From nobody Wed Jun 17 16:41:26 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ggV466xxRz6h7gy for ; Wed, 17 Jun 2026 16:41:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ggV464nqlz3HXs; Wed, 17 Jun 2026 16:41:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781714486; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=22BPvHtMw8vGhKctiGFKQpbdVsl7Fy29bPNP0X9RMwc=; b=coC2td/IIUU53M/Orc6k8nS7Aw68OBW74P6+mq5q4BTDUG/mit5NRRxc/OU8pVILdkVmjN BO9K/ptJ/oqmbO1Roy8w8ST0ifLLdP8fJ1Vhsop6czY6VvzR22sBRADh9S0SWnfMiT7neY mjKo4p2CW4eYPjylzkNZY3PuU9Q8rKEsHT0e/3BhJDRrVCkxE2CLSWLVsqplw+YLRpAcyR 0fz80BRpqfSJFOQLSr2V+yAapD4ruBcrtvpMmvY6geBsAQZ5HYnMTx77nh0IfocQzNcU8b yCXV9s6hdfh7MsQgHcuECtYxREoEQ5nJCdlkkO1wFUdOzRi+rkrJEd9xftikQQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781714486; a=rsa-sha256; cv=none; b=JsyHTCM0BJ954MZ/8mQUCDcuPGJWla1xkvkBr1iE8TubCy4J66alrdofrVOecva8Bt2bgg ENyOIIc9nm8OEy+z9/3fy2log2xGji9uh5yhkbVmPOOg6WnXlMU/JKdeqzq2lZcM+AXsb5 PzOdYEwegbs6Mo+vnA3tejGLb8/uRoE+itqFYsvOgYS/VgDH6ZoHyctPCI+DoT4hRSPG7n 10HRsFwtu6k5RZdZMXN0XVfp8JuSWSIWdcG6M1DMmbqHK6J2lyH+JkGGeYRAKhpAeU7U1Y vLDmWaFhHe/NnCAed4YUsXYy8wSDXM3OseFW/ov8k6rXJV48TtHYfewhQsvgaw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781714486; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=22BPvHtMw8vGhKctiGFKQpbdVsl7Fy29bPNP0X9RMwc=; b=DdGIUGIXCC2gSSBeQfVHup9F+rsI5NqNlvBfEbkcMhCXQ+QPHO+98cnc9WK8Tgg7+SUvgz 4tBWbtq8sW+4q5xyYDua+6d07Wg1CJqEbk2ha9bvymPIvgOv+5Sxm6W+q5kWhU4ffG8Rtb NCJRLeBbbijnnvyRHq3d4HOmTz5o4KSArx9wWVxyvb+iJt2X/8UgxHFU6IrjwKZiKb27zt Q25+bmyxKoFq6LWFzw2tpl0Nlk2OWcr8n8hQATXrqjk0FOQSBcGZb7t0rAsAcsll2IOMWc Q2yZ5J072F7NYSKd+mgxsM1ak8tpGe7o8GM/X4TpYNfNs0ZAbjSNu5//weVo1A== Received: by freefall.freebsd.org (Postfix, from userid 945) id 81E521C6D6; Wed, 17 Jun 2026 16:41:26 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260617164126.81E521C6D6@freefall.freebsd.org> Date: Wed, 17 Jun 2026 16:41:26 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:26.ktls Security Advisory The FreeBSD Project Topic: Arbitrary file overwrite via the KTLS receive path Category: core Module: ktls Announced: 2026-06-09 Credits: Bumsrakete Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-45257 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 -- Initial revision v1.1 -- Update workaround section I. Background Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing into the kernel, allowing applications to encrypt and decrypt socket data without copying it to and from userspace and to serve TLS data with sendfile(2). When a connection uses software KTLS on the receive path, the kernel decrypts each incoming TLS record in place within the socket buffer. II. Problem Description The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data. III. Impact An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system. IV. Workaround Set sysctl kern.ipc.tls.enable=0 to disable KTLS entirely. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc # gpg --verify ktls.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ a51345704403 stable/15-n283882 releng/15.1/ 48c1c5e3c348 releng/15.1-n283550 releng/15.0/ 540a315cdb46 releng/15.0-n281052 stable/14/ 333bdd7e9427 stable/14-n274311 releng/14.4/ d43259dd66b3 releng/14.4-n273714 releng/14.3/ af3398862ac0 releng/14.3-n271514 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoyuewbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvze8P/RRvp3TUprrxMgg4prj6 Mv7sglMFvwyVPGJstM0zBV2k+seMm8S5QmJtO+m8N5NHAIyJWL6PzvMFE9klI/IC g8Jov8lcEcAml0G+xJFCPeeG0fYszqtE8/gxGNdatDv01AnMoFnVMUyy4y1QpSyo kJzymPs49LysxggffSmPgmX446hEo7pZ6iQLBuEc0XKNN/7LYmiYq6kcVLzTpkRa kfYwsJphWZkfdR2AVzCSxMiMb9D/NQ7WN96B3o+xYX8XoHgrsQmvZ2YrvRf9nyRs lgAm9QxlkTcWlwPrNoacg2sN/jZFb3k01GRJAFbcKbDP1t3lkFygD+UHNnlStO+s hb5fKHgQgrUpX7atsD2UQ2W+irca0ejLhflxxvgY7pRTLnnmJ20fXDhDn2sWb7zs cPxir+4bJk4IZvomK0raFH5eMeJ434/rfkMjfE87WOEryFHabnGsiH9xO2u6+ADT UhMl4iBY+wOoaHTTqfpOQpAk2/gO7UUvXtbOkEa8SYZjSQAxMAz7nqyL7Lucix9n 7ES4hLmic87cr7+q+8iwvASvcNjlDxqyGYRoLa2+TECsTmKqVbwEEANcufNKemb+ aPoRFi5apShhwe1kl7/vVCDGPtCssRRYZ+ejwpQY6m4PpRKY9soNFUt2WjOGVmaB iQR9r08fcX9SuW2dTuTzXLEi =wfi1 -----END PGP SIGNATURE----- From nobody Wed Jun 17 19:58:01 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ggZS44ZBkz6hhdD for ; Wed, 17 Jun 2026 19:59:00 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Received: from mailgate.Leidinger.net (bastille.leidinger.net [89.238.82.207]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (prime256v1) client-digest SHA256) (Client CN "mailgate.leidinger.net", Issuer "E7" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ggZS30G3vz3wkl for ; Wed, 17 Jun 2026 19:58:59 +0000 (UTC) (envelope-from Alexander@Leidinger.net) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=leidinger.net header.s=outgoing-alex header.b=CaVvUyFp; dmarc=pass (policy=quarantine) header.from=leidinger.net; spf=pass (mx1.freebsd.org: domain of Alexander@Leidinger.net designates 89.238.82.207 as permitted sender) smtp.mailfrom=Alexander@Leidinger.net List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leidinger.net; s=outgoing-alex; t=1781726326; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type; bh=RwHozHdQsQtF8B15Wb/hvxoRipGwkzs2365qej0jweI=; b=CaVvUyFplhdXzjNoYw6veCW6KuDmgdiSEqb8BInrHtrL8tNJPWE8639NZ6DahBkAh1HAj3 7jCRmusNfqA3HTDXAKyuCyEVK52wqg2V61Xn/BlFmiOEqVQHnqQ0veE7QLNezsN+G7zPfg /7i9U9UQFvI+A/tm+2dur/dlIed3GoSRn2aB/22xRj7FsxgIdttgF/KJzxaiUfQWSTF7iC lKUNrohtKZpLjkrNUW5a/zg18grmoRaC5EhZ4pgNoSJ9zxc2dQDWVcgyN+RFT+7zvJVISl tukzk0VhXSLwx6mKKE4kBoD01HP2WVfpJH/uws1lkWMRzGjbBJ1mbW1LWeg/dA== Date: Wed, 17 Jun 2026 21:58:01 +0200 From: Alexander Leidinger To: FreeBSD Security list Subject: Switching on compiler/src options to harden FreeBSD Message-ID: <0d41bfe199e62c951591a2d528b323b0@Leidinger.net> X-Sender: Organization: No organization, this is a private message. Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="=_a2427b35e550a4fff54c825e74bcadb5"; micalg=pgp-sha256 X-Spamd-Result: default: False [-6.00 / 15.00]; SIGNED_PGP(-2.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-0.995]; DMARC_POLICY_ALLOW(-0.50)[leidinger.net,quarantine]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; R_SPF_ALLOW(-0.20)[+mx]; R_DKIM_ALLOW(-0.20)[leidinger.net:s=outgoing-alex]; ONCE_RECEIVED(0.10)[]; MISSING_XM_UA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; RCPT_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:34240, ipnet:89.238.64.0/18, country:DE]; HAS_ORG_HEADER(0.00)[]; DKIM_TRACE(0.00)[leidinger.net:+]; ARC_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; RCVD_COUNT_ZERO(0.00)[0]; TO_MATCH_ENVRCPT_ALL(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@FreeBSD.org]; TO_DN_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; HAS_ATTACHMENT(0.00)[] X-Spamd-Bar: ----- X-Rspamd-Queue-Id: 4ggZS30G3vz3wkl This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --=_a2427b35e550a4fff54c825e74bcadb5 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed Hi, given the numerous talks at BSDCan about security in the last hours, and the mention of maybe enabling fortify by default, I want to point out https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/ I run a lot of this stuff on real workloads. Not in a high performance situation, more of a SOHO workload, but I have mysql, postgresql, redis, java application servers, python application servers, php, nginx, postfix, dovecot, squid, various dns servers (unbound, bind, adguardhome) and samba in >60 jails (some of them service jails, some of them normal jails, some of them service jails in normal jails). All of those build in a local poudirere with those options enabled. This stuff works today, and we should maybe think about just enabling this stuff and go ahead. If it hinders a bit in the performance area, and it is important, it can be deactivated by those which need the last little bit of performance. In my situation where the CPUs are normally not near 100%, I can not feel a difference. Just my 2 cents... Bye, Alexander. -- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF --=_a2427b35e550a4fff54c825e74bcadb5 Content-Type: application/pgp-signature; name=signature.asc Content-Disposition: attachment; filename=signature.asc; size=833 Content-Description: OpenPGP digital signature -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEER9UlYXp1PSd08nWXEg2wmwP42IYFAmoy/FkACgkQEg2wmwP4 2IZQ6Q//TJX3OfjWAlr1lXASYHZukQkrxzLiOr0/hUXOrkuoAgTWI0UpMxZQD5tc Cxy0w4JV7mK8nyya5KMXz3odAMzOkN73XXRAp2vVwDI1PzDTankhqld8MkPlUqeZ zl/F9EczjPIfA2RP86OFAEp1Tg6C+veGmme41gWhcqC8KBJCAclMVhacjyT89hoV J0RLfXEewjMYUkg5QNNH9FWOJpx55RehA9g8vrjMGSr83yr1uQsjD/BRPeG28m78 CCjTXheZ1tFuhMVXxmaO6KnWLzLWI0b9n66rSTdmhocVcjrS8Xk1j5KzzxIuzTrk ifgD0KdPweUCT07iRpyyveCexov/x7oNnt67nv4l7WmlhHLLFcv6dUGXbVx4i9ug p1ANkGvV2vOg8sUBVkMSDsLdmi+pDn4xoGxu9KxlTByn37lWMZtXtgMQv97sJ2q4 DOc1ypFtNsDID/P1BgNfceJJQSo7Kpqc1fxCA2O09ssU3Xy82ufn9K26uAUxpLAi Gh3m0SbTSWzj5kpl1RnHvhaR6/+l2j7MKwCtaP06Ydb8KICsnAVtApiFpdiNQZEn X9f3v7gL2+QmiPRrCOcS7Sbxyi/gMcEF5wrrpjHw/2GUIfdTnha0o2WklRKlc5nr r215PWWWUlVibnJM490Nw1fSeVB1IIYQcGutTRxe65cCMf0xLBQ= =f7c0 -----END PGP SIGNATURE----- --=_a2427b35e550a4fff54c825e74bcadb5-- From nobody Wed Jun 17 20:11:57 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ggZl71bXRz6hjqT for ; Wed, 17 Jun 2026 20:12:03 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "YR1" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ggZl716yqz41f8; Wed, 17 Jun 2026 20:12:03 +0000 (UTC) (envelope-from kevans@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781727123; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Z++HkWdYU5XIaqWuf52OLmKAw9rwmCU2opgDtmV1frI=; b=DCqDZsZIlxJqwE7BuJCRr68rPRe5sTGng8mTMvNkVP644YfriyLuUHg7NBsghSluD509Q/ LRIxJgod3NalivbFs14RxTDtcHyL0afBDQnwzVMYCKXs0oYOYs8khNxd2U2tN61XRkLIpE V3UUd22zAMHPkTtXSgMOMqYdRQkQAiIMhurK5kEQOu/XWgBL8Zt/bgXUjbtnDoN79yZ8Ip b4iddTpSHuzduEizSWWp32Sse79AeKYLpEP3PU6A0Bn/EgzkPz7ocT2UPklzhhT+HYJVZE HAeZXQW5dxkBh6bN146OkisvIwrbQnZ6x6gxHx3dto2uEVYdPl0Ope4ePHcQyQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781727123; a=rsa-sha256; cv=none; b=lOpjE2WDbxGX9Q+xtbuOM5SX/i4ZTW+yg9WX/AA7fzj3OrWZcRxE0BsHx+5HcAizr4vigT QG6rAZ62yjs3y/P2JukXEaIFPWq+NN53NDIqwLVzASLFRrQ2AUaJh35qqPAGGjXTnTBiPN +7TiyBlgF0+N01GqajbGrBCYIpMH5cQoFdkCVrBgd4QMnIZ45ZhPC9nO6YYzTsb5E5Pc9R KsMOJq96jOdbU+BIBRK98HcxuJFRYnRJEM5NFslF90AaAmpEYAvJFM9K+wf7d/RGqtFcKS kQZQjPtHF0C+sG5/+ZsdSEiRQRTeRkFV32jAYjmWq7OQDi0ehN5SVrgA0muEFg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781727123; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Z++HkWdYU5XIaqWuf52OLmKAw9rwmCU2opgDtmV1frI=; b=t0asWo6GocUYU+l5AzCyGVMSNEBJ6KWEfYH8Iw2Bvg19evwtbmOylTiiQ7CbRHMU7oqSei Fxu8l803eoGfzbBaGB2Bcu3bwv9b29QqE2plT71iCJD5je10OV6dJ0ZF7Ehk/a5rqjJuOF 81xOkGrx9SW93zVcbM+fwGf+XDtnwwKPYy4dD9364hLj5GaDDVz5LUGLY256f4DkxWOI8v D29JAA1yBR5Yh+cYY0bsqMf4rg84vIhTTPvLrkDZeFpB2SnIKyxzq3+f/uFwav49rNu/CR CTyNtvGIhRMrUKXvAGo9IUMX5WtRo5raJxeBGJxmGZ8Dhvm2NqVnEbTRmuHxjQ== Received: from [10.19.140.219] (unknown [91.209.212.136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: kevans/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4ggZl56sSpzvsH; Wed, 17 Jun 2026 20:12:01 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Message-ID: <54152c1e-8c3a-47a5-83b2-4bd0f781e03f@FreeBSD.org> Date: Wed, 17 Jun 2026 16:11:57 -0400 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Switching on compiler/src options to harden FreeBSD To: Alexander Leidinger , FreeBSD Security list References: <0d41bfe199e62c951591a2d528b323b0@Leidinger.net> Content-Language: en-US From: Kyle Evans In-Reply-To: <0d41bfe199e62c951591a2d528b323b0@Leidinger.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 6/17/26 15:58, Alexander Leidinger wrote: > Hi, > > given the numerous talks at BSDCan about security in the last hours, and the mention of maybe enabling fortify by default, I want to point out > https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/ > > I run a lot of this stuff on real workloads. Not in a high performance situation, more of a SOHO workload, but I have mysql, postgresql, redis, java application servers, python application servers, php, nginx, postfix, dovecot, squid, various dns servers (unbound, bind, adguardhome) and samba in >60 jails (some of them service jails, some of them normal jails, some of them service jails in normal jails). All of those build in a local poudirere with those options enabled. > > This stuff works today, and we should maybe think about just enabling this stuff and go ahead. If it hinders a bit in the performance area, and it is important, it can be deactivated by those which need the last little bit of performance. In my situation where the CPUs are normally not near 100%, I can not feel a difference. > I missed the FORTIFY callout, but I have one more patch to fix the last failure in our test suite with it enabled: https://reviews.freebsd.org/D57356. I note that in the associated PR, only one issue was a case where _FORITFY actually kind-of broke the underlying functionality[*]. The others are cases where the test simply shouldn't build with _FORTIFY_SOURCE because they're intentionally overflowing. I poked Simon for a sanity check and I plan to wordsmith the comment I dropped in bsd.sys.mk tonight (and push it). I don't have a problem pitching a diff to lift it to an =2 default as soon as right after that- I've received enough reports from folks that build and use it to suggest that nobody's world will be severely blown up, but it's worth cautioning about anyways when we raise the default. Thanks, Kyle Evans [*] That functionality being that Annex K specifies how to handle too-large buffer sizes, which one presumably wouldn't be doing intentionally. From nobody Thu Jun 18 09:42:06 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ggwjx2BQnz6grX1 for ; Thu, 18 Jun 2026 09:42:13 +0000 (UTC) (envelope-from lumiwa@dismail.de) Received: from mx2.dismail.de (mx2.dismail.de [159.69.191.136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA512) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4ggwjw3J9nz3MkL; Thu, 18 Jun 2026 09:42:12 +0000 (UTC) (envelope-from lumiwa@dismail.de) Authentication-Results: mx1.freebsd.org; none Received: from mx2.dismail.de (localhost [127.0.0.1]) by mx2.dismail.de (OpenSMTPD) with ESMTP id ffd77e62; Thu, 18 Jun 2026 11:42:09 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=dismail.de; h=date:from :to:cc:subject:message-id:in-reply-to:references:mime-version :content-type:content-transfer-encoding; s=20190914; bh=TgLCrj8B nikB7BHsTS4Zz4yT/jLAm/OdfNTbOtj7qBc=; b=sZmj1hYZPzProZN81UIbBS/u ombbFSiUCrGrku8k1PjypOEshayAbI8Iqu4CZwJLufdVUlV3gT42kylOLnQSHlrW Byfw/ccykwbw4Tbt7DzTCYUtGFZA74XvpXs+vU48p0oZ3ZmtNb6OZ6vX2lidaknh 2mOl+TfWo4aqSowzAFXwdiPJ6GSVgHCTRdCLKm5ezCZLd9PVtsPpU/jGZkYY4B5E wJv/3hbCTi9a82Xo68oTnDnvDZ9ZSrs/tk6/WWVAlpcvjqQd0tao7mPvtOcnSDnd mkoXgTue7gSWFtz9JVHTJza5av5QvakUKrt2SOyosbrR5ark1N9g4O5ofEg9Jg== Received: from smtp1.dismail.de ( [10.240.26.11]) by mx2.dismail.de (OpenSMTPD) with ESMTP id b5959d20; Thu, 18 Jun 2026 11:42:09 +0200 (CEST) Received: from smtp1.dismail.de (localhost [127.0.0.1]) by smtp1.dismail.de (OpenSMTPD) with ESMTP id 8ec4beb5; Thu, 18 Jun 2026 11:42:09 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; s=20190914; bh=TgLCrj8Bnik B7BHsTS4Zz4yT/jLAm/OdfNTbOtj7qBc=; h=references:in-reply-to:subject: cc:to:from:date; d=dismail.de; b=j8VNztEWTMxQzmz65CMG3dj4xf5PeJnjmE5x0 NFMut+pf/IYQ38ld4taqL2HJXNPaC9Y9wkhRUuDDcEJvEMw808bFVrHxfYGWOaxQYcQ+yb BNS/7B93RJ3ith3it2nJlNShND8CNJs/fv7ZtT2OqBG0WoeiLykMq2SvJz6CwD60W7pjj4 BcQhnc1kZaYAIdKqlUwnjiwATD7NCf82IYNiuyXCrp/cfm4wmgaTU/p7rwir3RN38PFnUa vxzaS5g6ydOCGpEJZJiYqcZbQGyA3aDR802NGUzeqqfY+4qWuOAQ2AJF2JwT+0o8NAJ8KK KGof12fjdr3PY71KobJCo0jjg== Received: by dismail.de (OpenSMTPD) with ESMTPSA id e220d028 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Thu, 18 Jun 2026 11:42:08 +0200 (CEST) Date: Thu, 18 Jun 2026 09:42:06 -0000 From: LuMiWa To: FreeBSD Security Advisories Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] Message-ID: <20260618094206.18231bcd.lumiwa@dismail.de> In-Reply-To: <20260617164126.81E521C6D6@freefall.freebsd.org> References: <20260617164126.81E521C6D6@freefall.freebsd.org> X-Mailer: Claws Mail 4.4.0 (GTK 3.24.52; amd64-portbld-freebsd15.0) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:24940, ipnet:159.69.0.0/16, country:DE] X-Rspamd-Queue-Id: 4ggwjw3J9nz3MkL X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated On Wed, 17 Jun 2026 16:41:26 +0000 (UTC) FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 >=20 > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > FreeBSD-SA-26:26.ktls Security Advi= sory > The FreeBSD Pro= ject >=20 > Topic: Arbitrary file overwrite via the KTLS receive path >=20 > Category: core > Module: ktls > Announced: 2026-06-09 > Credits: Bumsrakete > Affects: All supported versions of FreeBSD > Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE) > 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1) > 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10) > 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE) > 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6) > 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15) > CVE Name: CVE-2026-45257 >=20 > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . >=20 > 0. Revision History >=20 > v1.0 -- Initial revision > v1.1 -- Update workaround section >=20 > I. Background >=20 > Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing > into the kernel, allowing applications to encrypt and decrypt socket data > without copying it to and from userspace and to serve TLS data with > sendfile(2). When a connection uses software KTLS on the receive path, > the kernel decrypts each incoming TLS record in place within the socket > buffer. >=20 > II. Problem Description >=20 > The KTLS receive path decrypted each record in place, assuming that the > mbufs holding received data were anonymous and safe to modify. This > assumption does not hold for data placed on a socket by sendfile(2), > which can reference file-backed memory directly through non-anonymous > M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data > over a loopback connection without enabling KTLS on the transmit side, > the file-backed mbufs reach the receiver's decryption path unchanged. > Decrypting a record in place then overwrites the backing file's page > cache instead of a private copy of the data. >=20 > III. Impact >=20 > An unprivileged local user who can read a file can overwrite its > contents with data of their choosing by sending the file over a loopback > connection on which they have enabled KTLS receive. The write modifies > the page cache directly, so it bypasses file flags such as schg and is > written back to disk. By overwriting a setuid binary or other trusted > file, a local user can escalate privileges, potentially gaining full > control of the affected system. >=20 > IV. Workaround >=20 > Set sysctl kern.ipc.tls.enable=3D0 to disable KTLS entirely. >=20 > V. Solution >=20 > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date, > and reboot the system. >=20 > Perform one of the following: >=20 > 1) To update your vulnerable system installed from base system packages: >=20 > Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 > platforms, which were installed using base system packages, can be updated > via the pkg(8) utility: >=20 > # pkg upgrade -r FreeBSD-base > # shutdown -r +10min "Rebooting for a security update" >=20 > 2) To update your vulnerable system installed from binary distribution se= ts: >=20 > Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platfo= rms > which were not installed using base system packages can be updated via the > freebsd-update(8) utility: >=20 > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for a security update" >=20 > 3) To update your vulnerable system via a source code patch: >=20 > The following patches have been verified to apply to the applicable > FreeBSD release branches. >=20 > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. >=20 > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc > # gpg --verify ktls.patch.asc >=20 > b) Apply the patch. Execute the following commands as root: >=20 > # cd /usr/src > # patch < /path/to/patch >=20 > c) Recompile your kernel as described in > and reboot the > system. >=20 > VI. Correction details >=20 > This issue is corrected as of the corresponding Git commit hash in the > following stable and release branches: >=20 > Branch/path Hash Revision > - -----------------------------------------------------------------------= -- > stable/15/ a51345704403 stable/15-n283882 > releng/15.1/ 48c1c5e3c348 releng/15.1-n283550 > releng/15.0/ 540a315cdb46 releng/15.0-n281052 > stable/14/ 333bdd7e9427 stable/14-n274311 > releng/14.4/ d43259dd66b3 releng/14.4-n273714 > releng/14.3/ af3398862ac0 releng/14.3-n271514 > - -----------------------------------------------------------------------= -- >=20 > Run the following command to see which files were modified by a > particular commit: >=20 > # git show --stat >=20 > Or visit the following URL, replacing NNNNNN with the hash: >=20 > >=20 > To determine the commit count in a working tree (for comparison against > nNNNNNN in the table above), run: >=20 > # git rev-list --count --first-parent HEAD >=20 > VII. References >=20 > >=20 > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- >=20 > iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoyuewbFIAAAAAABAAO > bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvze8P/RRvp3TUprrxMgg4prj6 > Mv7sglMFvwyVPGJstM0zBV2k+seMm8S5QmJtO+m8N5NHAIyJWL6PzvMFE9klI/IC > g8Jov8lcEcAml0G+xJFCPeeG0fYszqtE8/gxGNdatDv01AnMoFnVMUyy4y1QpSyo > kJzymPs49LysxggffSmPgmX446hEo7pZ6iQLBuEc0XKNN/7LYmiYq6kcVLzTpkRa > kfYwsJphWZkfdR2AVzCSxMiMb9D/NQ7WN96B3o+xYX8XoHgrsQmvZ2YrvRf9nyRs > lgAm9QxlkTcWlwPrNoacg2sN/jZFb3k01GRJAFbcKbDP1t3lkFygD+UHNnlStO+s > hb5fKHgQgrUpX7atsD2UQ2W+irca0ejLhflxxvgY7pRTLnnmJ20fXDhDn2sWb7zs > cPxir+4bJk4IZvomK0raFH5eMeJ434/rfkMjfE87WOEryFHabnGsiH9xO2u6+ADT > UhMl4iBY+wOoaHTTqfpOQpAk2/gO7UUvXtbOkEa8SYZjSQAxMAz7nqyL7Lucix9n > 7ES4hLmic87cr7+q+8iwvASvcNjlDxqyGYRoLa2+TECsTmKqVbwEEANcufNKemb+ > aPoRFi5apShhwe1kl7/vVCDGPtCssRRYZ+ejwpQY6m4PpRKY9soNFUt2WjOGVmaB > iQR9r08fcX9SuW2dTuTzXLEi > =3Dwfi1 > -----END PGP SIGNATURE----- >=20 I try to update and got: "freebsd-update fetch Looking up update.FreeBSD.org mirrors... 3 mirrors found. Fetching metadata signature for 15.0-RELEASE from update2.freebsd.org... do= ne. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. No updates needed to update system to 15.0-RELEASE-p10." Is it okay, please? Thank you. --=20 =E2=80=9CSome people talk in their sleep. Lecturers talk while other people= sleep=E2=80=9D =E2=80=95 Albert Camus=20 From nobody Thu Jun 18 13:25:17 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gh1gS1JZcz6hCrx for ; Thu, 18 Jun 2026 13:25:24 +0000 (UTC) (envelope-from des@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "YR1" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gh1gS0Jz1z3mHr; Thu, 18 Jun 2026 13:25:24 +0000 (UTC) (envelope-from des@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781789124; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pgzkNag59WOP4hoUKnZBtVMch8xbBGE68cQRicOFZ1w=; b=AQf+fLiFOmuq370MeXk39oOWwTNH/lUeHSsRSyHoZjSonQYpIqCZwQh/gXZ7fswKUNdCgD 9aZkUuviCTjW0J7mmFxCHclyLYqVzFiqDBsYsWnKVgTZ3Z/6ik+E1C55kh2tYSMjrp6EYE dFhvRj7ew5TfwD9k8ies7eIYwu7Wk8q9LON7jq63eI77dOb/+5qtX7jRGqK3vJCsXEZ+CR zEu1fNixTvHSqBCUVJozMadvIhOFdo9vA894TpkMft0UHBmAgs2L1ZLGAyC9wuDtxbJ/hB uhScDW2RkO8nb5wAIiSHkzIPCokoOb1qheoiCJ8TRav5TAQZTwLEu0OLdqHS/w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781789124; a=rsa-sha256; cv=none; b=Aul3/Vt6IDUK/gC6C8EuJGRLaNC7Dec6bGesU9z+2Iz2F2oT3rBeCCbEhhIOr/ZwcrNaix 2fbWGkAnGbDTSZjLLGhYvngb4V+hXH74m7JhqF0kqR2FOfrFGQp+dprzw/bFqBwlh/xyMO obUzemivGb9xCBvdwCRvoMUKb3XB5UqWsTE+XYJ0ZZxe6m07iOSAhQaSHZCK0/ALBe+5N+ 62TfyVMa6ii42dphM4IGmCdfaWUi0G3yM3m3UfUThSWitGcxhjRiEgDQCnAOZ4UuoefB3a jAW7AmFrtBqO65h27mw0+cMBDmDG6vf9U0KvCRmbEdNybWX0g8cWpO2FSRuCLA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781789124; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pgzkNag59WOP4hoUKnZBtVMch8xbBGE68cQRicOFZ1w=; b=OneHH/SeGcnNyNltwJZila4k2vKTi1NAFQ3uIUS9BvJYLWw+MMgn2f3WceXct61fqFeSXT 15HPbUhQQ5wXdFTjy6Axy5x67TrVx2DIP/xZUfnr2iBi5sjgj3jwEDjVpxo2AWEHYu4b8n 6ronRsvJH+a8HRE1ogECHHjOVq8cs9SPoHQV4O213BWhfSFD+vPuirPWc85HWU5HrNmwz1 y/7bfveJEDvp+WsT2ZwkrxBce2y6wbQKqp2Lyi7MmUd12zilGvccwFcc2Fj6KW8N7wx44i G/ABwIgyOtV4yN841bg/wuQ8Yihk7Z5XKQv8WzYYUOKipi985PdYrUOAdf/EXQ== Received: from ltc.des.dev (2a01cb0585070b0036e894fffeca9834.ipv6.abo.wanadoo.fr [IPv6:2a01:cb05:8507:b00:36e8:94ff:feca:9834]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: des/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4gh1gR4StXz1xK; Thu, 18 Jun 2026 13:25:23 +0000 (UTC) (envelope-from des@freebsd.org) Received: by ltc.des.dev (Postfix, from userid 1001) id 6E501C64D3; Thu, 18 Jun 2026 15:25:17 +0200 (CEST) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: LuMiWa Cc: FreeBSD Security Advisories , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] In-Reply-To: <20260618094206.18231bcd.lumiwa@dismail.de> (lumiwa@dismail.de's message of "Thu, 18 Jun 2026 09:42:06 -0000") References: <20260617164126.81E521C6D6@freefall.freebsd.org> <20260618094206.18231bcd.lumiwa@dismail.de> User-Agent: Gnus/5.13 (Gnus v5.13) Date: Thu, 18 Jun 2026 15:25:17 +0200 Message-ID: <86tsr02d6q.fsf@ltc.des.dev> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable LuMiWa writes: > I try to update and got: > [...] > No updates needed to update system to 15.0-RELEASE-p10. > > Is it okay, please? The email you replied to already contains all the information you need to make that determination. Please take the time to read it. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@FreeBSD.org From nobody Thu Jun 18 13:30:23 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gh1nc3r4zz6hDRJ for ; Thu, 18 Jun 2026 13:30:44 +0000 (UTC) (envelope-from droidbittin@gmail.com) Received: from mail-dy1-x1334.google.com (mail-dy1-x1334.google.com [IPv6:2607:f8b0:4864:20::1334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gh1nc0NZMz3nnw for ; Thu, 18 Jun 2026 13:30:44 +0000 (UTC) (envelope-from droidbittin@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-dy1-x1334.google.com with SMTP id 5a478bee46e88-30bcf74e617so2065231eec.1 for ; Thu, 18 Jun 2026 06:30:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1781789437; cv=none; d=google.com; s=arc-20240605; b=SPZqmoNI1FZQKjGZsSLAnQ2s0nop2Si75etfx3PZcAoNOXXB4NlMh9RTiSIkw/jVwP SqECf0hv6cGTbiGjnvz2j2R0ggJf8KlfTT5OJl8w3b1zKCdQQvaWvJNvGv5S8C2gfyyq lMlAJR14vVMxbQcdHcZBGrpV4WZG6yfYQiWRq3bq/RAwLFBKK0BHt5Mt2kxRBQdD253Z rnvU5+gqhSa0vz4rnY8p6HsZapyD0O80Rsiqt0mQP0i0qUG5UzFduWBJ9js2yzoIXx7R l5Y5oUXsdg2xz7Wr0HHErW4NePuAuce4v2AwrKhE9fSllc67ZNE9skaqmkrXTAj9bHHH O42Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=l/3gkDtrNuSZqn2z359ZfpWCBPDI+NvRe0+zX0mVFjc=; fh=K4pb4EFUR7Z3sCxpWX19U1FjubsjzOpgdiwyH6S/wrc=; b=cPI2nWjb9/7Z8qkLvkcJ0FZ5rY1ux1zRhyDhQ8SN7R7tU2Ccc1mqRroY+Ln3xVnvqh yclnQT9HQ/0m4jn9DEyKH+TqsUFfE5VLfhQZMJJegeKBqkZsfIUah2wErnLxxsSgviyS 642ul3aVToRL0WLbsMHrKAHFA450AxX27NHwizYkIjl5BaR5jrcgcb9qXl+H7OJ9hgdZ 4eiHP0ExlLw5QX6GxUYrlRpBvggcIORmRATFzgUw1wSHUeTErAd423MqHcg+pMxO12Dp Atih+nTktgRTvD25vYq30cRvJwNxuHUvpH5lmlZdolcaLdiwYr0AERC2871GFHf9o7i/ r0+A==; darn=freebsd.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1781789437; x=1782394237; darn=freebsd.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=l/3gkDtrNuSZqn2z359ZfpWCBPDI+NvRe0+zX0mVFjc=; b=DWgtk2LUuZHPCnqQkR6MYr7aCw67RasEHuc4rqBG1WaiBiaThiyN8z2yLtMqrMUkf1 9CStFSVkJj21JUfel25i8GPrbqTj6kOntjS90rBPHb8X7yK36DJrRCOO972EYZm7L9XK cCdHxLicwN/BxjHnImGl1eh1praJ669XgoyG9K3pPYfUenSflF8948ePKPfjOA+LmbIh Gui8o6j/ROwjk88c9TfoQAT5EOasiDdjLntBCXBzhdc1ATsDjRsT54ZBciYB+yV34c9b +iILu6k8of9mKJLswJc0usifYknvgQKXV4pylPdIT7ERWBPP1KjkSVWPV7yACGZxOKWF q1+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781789437; x=1782394237; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=l/3gkDtrNuSZqn2z359ZfpWCBPDI+NvRe0+zX0mVFjc=; b=NpBtXfNDG6hWSEdudZGi4/ruHRdMf+s4a+fIFa5J9PSVyy8iqlXz1S4wR/Od/PwB8t aYs/gha1eiFtrhtgexhSVy9pe8a1mFbIoqiuXD9XVtp1tVhKpRFnVDEFBvrlEij2+pZr f5VxRQlliZ7e0MODvHxyrn2vbZk2e19uR1PXef5/wREa6xdagdZdq+r+7U82MRuidsvC hGvjfkKwyPcI3ucaUDXs9GJbkHYZoRcC+GAEEqpHsXSm+YyzJQTY6ckZ3GGcKlzgf4EG Olv5EJfpDAtekTyaopB5jtit1LnD35jRo3FNLo5wyO/PN3sD6UgNBp12DI8ADdtFGm0u QG6A== X-Gm-Message-State: AOJu0YwosXIk9b7+Q5/7ct1eqfVP/6QugcH/R7U7ZXbmk3SgmmVtjPJZ ob1srHTSJrFqz+8mfNJfAWoc8UuToiKdXTPVk/rHfLy+pY35kZfmsgHsLFdhBU1tWm0rZAt8Lgf KQocFJFaQO4YcQtrJ0b5cYoOfaGxaMbZoIMRLBOpV3Q== X-Gm-Gg: AfdE7ckncL1lvOROthIDjDQlrRwRGoL6tWdnIRA4r20EQ81qCa9gIwQhJLl1gVxIGCB Y4E3zLluQBJwNFNz/iOysNXpZoRBxzWR4tTbW/XhZ5ifi9oAvCESR3BtUKtAJBCHzrJTCp7AnYN cB+JwAOf7NyIDvRRLeFJ2Xv0Ab8SBP4rkBSCkYUZL8b1Z4oKIIKuHtm3ryaBD2bK7PTrBHXzpCC CJGtEUJJUcFfqjsHx8QndcE6WN/lL1Wb+Wtl+oCm5UqPb8JiB8BuDIuVx4mWURPKwvlc8/N9SYl gVuYXDyNk8jXWDu1rIrDy/8mPFRv9rRnjBXzulF1T1zTEYviFJe744r0MdeNpYEoV4KcEu3iEDa Gir2jfXo2E6jfkaNovgblu5TrDF2sKrGkFv5byNK3GWZK9TVY+hWGKjLHnTebZpHf4SBT2yKdo8 mugF0+dne+ X-Received: by 2002:a05:7301:ea7:b0:2d9:6373:ad22 with SMTP id 5a478bee46e88-30bf717370bmr2319367eec.12.1781789436891; Thu, 18 Jun 2026 06:30:36 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 References: <20260617164126.7935B1C98D@freefall.freebsd.org> In-Reply-To: <20260617164126.7935B1C98D@freefall.freebsd.org> From: Luna Jernberg Date: Thu, 18 Jun 2026 15:30:23 +0200 X-Gm-Features: AVVi8CcnglGOCtlqr3Y2vQXdyLVCh6ubK3k09uRZgCPbKdyeDcEDwZjdnv2jvE0 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] To: freebsd-security@freebsd.org Cc: FreeBSD Security Advisories Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US] X-Rspamd-Queue-Id: 4gh1nc0NZMz3nnw X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated And this got mentioned in the Swedish G=C3=B6teborg IT-Security podcast yesterday: https://sakerhetspodcasten.se/posts/sakerhetspodcasten_305_ostru= kturerat_v_25/#bumsrake-freebsd-ktls-kernel-s%C3%A5rbarhet Den ons 17 juni 2026 kl 18:44 skrev FreeBSD Security Advisories : > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > FreeBSD-SA-26:26.ktls Security Advi= sory > The FreeBSD Pro= ject > > Topic: Arbitrary file overwrite via the KTLS receive path > > Category: core > Module: ktls > Announced: 2026-06-09 > Credits: Bumsrakete > Affects: All supported versions of FreeBSD > Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE) > 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1) > 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10) > 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE) > 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6) > 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15) > CVE Name: CVE-2026-45257 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > 0. Revision History > > v1.0 -- Initial revision > v1.1 -- Update workaround section > > I. Background > > Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing > into the kernel, allowing applications to encrypt and decrypt socket data > without copying it to and from userspace and to serve TLS data with > sendfile(2). When a connection uses software KTLS on the receive path, > the kernel decrypts each incoming TLS record in place within the socket > buffer. > > II. Problem Description > > The KTLS receive path decrypted each record in place, assuming that the > mbufs holding received data were anonymous and safe to modify. This > assumption does not hold for data placed on a socket by sendfile(2), > which can reference file-backed memory directly through non-anonymous > M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data > over a loopback connection without enabling KTLS on the transmit side, > the file-backed mbufs reach the receiver's decryption path unchanged. > Decrypting a record in place then overwrites the backing file's page > cache instead of a private copy of the data. > > III. Impact > > An unprivileged local user who can read a file can overwrite its > contents with data of their choosing by sending the file over a loopback > connection on which they have enabled KTLS receive. The write modifies > the page cache directly, so it bypasses file flags such as schg and is > written back to disk. By overwriting a setuid binary or other trusted > file, a local user can escalate privileges, potentially gaining full > control of the affected system. > > IV. Workaround > > Set sysctl kern.ipc.tls.enable=3D0 to disable KTLS entirely. > > V. Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date, > and reboot the system. > > Perform one of the following: > > 1) To update your vulnerable system installed from base system packages: > > Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 > platforms, which were installed using base system packages, can be update= d > via the pkg(8) utility: > > # pkg upgrade -r FreeBSD-base > # shutdown -r +10min "Rebooting for a security update" > > 2) To update your vulnerable system installed from binary distribution se= ts: > > Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platfo= rms > which were not installed using base system packages can be updated via th= e > freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for a security update" > > 3) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc > # gpg --verify ktls.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > and reboot the > system. > > VI. Correction details > > This issue is corrected as of the corresponding Git commit hash in the > following stable and release branches: > > Branch/path Hash Revision > - -----------------------------------------------------------------------= -- > stable/15/ a51345704403 stable/15-n283882 > releng/15.1/ 48c1c5e3c348 releng/15.1-n283550 > releng/15.0/ 540a315cdb46 releng/15.0-n281052 > stable/14/ 333bdd7e9427 stable/14-n274311 > releng/14.4/ d43259dd66b3 releng/14.4-n273714 > releng/14.3/ af3398862ac0 releng/14.3-n271514 > - -----------------------------------------------------------------------= -- > > Run the following command to see which files were modified by a > particular commit: > > # git show --stat > > Or visit the following URL, replacing NNNNNN with the hash: > > > > To determine the commit count in a working tree (for comparison against > nNNNNNN in the table above), run: > > # git rev-list --count --first-parent HEAD > > VII. References > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoyuewbFIAAAAAABAAO > bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvze8P/RRvp3TUprrxMgg4prj6 > Mv7sglMFvwyVPGJstM0zBV2k+seMm8S5QmJtO+m8N5NHAIyJWL6PzvMFE9klI/IC > g8Jov8lcEcAml0G+xJFCPeeG0fYszqtE8/gxGNdatDv01AnMoFnVMUyy4y1QpSyo > kJzymPs49LysxggffSmPgmX446hEo7pZ6iQLBuEc0XKNN/7LYmiYq6kcVLzTpkRa > kfYwsJphWZkfdR2AVzCSxMiMb9D/NQ7WN96B3o+xYX8XoHgrsQmvZ2YrvRf9nyRs > lgAm9QxlkTcWlwPrNoacg2sN/jZFb3k01GRJAFbcKbDP1t3lkFygD+UHNnlStO+s > hb5fKHgQgrUpX7atsD2UQ2W+irca0ejLhflxxvgY7pRTLnnmJ20fXDhDn2sWb7zs > cPxir+4bJk4IZvomK0raFH5eMeJ434/rfkMjfE87WOEryFHabnGsiH9xO2u6+ADT > UhMl4iBY+wOoaHTTqfpOQpAk2/gO7UUvXtbOkEa8SYZjSQAxMAz7nqyL7Lucix9n > 7ES4hLmic87cr7+q+8iwvASvcNjlDxqyGYRoLa2+TECsTmKqVbwEEANcufNKemb+ > aPoRFi5apShhwe1kl7/vVCDGPtCssRRYZ+ejwpQY6m4PpRKY9soNFUt2WjOGVmaB > iQR9r08fcX9SuW2dTuTzXLEi > =3Dwfi1 > -----END PGP SIGNATURE----- >