIaHIvn /ZHiHhWtxqpnOGHiJQ/Pu32XfF4zngUmxH3RFM4V+p2QTKd+OnCojcr/nWjS1Xh4 D2G0TUYeTfEUzERLxODtWSxD6Px0n7qutRgpTx9yLid3N34av93aoQYnK+1FkqAf PonQlVKqI2Ab44879/Aw4glrjNQg2kGzAwSA4Nzik96BZMePQk6sDnzNKODz914O khZ6KDSc9Fc0jUS4RZUh1AXnAEV2a7vD3fQLg+8aegFiaIajnC4dFZPjl1jioawp 0Jm0f1UI/n5jfp/zyHCJZIgDNvcX+laFnLRJuB8XCrWk8luFdpVOTUjsuPMSA737 TwdSG05ZnGhWsJhQjK0mdkDxoH81wWW7mz21jjVBJ9UhaWhGMNV4mBSevfFYkFkb JHuHO0aCUB6e6/MJ/7O6d0tG9etdQUjCpQeLqXKiYQKqjQkplUUL0C2Uy7A4otEu MelMjHsQMQEjUpRVxX4IADyNQgtJjrroFDdoez3oBF1dfBxQrKkWBnKTTYrV6cbl fIVmkl2b6B/0FcGhAekDh1tLvHj4Ul0n8wzb19F7vT1+4QlnLOtIrXZcJdsTbqde tKRoUYcwvBpUn2bsefxWzEPZ9jvSBoIkSwPmSnu8zQ1jY44eyiHodaXkMsZygplL WfRkGmyutQ0XdUuhcCSyfi/G =K9xn -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:46:09 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R8d3yZPz6bftj for ; Wed, 29 Apr 2026 18:46:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R8d15HDz3LfZ; Wed, 29 Apr 2026 18:46:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488369; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=A/XwNBpbF2sN/Hdonm448dGX9avMSxaoy2aNIzE1owU=; b=MlGkUhtgtnKKZ/3z9bK/p4nh08sMqpITZbZQtCE50owjRUfQbdkNBdLT2xiyaFJGvzfjy2 0WsZLsHNXUSfhnDkSZbMGqz/niK6K3DL/KMyr50kJkRLswdSjqnuEdoL/1CnnkkYz7Nwr2 xiNLtEHs+WCQlMRNEwqihixoP9BJVz/mWtDDUINkYXnYqDXNDAtvdSvqhU9p06PQPM261y DlaH9jP9vEpv7XtA1riSa8FHZEEjCEWQsv5WUP/RAfXvhZwXoqH5iicnezTF6zBXrpp8ML TrvNAnlS4MQBNoo0xrQ2er2Ox6MMgER0mHxxhnds6AtA6yf8DjizNiL+MLqKOw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488369; a=rsa-sha256; cv=none; b=KDS181STMrdfxy51CK7eTx8sQzNv59ctXbKGPoNKU/5OKxuVIdeUfnwnyACYlyZwgdV4or n4a/8OjB5F1TOXhmP4a/FGOq5dsk8XOCoXtY+aRF4OljmtZliDXJP6y80GiabtfMxRTadz sH8aAF9d1aY9LF39NenIUXLJTZIWV1z7MnoHzBiCSYOJcnwzuDmedISiYMSWp/WotuWJ1m wOrnak7oW/pNC/0/sJswc8HD2UjfMQc+zj4gn5rXupkm4QjdaH+3J922jD4P+u0JW0Hpg4 3c71pKGJ+UiHmeZq1xjpNBgekWGkpxjNQapM3Llm9cGrM8thoyYFZtK87FLm2w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488369; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=A/XwNBpbF2sN/Hdonm448dGX9avMSxaoy2aNIzE1owU=; b=rdYW5bX71h2faxI3hvTbDhiFE4+9uWbVNyowe/4njGK/XPrH2BzTMB/HvVEssRMI9y7oun leY9Uan6Bv1jF1QMSiKmBXdMBip0J4qs3/RuG0k29scWnifaKJEN9bRSex3xDGj4H3uEAX o8QkyGjhijR7EACs29JYWC54Nk+eBzDA3scseGL/L/p4mTB6k6dq/MTWU4MraSSDlCQGz6 qEaMrV0TtZaOcbuI2YsT4hSHyGDMRuir5tTt2IT7cHQ/3XZ2EHJ1hGkCsTFIsE8e7MHHN6 TBnel5i0PyK7V+PfZC6v9ENZNhoQ3TpaHlg6WXH+3aebN8+HV0riLs7szTl5Zw== Received: by freefall.freebsd.org (Postfix, from userid 945) id 164C499AC; Wed, 29 Apr 2026 18:46:09 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:13.exec Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184609.164C499AC@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:46:09 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:13.exec Security Advisory The FreeBSD Project Topic: Local privilege escalation via execve() Category: core Module: execve(2) Announced: 2026-04-29 Credits: Ryan of Calif.io Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:46 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:27 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:49 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:40 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:21 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:05 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:17 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-7270 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background execve(2) is a system call is used to launch an executable image, including scripts prefixed with a path to the interpreter. The system call takes a path to the image as a parameter, followed by extra arguments and environment variables to be passed to the new image. II. Problem Description An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. III. Impact The bug may be exploitable by an unprivileged user to obtain superuser privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch # fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch.asc # gpg --verify exec.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ c3e943e78e06 stable/15-n283376 releng/15.0/ 934b48683c4f releng/15.0-n281028 stable/14/ ae00a52921ca stable/14-n274075 releng/14.4/ 943aa64ba91a releng/14.4-n273690 releng/14.3/ f04c40607b8f releng/14.3-n271491 stable/13/ d619e3a3c0ec stable/13-n259858 releng/13.5/ 7c5c37ac8f8f releng/13.5-n259214 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnyTiobFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvVDoP/2CASXfMizRLg2uhf7ab Rq2AlXil/b3uDA316fV30LeAEc1X16VVRwuZbOPd8oovXnpt6ACj26Yg+4IsPyU9 ZEMNcm5tA0eEqicFrrVBNxyA41QMwB1S36+tyzoZ3CTWndTAu/5yVLb0VWoniW9S cvf8xULDWBVI48DUKuJ86Bh5aUPNMy2bCMaQc5V88aK5Cc4CG2ZWJu3pJa4+MWq2 CBXgOA3k3qqTIQ5imrRl+9RFYe5WAEnAYNWRauXmQKeJA41bDseUB/Bghy6KY3y+ uuIelphX3pz36cRQd83CIs6IjH0TQ0slizGsmdQ8jVDEbK+kWzSegOo90E8hepQg p929lZbUhpg98G2Fv7cLQ1W7+39dqrqcJubXb0xUcvBp6b9uEUJigRaYJJjxFBUc wtR6sTMqZeyQE/EDubgKMepaY7BWe8K/kDRFzPuGf3LSxZUFtXdsXHixOz6GUBjT oRgtF/QyPIDBlxzWriBI7hbY/4vcQ/XQ7/Q4+x5Q28CNsmw9dmqrolCel8Tvaqmy eFbbIDl+tQn+GolIs9xudzTx4lu1DGYrONoK7Gpb83UxQahkeUEryqhUJApxBskk 3Yt8nG0wWP2U8rZ8JbrWAFNIZU4/j6t+FcFctuh1bnyd88bSuQgEMbcGZ40AP9nS LBz716wDKXX8EOoJT6jjwZ7u =VIf8 -----END PGP SIGNATURE-----