From nobody Wed Jun 17 16:41:26 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ggV466xxRz6h7gy for ; Wed, 17 Jun 2026 16:41:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ggV464nqlz3HXs; Wed, 17 Jun 2026 16:41:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781714486; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=22BPvHtMw8vGhKctiGFKQpbdVsl7Fy29bPNP0X9RMwc=; b=coC2td/IIUU53M/Orc6k8nS7Aw68OBW74P6+mq5q4BTDUG/mit5NRRxc/OU8pVILdkVmjN BO9K/ptJ/oqmbO1Roy8w8ST0ifLLdP8fJ1Vhsop6czY6VvzR22sBRADh9S0SWnfMiT7neY mjKo4p2CW4eYPjylzkNZY3PuU9Q8rKEsHT0e/3BhJDRrVCkxE2CLSWLVsqplw+YLRpAcyR 0fz80BRpqfSJFOQLSr2V+yAapD4ruBcrtvpMmvY6geBsAQZ5HYnMTx77nh0IfocQzNcU8b yCXV9s6hdfh7MsQgHcuECtYxREoEQ5nJCdlkkO1wFUdOzRi+rkrJEd9xftikQQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781714486; a=rsa-sha256; cv=none; b=JsyHTCM0BJ954MZ/8mQUCDcuPGJWla1xkvkBr1iE8TubCy4J66alrdofrVOecva8Bt2bgg ENyOIIc9nm8OEy+z9/3fy2log2xGji9uh5yhkbVmPOOg6WnXlMU/JKdeqzq2lZcM+AXsb5 PzOdYEwegbs6Mo+vnA3tejGLb8/uRoE+itqFYsvOgYS/VgDH6ZoHyctPCI+DoT4hRSPG7n 10HRsFwtu6k5RZdZMXN0XVfp8JuSWSIWdcG6M1DMmbqHK6J2lyH+JkGGeYRAKhpAeU7U1Y vLDmWaFhHe/NnCAed4YUsXYy8wSDXM3OseFW/ov8k6rXJV48TtHYfewhQsvgaw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781714486; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=22BPvHtMw8vGhKctiGFKQpbdVsl7Fy29bPNP0X9RMwc=; b=DdGIUGIXCC2gSSBeQfVHup9F+rsI5NqNlvBfEbkcMhCXQ+QPHO+98cnc9WK8Tgg7+SUvgz 4tBWbtq8sW+4q5xyYDua+6d07Wg1CJqEbk2ha9bvymPIvgOv+5Sxm6W+q5kWhU4ffG8Rtb NCJRLeBbbijnnvyRHq3d4HOmTz5o4KSArx9wWVxyvb+iJt2X/8UgxHFU6IrjwKZiKb27zt Q25+bmyxKoFq6LWFzw2tpl0Nlk2OWcr8n8hQATXrqjk0FOQSBcGZb7t0rAsAcsll2IOMWc Q2yZ5J072F7NYSKd+mgxsM1ak8tpGe7o8GM/X4TpYNfNs0ZAbjSNu5//weVo1A== Received: by freefall.freebsd.org (Postfix, from userid 945) id 81E521C6D6; Wed, 17 Jun 2026 16:41:26 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260617164126.81E521C6D6@freefall.freebsd.org> Date: Wed, 17 Jun 2026 16:41:26 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:26.ktls Security Advisory The FreeBSD Project Topic: Arbitrary file overwrite via the KTLS receive path Category: core Module: ktls Announced: 2026-06-09 Credits: Bumsrakete Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-45257 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 -- Initial revision v1.1 -- Update workaround section I. Background Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing into the kernel, allowing applications to encrypt and decrypt socket data without copying it to and from userspace and to serve TLS data with sendfile(2). When a connection uses software KTLS on the receive path, the kernel decrypts each incoming TLS record in place within the socket buffer. II. Problem Description The KTLS receive path decrypted each record in place, assuming that the mbufs holding received data were anonymous and safe to modify. This assumption does not hold for data placed on a socket by sendfile(2), which can reference file-backed memory directly through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data over a loopback connection without enabling KTLS on the transmit side, the file-backed mbufs reach the receiver's decryption path unchanged. Decrypting a record in place then overwrites the backing file's page cache instead of a private copy of the data. III. Impact An unprivileged local user who can read a file can overwrite its contents with data of their choosing by sending the file over a loopback connection on which they have enabled KTLS receive. The write modifies the page cache directly, so it bypasses file flags such as schg and is written back to disk. By overwriting a setuid binary or other trusted file, a local user can escalate privileges, potentially gaining full control of the affected system. IV. Workaround Set sysctl kern.ipc.tls.enable=0 to disable KTLS entirely. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc # gpg --verify ktls.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ a51345704403 stable/15-n283882 releng/15.1/ 48c1c5e3c348 releng/15.1-n283550 releng/15.0/ 540a315cdb46 releng/15.0-n281052 stable/14/ 333bdd7e9427 stable/14-n274311 releng/14.4/ d43259dd66b3 releng/14.4-n273714 releng/14.3/ af3398862ac0 releng/14.3-n271514 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoyuewbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvze8P/RRvp3TUprrxMgg4prj6 Mv7sglMFvwyVPGJstM0zBV2k+seMm8S5QmJtO+m8N5NHAIyJWL6PzvMFE9klI/IC g8Jov8lcEcAml0G+xJFCPeeG0fYszqtE8/gxGNdatDv01AnMoFnVMUyy4y1QpSyo kJzymPs49LysxggffSmPgmX446hEo7pZ6iQLBuEc0XKNN/7LYmiYq6kcVLzTpkRa kfYwsJphWZkfdR2AVzCSxMiMb9D/NQ7WN96B3o+xYX8XoHgrsQmvZ2YrvRf9nyRs lgAm9QxlkTcWlwPrNoacg2sN/jZFb3k01GRJAFbcKbDP1t3lkFygD+UHNnlStO+s hb5fKHgQgrUpX7atsD2UQ2W+irca0ejLhflxxvgY7pRTLnnmJ20fXDhDn2sWb7zs cPxir+4bJk4IZvomK0raFH5eMeJ434/rfkMjfE87WOEryFHabnGsiH9xO2u6+ADT UhMl4iBY+wOoaHTTqfpOQpAk2/gO7UUvXtbOkEa8SYZjSQAxMAz7nqyL7Lucix9n 7ES4hLmic87cr7+q+8iwvASvcNjlDxqyGYRoLa2+TECsTmKqVbwEEANcufNKemb+ aPoRFi5apShhwe1kl7/vVCDGPtCssRRYZ+ejwpQY6m4PpRKY9soNFUt2WjOGVmaB iQR9r08fcX9SuW2dTuTzXLEi =wfi1 -----END PGP SIGNATURE-----