From nobody Tue Jun 30 19:55:33 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYm60nJRz6jp2l for ; Tue, 30 Jun 2026 19:55:34 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYm55Y3Sz42G9; Tue, 30 Jun 2026 19:55:33 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849333; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=SO/67F9vDCwrpqVYzsU2Phivg341+xMVhKt+DNFTDe0=; b=OM19EGongP05b7eJ4TxnxdOs6e2b9ppVk3sxPG4RvJff4p5qohJd+S43CUZRncukCZdcCe cZ8d5n62fl2NU/a0jMo9OX1esAZTXFzB4+jH3m3JhGqmuAHSTfrUdNrkcKvYocQTcXRuH2 QkRNLiUYoOJlaSSxOgkv1c5Yn5ADUHXNdPrHsq7p2JzH8UY3LwyfZlI9Ha4mTcaWzknoX1 qk/+OSwrbAeZ9u+GoLcGmriMml5Y6gxNuc3D6+5XdManCydg7p3XUQWNS6wgXslbNF46oM Vlwgqc7Euw1fALGmg/f413/oChpYmqcJM1Tol8ObRhjtxLalPmcrEz2/8A1S7g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849333; a=rsa-sha256; cv=none; b=RWZBYO8O+kjK2rTQy3H3uqGE/D5MKjN1uscmJFX7DVNkQv9a0/7oDQsUJ3DXnFu/C9nk6a I2DUV1R18Pk9wlOvn3DWZYKmObcGjwEuGn3m9+S7luwGzhVpl1SC8w494CIIrg3KgR4BWF +NdktLbLySAg7Zxe1e3bu0pFRz9R4uBqd75UDPxJxdwot//TDLM6OXpNieW2O+++PeCVoy Fi3r5u0wfjFtAulJlzjAtQjdSqtWyILka88j4ike+Kg6XImkcuH+tOtWDlRCXDYZ5Frp/4 DzSTnGLTYCNhukNooaId7MdnpAZK32tT3eFmvG1PIyb9yhS0hmzt8guSmHPUbA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849333; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=SO/67F9vDCwrpqVYzsU2Phivg341+xMVhKt+DNFTDe0=; b=AmPjYGCJiApJP6+rqd4r0Smi+MdVakGpdEnsxzWp/Sjf3Kyduj1wvjBT5wSiZWlDhiDbBS sVv5fxPBZ22rE2zfR6Smksost+9vprKFbNKnG4f2wlP1V5yOiC7lTtEq0R8eHU+z+9BzHr szc/LM5Z8NOPv7Kwxy0dVvfRsQ7DyTSqNj+em6Elh8FsWnb9LXKv9+MJLN7kw4R8p7eGBY syUnsaaduF6JZkxWIjthlfQtFq04y45la4ydPqFTDnHSlSPeHQY0Qd78wkj5UPWAqru3dq 293l2cwCppzxlruo7U6o1F97S0dlblVaxb7HZ8TTIhsQsAHrPe+o3+KPXa8WyQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 96BA31BC1C; Tue, 30 Jun 2026 19:55:33 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:37.vm Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195533.96BA31BC1C@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:55:33 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:37.vm Security Advisory The FreeBSD Project Topic: Use-after-free in device pager page list Category: core Module: vm Announced: 2026-06-30 Credits: slidybat Affects: All supported versions of FreeBSD. Corrected: 2026-06-30 17:20:07 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:21:52 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:20 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-30 17:19:47 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:20:54 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:27 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49418 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The FreeBSD virtual memory subsystem uses pager objects to manage memory-mapped device pages. Unmanaged device pager objects maintain an internal list of pages allocated by the device fault handler; this list is used to free the pages when the mapping is destroyed. II. Problem Description When msync(MS_INVALIDATE) is called on a mapping of an unmanaged device object, the physical pages in the mapping range are marked invalid but remain in the pager's page list. A subsequent page fault will cause the fault handler to re-insert the page into the object's list. This corrupts the list, and on object destruction the page is freed twice. III. Impact An unprivileged local user with access to a device that provides memory-mapped I/O can trigger a use-after-free in the kernel, though this is limited to a pool of objects ("fictitious pages") that are never recycled for a different purpose. It may be possible to exploit this to escalate privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:37/vm-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:37/vm-15.patch.asc # gpg --verify vm-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:37/vm-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:37/vm-14.patch.asc # gpg --verify vm-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 21929fbe1ced stable/15-n284323 releng/15.1/ 958de92ab2dc releng/15.1-n283565 releng/15.0/ 2baf56862bfd releng/15.0-n281067 stable/14/ 715831359fa7 stable/14-n274447 releng/14.4/ 4c9e89c85d7c releng/14.4-n273728 releng/14.3/ 78bd098b9f83 releng/14.3-n271528 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEEjAbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvZmgQALulswibuZPW1hUdWD6t M/k6X1fBPbK8lg1Yj5J5Bnh4n1YyB4YzntGaAfLiq5mjpQqxskWtkpIWVqkVe3qO TKt9113HEn9bkBBrd1u8D708atb6jAAol+JrWeYRTkkUjBTPE3Oltgv9+ln4VyOJ agSTKRIgved3hxKr88+ms6yLQ4cymeeecPa1/0Brb+5kqWxOIia/DUbx1IebD9xY GPzwgR9RGMdrHBQsZMwvKx7P5kdb0lp6DFhFP3y8AUZEbgjUOI3832KWje1PsXpj wqLTxTuXGgRcARm0hl41GQO5FemrRm6sMA699aJ04EMhd+Z453IwNeBzGwsMV1R6 vEUfqVHUUV3Kzr6MuGSFaaYpvR/99XcK0XYI6aarVfM0JaTn5Wtn80OplD+xbMpr NN0SHRpM2zOmJ1Cmzv3qBRTGxkbBHR1Evrj8Kdc18xhV2Gn8tEhCd5RZBu7exmVA RQxuaOD70lOk+7dV2nS+w2OYKLHMhgfWFgQCzmi37F1K7qDDScT0xlgH0rbc6l5W ntbBim3/FTsLQxzGXcPhteWp1vYeqmMqQqyZ4cPzxqk/20LPbjmB1MSI9YlU0GHm /e+gouXdyruJK0p4sAsH/HyrgXwqprBF4N5xOY/f/kDWznuO7w6y9yc9OynCAnxA P8ZqzeJU+9SMnrQxrs0JcNEi =BnYM -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:55:41 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYmF6mcVz6jpDX for ; Tue, 30 Jun 2026 19:55:41 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYmF2QQZz42N1; Tue, 30 Jun 2026 19:55:41 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849341; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Rclku49ABF6mmvj8pFKiOY99i92Sd4u1McE3/TBQWu4=; b=g1XNvZ0noZB/o0r+K9bOtpDDKzsWeD4jpLRP+tH6Ve/VtxbmIyrWN4L6WngZAcKzty3lO2 tiT/m2eSrrP12cCYIZaYioGS3SMfMehN6xek+zzi8HiVLpAdIJ6v5J0JHmPdhTOpTuhV1u QaD1bKeX4E8t0UG1fm9xGKotdkVbvERUwv/yKnypkcYmc1yxGN8pFYsqZdltR2e04rgJKa yTu2VXvcTLcYPmqkslhxD8hunTSw2hiFsEZw+gdJAh2ZRwwlJquwnfTd3M6GsAL8wzHROO ep1+lWbxnRu0izqh5aUJ1UywLDYE08iX8FT42boxFwG8PPCF0BzltCO678wtAQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849341; a=rsa-sha256; cv=none; b=BJpUiSJH1DUsLpPSWQptL84Zq5Zr5Wfd86xblYGajqsSdSGChHfrbXI95CM/FRM7RibvVW gxTAC3t8CQNaj9MIJiisbwi3LFSuWZKw/lUBCof+aBlMjfBxlJs4K8V4XOGkjCeKsyu+FT NHaKxEjMg88ucH4RfxaGDPpCtDv5xYF99MFehqHEji4q+o1AXgKFHybTz+6CCm64p0KC2I 2qPgB6juh4Mu22MofWEveNjA75IXJu1X20/IHMTLbIa1ug2aCg0ql2LpAjMSeRaR/VW5Ka N6z9NJLkFAtHa7RFGX72RpvKeVax4g3rCssPEr5cebI+rSNhnTXAwxJ6yNSD2w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849341; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Rclku49ABF6mmvj8pFKiOY99i92Sd4u1McE3/TBQWu4=; b=TYJPQCArI3KWw9ZumeUSVFq9CY1Xew2cHFxXeEvHHBbm4bcgLnq49miFTKE9yL/vCBDo2z 3fJb8bkGiXcdoJDfxwQLd2Y07VQmzkIHPJLtwq9hTPJChnWgTzPFYqBRLFmR9zBd/6wWSa CHyeEOOIeyJr4/SkUJKHSPRPGWWScAYMXElsWn+GJA7ZDNMphvne10NF/LXF/K3sSH6Zmr o24xgI9j3H283/QmWTKBdAqC1Zub5PQkNIHNgJIiOg1kA37zJxUfIngD5QaHjUXyaEKL7c aLLSM9aFmDYiiK6mzdzBTXxxTITsbUitkRNnO5nsM0IjFkGZf41qv8FxGMEK4Q== Received: by freefall.freebsd.org (Postfix, from userid 945) id 360F61BBB4; Tue, 30 Jun 2026 19:55:41 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:38.jail Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195541.360F61BBB4@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:55:41 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:38.jail Security Advisory The FreeBSD Project Topic: Jail reference count underflow Category: core Module: jail Announced: 2026-06-30 Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Affects: FreeBSD 15.0 and later Corrected: 2026-06-12 17:59:54 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:21:54 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:21 UTC (releng/15.0, 15.0-RELEASE-p11) CVE Name: CVE-2026-49419 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Jails are an operating system virtualization technology which allow administrators to confine processes within an environment with limited ability to affect the system outside of that environment. The jail_set(2) and jail_get(2) system calls are used to create, modify, and query jails. Starting in FreeBSD 15.0, jails can be referred to using jail descriptors, a type of file descriptor tied to a particular jail. The JAIL_AT_DESC flag causes jail_set(2) and jail_get(2) to operate in the context of the jail identified by the descriptor, rather than the caller's current jail. II. Problem Description When the JAIL_AT_DESC flag is specified, kern_jail_set() and kern_jail_get() released the reference to the caller's current prison before looking up the jail descriptor. If the descriptor lookup failed, error-handling paths released the same reference a second time. III. Impact An unprivileged local user can trigger a prison reference count underflow, which may cause the prison structure to be freed while still in use. When this is done on the jail host, the bug will generally result in an immediate panic. However, if the user is running in a jail, then it may be possible to exploit the bug to elevate privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:38/jail.patch # fetch https://security.FreeBSD.org/patches/SA-26:38/jail.patch.asc # gpg --verify jail.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 4938fd9361b4 stable/15-n283929 releng/15.1/ fc9fe1b9f024 releng/15.1-n283566 releng/15.0/ 029528221261 releng/15.0-n281068 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEEjQbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvyHIQAJzpVmMYymSw2XqUga4f DLmFIgbf8rLcZPmcCJ71yFBxC/Je7jEyu5BJo+83sdxaL554UCKYtlADrtvFcb5d Lyou2mGgchuGB50KPeUtwZw4M6BbhOvWGh4syTv/aKuoKyFRLLyWz9UiDWI32Fjh OUuEpcsQOoGXPKcItEO+LkDGC90YxAa1ERl+Z7YbKy5oFZ7iiUrgvV+Ethx+FvK5 WYUDJAbIlrcsF2xyKHag/j/PjNmJNt6oT7i69BHz+9NhXGKFCGqBvUeX4b8TaQM5 R0nfYL1rBuf7vPmvQRKqXsKfzr4lPIN+g1MnILMvb85dmfukP8r3LqjLHbBoNT5a lLoFNU7qvR3Mt4bNGxMAZegkWoD+DrgtmQhyB6Tv8EtoCaiOk08EsnKS3BPCwGlv YYvbn4clZUfTY2bOZR1+rqeTnjgkOlqD4Jaa0c0iTyUOh/+KpfniHSFHdmxXbXjZ upuWU+pxbfc/cHEWTAXlbJxSUOwuiNoSB4iSMAIwEM2TmrjFvri4CcgY2YJIpUoW c5w2SLWe8GtNgipuPPQNqLPJ3fooWxrqF+fegHC2tv4lvpSOQbPFDvxOF1b+sCIR 7hxeglpyfCUwvq9k8/LZtdoFSE4HE9sKlvZ0CbabYh8C1bIoozqJlMwRg+VhG1q7 XWX6sgatGhZHNDndm2p8/YUw =DzLZ -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:55:46 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYmN032wz6jpML for ; Tue, 30 Jun 2026 19:55:48 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYmL4Ltcz42WG; Tue, 30 Jun 2026 19:55:46 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849346; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=RwjNDQq+HI/xZOJIkYLpQNO/DfvvHF5V69ggCSsTd60=; b=OGQ82orkftS862p8ocTVPZOsu5IXbAW6aaepDWytdaa2AyMa466x62KCtyDdnIa6vXZcjd CLdfv5L12YgO+jxqoIH1z7Whkb22zLXl2xA/XnNL3qby4VFu24LdV1E0lIlLw/+NuonOGu GPm9hU6sDCpMjy83DVQVpvmeGWPcCHo3UFsrkCcrKF3pWBGAiQtuL+9DPy7t4bbWnWn2Zi 4V9IXA+CTX00IDwPLmiFeSeGRJ/FVQbja/UdqzJXa9yidWOUqc3KeIgrdlGhKn22PWKO+h nw3ecCbNb5wQ9vjolbcTlO8nmLe6afRTFq1ykYl8ISwv55nLbniHgXr5hneFmQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849346; a=rsa-sha256; cv=none; b=rOea9fZRt8zwIS2UXrHaCvj3hfMFSMCpEl5D9fxB6THskS0A+yB93pvsPeoB8fnaOSdKxE 0fegOedvbyl9gJ5WJwwEtOXdL1UKuM7XJ/D/8MDxjLyu+YHNsYMVDH2B/1OblR2AhykHkc VDQOXdZMMLhH2k2cveEaw/u5gAHu+f5+P7Gm5zZIKbC+0y6jc9ScKV/UgzKBqG8IKZAcjy CnngPScN4FH9PoEJD9uiUMm3CsXW4fDAfcYMWtwx+rPQFGeBKPYLW9tL3wsUKo7jeUZ3aa GUwDnSubtmRWnBCaouaeh4YhjFXJp3Aqdg7lAWiQnErAHmt68o7cy1+hzztmpg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849346; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=RwjNDQq+HI/xZOJIkYLpQNO/DfvvHF5V69ggCSsTd60=; b=VZAK0mr9jMS6Z/4HVM0MaPaSjzYVqQKl01vDnLam5vSe7USNN42S/2SLFUTxGdefl7hYls yK36XjozXfzm0r8PYiuCjzH0Ds7k51/ZKGBcgmUGZpmdnkmlkTF96AwvU3AhjSLvfsKzpW j+LjJ3c+6S0HCFJcn0V64hZQP9rs2lx2G1aqvdSdoJpwEJ7l2k5GEeI5K18p6YSVVUP8NK /vjD8Fm4Xj2U2ucR/fQjCXeKFprb95G1Y8nimkERQpNNWH4B4PcokIhFoV7e/5LoKsZg+U oT+FOCDrPEHmWtnMdS+UK+WmNdpDufxWFyJG3r0hSGk9DGP7viE4x4PIQRsihg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 657CF1BB4E; Tue, 30 Jun 2026 19:55:46 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:39.execve Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195546.657CF1BB4E@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:55:46 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:39.execve Security Advisory The FreeBSD Project Topic: Local privilege escalation via execve(2) TOCTOU race Category: core Module: execve Announced: 2026-06-30 Credits: Synacktiv Affects: All supported versions of FreeBSD. Corrected: 2026-06-26 22:20:44 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:21:55 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:22 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-28 00:30:18 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:20:55 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:28 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49415 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The execve(2) system call replaces the calling process's image with a new executable. When the target binary is set-user-ID (SUID), the kernel installs a new virtual address space containing the binary's code and data, then changes the process credentials to those of the file owner. II. Problem Description During execve(2) of a SUID binary, the new virtual address space is installed before the process credentials are updated. During this window, a process running as the same user can access the target process's memory via procfs or linprocfs, because the kernel's debugging permission check still saw the original credentials. III. Impact An unprivileged local user can exploit this race to modify the address space of a SUID binary before its credentials are elevated, potentially gaining full control of the affected system. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:39/execve-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:39/execve-15.patch.asc # gpg --verify execve-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.4.patch.asc # gpg --verify execve-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:39/execve-14.3.patch.asc # gpg --verify execve-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ a80e40ce9ee0 stable/15-n284141 releng/15.1/ 46f7b5a64048 releng/15.1-n283567 releng/15.0/ de7144f7c391 releng/15.0-n281069 stable/14/ bb1154f3ea20 stable/14-n274435 releng/14.4/ 8fbbc185a3ff releng/14.4-n273729 releng/14.3/ 6772a8ece2c0 releng/14.3-n271529 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEEjcbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvI88QAI5z9LuCV46PtN5Nxw7f wv6davrwFt1N/q+hXVXKR0LNU7Q7nB5okGi0ipcjSqIC/9OaTMl9BsT7dA3yxeZi D1SN0kdrUyTsCNy2jMR/jd21uUMpcMHJYeUEzp9SNtiMwEEWYXNgsr5mX3sqG7/Z W6RJ5xBXfG0rePsXQ2wRkYsEZzK+sJJWSgPmxqRu+ruQYollVTExjOZfSm7l1ipq GS150pQ3kw5XNv2+fTnTxphJCXXvB9ZQRYb0ks4D3E/+r/bmY+OZmdnhGzCh6gEh Es4FmUAAWFbTtu355GcwOR+wy5AG1BxDVL+0D/8mM2EhbKBM5In54Q6JteMl7JeT DL1kt9nGOG5KXOZmcJdL5vsFg6vbdDvTGD1ufgcddesp6qD5JYh00Gg/2zQTxLjj EHIc0Oked/eIwObSKypbSYICGQRLC8QdeisdoDgmbWHAxc1OBJY/o+T6emcsDbT8 qpl3e9CNcGTRAznrrfHS3WJatIHcvLPInxKleXUbXAwcI5IzOWDGuBgOg/GeSdsz ybPU1NMsT+vqOQ67O7ENjJo/djXxyTQI/ExUR9nFrKZL/ma3EP4G+xyD+1pFW+Pk HCm1RbMayr75ck7Wb6rjbc6fgPIK/djz1f2rzYMFipt8U1qiiAN552AQ6/mFMjGS Dp8iGjzGu60Hf9IaLXxTOcYV =HivV -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:55:51 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYmR4nZrz6jpFB for ; Tue, 30 Jun 2026 19:55:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYmR3H2mz42j9; Tue, 30 Jun 2026 19:55:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849351; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=v0JF7Oqxpi+cychrcAayELJLUUNzbgG0jEfczNiaEfM=; b=e6vWocRJoeJ2R3pCuqVW4WeRMm6h2APEoV6aITPs1nIRSNeKX481nFO7LVKlGiiuHfjdIz +KBkes0n5zjG3a09ZmKbgt3ssOVVuwSEx94OVB/209a7gVdMGP8Qctma7QHJhLRKikg5DG gSTku/HykkpMnah4oDJqSk7/mWhZaeKeROrvO+efietL2b+UPUumy155y8jl2iofDurC4m dd5VshhRH+cecc+fjGJyHISxy+/wcHer95rgI5yD34V+vYL4CUDwSA2CUrd0vHBnSNo4sh cvow1c9veus2iMzR6SnQFxWPtI9TxlObXxqYuKfjrsOeQr/HSH93g8HWlHprDw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849351; a=rsa-sha256; cv=none; b=vY4pJ2NJaUUqxWIFoj3sHfwGFvdWW0CeQzydCACZgr3en4PyW557T7j21qvSSY6fS7ms7N gBc+ERYdr9/bouEwo/2IdvGXsFg3ZOKuXCMyKeeoahEOYMJPsS1bohc7/UfY0woj+rCHaT K9L/5UORN3bEEoLmVuKAEz4m42t42wLIUy2c9zKknojf4DnZ9k3sOF/R41B0Hq1RJ5DpBz HR7o7gv3/VIv5pAlOOhYBX5Aq0jhKWoviQesFIWPuWp1/fxocwwp4PSsG869xTIN38AXrs tMnh1IX2dhmXUrsGxM7uhrhWrP7pPYLK4qJRkBSnrg2jEjJPmkkU+66eP/Z2ZQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849351; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=v0JF7Oqxpi+cychrcAayELJLUUNzbgG0jEfczNiaEfM=; b=tzUBgHzg4TUffWIEwspQZmzHgCmBbBH/Fz5i0l/IZA0q6IZuiDiQKWLLVcIq90GrRlXhoN jqbmZTUr+WxLPsb9EnJKWptcwppCACTNCegtyXpVmGnjIxyDmiVdBfQE3gas3af0eZ9Clv HYnm2dmeYUkBCWOVr0BET0nsrJqx3iJ5A9owGfrTXjPjCQNP6WmFKHhR/O+HtXOVyY8Awb FMpqBFn5suVDROA/cnJp7s35l9VrPKlqgDSQKwL2diKM7QkbfXk6NXytsRxpcFukCDonyN hjWJDnp0yAK/1Ei39Dy0M8zB9zHmFk1zaUXwFM3/6SEnoi/bMgqcyLkkdC9n0w== Received: by freefall.freebsd.org (Postfix, from userid 945) id 5DACB1BD19; Tue, 30 Jun 2026 19:55:51 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:40.zfs Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195551.5DACB1BD19@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:55:51 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:40.zfs Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in OpenZFS Category: contrib Module: openzfs Announced: 2026-06-30 Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Credits: Emmanuel Genier at Quarkslab Affects: All supported versions of FreeBSD. Corrected: 2026-06-17 07:21:06 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:21:56 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:23 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-30 17:19:48 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:20:56 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:29 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49429, CVE-2026-49430, CVE-2026-49431 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background ZFS is an advanced and scalable file system originally developed by Sun Microsystems for its Solaris operating system. ZFS was integrated as part of FreeBSD starting with FreeBSD 7.0. ZFS delegation allows the system administrator to grant unprivileged users the ability to perform specific administrative operations, such as creating snapshots or managing properties, on a per-dataset basis. This is configured using the zfs-allow(8) command. II. Problem Description The ZFS_IOC_USERSPACE_MANY ioctl, used by zfs-userspace(8), truncated a 64-bit output buffer size to a 32-bit integer for the kernel allocation, but used the original 64-bit size as the buffer limit when writing records. The ZFS_IOC_RECV_NEW ioctl, in the heal receive path, similarly truncated a 64-bit payload size to a 32-bit integer for allocation, then used the original 64-bit size as the length for a byteswap operation. The ZFS_IOC_SET_PROP ioctl, used by zfs-set(8), incorrectly validated the calling user such that an unprivileged user is able to set metadata on a dataset indicating that the dataset has received properties from a zfs-recv(8) stream. III. Impact A local user with the "userused" delegated ZFS permission can trigger a kernel heap overflow via the ZFS_IOC_USERSPACE_MANY ioctl, potentially escalating privileges. [CVE-2026-49429] A local user with the "receive" delegated ZFS permission can trigger kernel memory corruption via ZFS_IOC_RECV_NEW by sending a crafted receive stream in heal mode. [CVE-2026-49430] Any local user can set the internal ZFS metadata flag "$hasrecvd" on datasets via ZFS_IOC_SET_PROP. [CVE-2026-49431] IV. Workaround Systems that do not use ZFS are not affected. The first two bugs are only triggerable by the root user or by a user with delegated permissions. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-15.patch.asc # gpg --verify zfs-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-14.patch.asc # gpg --verify zfs-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 25c6e6ed725d stable/15-n284009 releng/15.1/ 7eeab0afea4d releng/15.1-n283568 releng/15.0/ 2318d229b76a releng/15.0-n281070 stable/14/ 6419ed0df139 stable/14-n274448 releng/14.4/ 62f64d81b50e releng/14.4-n273730 releng/14.3/ 6503d56e7c63 releng/14.3-n271530 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEEjwbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvutcQANSzEdc9r+T+8QZd4M+q 1amnRPldgOo0RVKuIXRxJUisZFXA4/vI03deRulMtVLhqo4OcaDowTs973Y967Ue yiQwKNY+CpXrJ9gp2dnyx5aN3LnxEtaRRzdfh0ZiRqeDbuV4kjPK2T2tU4iU3Cl3 2F6pfnY+0vK95pj0QGi6GrQSLA05/RHDUhmzQ9Of/HR75wz7q29cgKufUOE21l40 lqeoeuhDVwOOx9L9dFASJFTSj1g8FjWHH07DKO0lFVr0z7WyfwuekPnLmcJ1+30N 4EWDLdCA40rgcuugvQMK5/RRPkqBOUOX+xIzS6gNN86uW9SqDcNQAztbcEwPKtie fcAmRHZrHmCf4Xscbv7G2eRilopaZNxrLnLiDBu3ZPBHlK3ljP5ACRgmMWxJ12T3 hle+tp/JVNEKcAj74/Cg/WdsPPSXbaf8G3T051FRHEbBVwkZaqZBqfjdVvmfnr5Z tMAsfFUZkzBXOTw4/7lpuHNIY2ddcn+WWK7MIFv2oKh7NhmS/3bma5KglGhQNvrK iF7OFkGHZaMBZj+a07qSUvGzAGMlXsNhULruYPGWaA2TsMQMiJR5eT1DA/nRMwA2 MJ/r7gliPrPzAid5CIbVk8JvgPHwv3/z3VYbrqVbRGhorbBD8F1MkXEqGs94hNuK L3Gd4s12Y0FYaUnHaOSBqgL6 =OdNc -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:55:56 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYmX60nWz6jpQW for ; Tue, 30 Jun 2026 19:55:56 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYmX1NQ0z42nf; Tue, 30 Jun 2026 19:55:56 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849356; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=IH37Nuw3atlczaTqKrHR59YZj5gBFtSFADdOmEOGzVE=; b=W4zsUCBBdIaBIUn/qPXTDlWlQLV7+NlUCYjQoqucEEvignHe5bnxDH7UGAj8zEW/wXS3cY F2QHKy+qDp2bG8Ln2u/Ebs//WIsuOT7nSdcI22UjqZZW+aR2a9aNucF5I/2b69EOMlPIoy crwte7xLO4atvunBxRjUSjRhlu1T9G4rW4+2W4mda47rB/WPa/Yv8/WqF2kpERxdchCqRT +jhuVvrHquf6qoAsN9gJzlL/z7YlfnXONgH+S1fmJ7gd2+w0v4ZaiQq/p4aoYi8gKOtGD2 aaCWWO2yoDJI8uPAqNlpS6OGAuhnoazDgymkgr6jEtSl1ntr9DjhemoClKm+QA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849356; a=rsa-sha256; cv=none; b=ErjXHfo93JRLarm98H15OCv2Z3haHDgaFlhR7ydvkI6gEErPyfgZ8pTdhiWmqSDf+7pwmB WCehRaGN9MeAgAQR+ZoY29UI9TEI/OR7dWsNRIsXKYrE9yFrPAe8qGMkOLumFhFwEyjVA+ za3FlefZ0M7t45gmqPcphKc3+4VWKdB+ncTcN9AO+ghcR877OWBsAUDurk2rYxTJ8Grdgy lHhytsFTQMi1Q/V90b1GN2JiQITt9w9bubBTvKXkIAfZz0mQkEhoka3es7SEYzh7TkvQng u6UA3SS3c4hzp4Uz9Wrr0K/V/XF5yEtNCVjdze79inCo4myVPTiPiS26QkM/Nw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849356; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=IH37Nuw3atlczaTqKrHR59YZj5gBFtSFADdOmEOGzVE=; b=lySr3/W4gWgWhJyiVAGjvvYFy1Og9NvAwLTc9E1Yec80r9tfikDHeVT7bpM+9bjIb/prcR GTY43z1g5Lkq2be13q3Rhl9PqE55+yKktSc63PHu27dBAk/NwHOU5hw2VMQkcXjeZRHaQ0 POPhvxgV+c5BF46DY4SuXriI7yzj34mvtZgVBrXQZXAgVcys4jkBsK9d3MzoIxmisRyGFu 1mPKkLVgdxHF+SOKcb4ZlIm8vFnQ8tBn3g1bJToaIw9dg5WRJpTQ4CNqrgisd9n8brRx03 3R75lzhg3QXcFoBLQ2Tk6KCjGBs0rqHPua2AAbG2wowsVcJ7Ly3cGjJMc15E+A== Received: by freefall.freebsd.org (Postfix, from userid 945) id 1CDC71BB51; Tue, 30 Jun 2026 19:55:56 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:41.libalias Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195556.1CDC71BB51@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:55:56 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:41.libalias Security Advisory The FreeBSD Project Topic: Buffer overflow in libalias RTSP handler Category: core Module: libalias Announced: 2026-06-30 Credits: Atuin - Automated Vulnerability Discovery Engine, Tianchu Chen of Tencent Xuanwu Lab Credits: UC Berkeley Antiproof Credits: Stanislav Fort of Aisle Research Affects: All supported versions of FreeBSD. Corrected: 2026-06-30 17:20:09 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:21:58 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:26 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-30 17:19:50 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:20:58 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:32 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49420 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background libalias is a library that performs Network Address Translation (NAT) for outgoing and incoming IP packets. It includes protocol-specific handlers for application-layer protocols such as RTSP that embed addresses or port numbers in their payload. libalias is used by ipfw(4) to implement in-kernel NAT, and by natd(8). II. Problem Description The RTSP handler in libalias rewrote outgoing packets into a fixed-length stack buffer without checking whether the rewritten data fit in the buffer, or whether the result fit back in the original packet. III. Impact A host sending crafted RTSP traffic from inside a NAT gateway using libalias can overflow a stack buffer, potentially achieving remote code execution in the kernel (when using ipfw(4) NAT) or in the natd(8) process (which generally runs as the root user). IV. Workaround Systems running natd(8) are vulnerable only so long as libalias_smedia.so is listed in /etc/libalias.conf. Removing it from that file and restarting natd(8) ensures that the vulnerable code is not loaded. Systems using ipfw(4) to implement NAT are affected only if the alias_smedia.ko kernel module is loaded. The affected code only runs on TCP or UDP packets undergoing outbound NAT translation, when the source port is 554 or 7070, or the destination port is 554 or 7070. Dropping such packets before they reach the NAT rule prevents the bug from being triggered. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-15.patch.asc # gpg --verify libalias-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-14.patch.asc # gpg --verify libalias-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 1546794142f9 stable/15-n284325 releng/15.1/ 1b96804ba50d releng/15.1-n283570 releng/15.0/ 64ce87df6876 releng/15.0-n281072 stable/14/ 4c0f47666666 stable/14-n274450 releng/14.4/ 0a7dd3d960c8 releng/14.4-n273732 releng/14.3/ 935a96aa77be releng/14.3-n271532 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEEkAbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvrg4QAN0ZqVi9f+0/PMb2W+5d AmlzLM8foU/Po/ZHFgJxdNGEGjmrvJkh7YIg3/+XwnhICtai7Fgbl68PB6SYQNpe oUQyZiS+pDJEogj7TO0WD4X5XDxmOxQ9LKrgno+jYN4DvpKvXdFs0j6Ad0pD8SNa qi7GHz0SkEp6mG5Mdr4jr26ZiWiz1pce/buyIDJiHF1gI8munbBJ11OQZBKYCb0C TE3jBeTPuksIL6o2+Wa8usxdqRUoiFTvRl/ueyDtcDqCasIxgbn8povTgznuPgot 7s4VOc3osXQTkABE42WXa48UzfgsiF8yCUIrYWAA7GLrhTx14gl+XPREkW0c1g/n n2o7eSRquSQN3eAUgjvqrAmDrJlHeQoLg5w6ojqSIY3yeK8ozJakCU8DT1I/63wF r7hFMMgVDBe+Gqb3wzq1QTl83UcqbaBYgLbhRkMsRFagMk6toKEtJxXtoBh2G03O QOSByYug9cgbrbpA7uMZaRHJTsYJDeHFC3b1LhtBAssPq/rHNsrVaL0KQru6odWb z6dRH4UpQr++pGD5qswBwyxkT1B3lS51sbauoSCbg5Pch3xEqzgGQjcPwaKTebU9 kbPR8Gt8sC7AZH9tpt+L7m6jWLzP5zdYbC0YVqdaMavZGqk6QR4VwLBSj5ivdrkB MQFPoDvZ8ua+TPP+0+yOK2hV =O443 -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:56:00 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYmd2Khkz6jpYX for ; Tue, 30 Jun 2026 19:56:01 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYmc6kzxz4357; Tue, 30 Jun 2026 19:56:00 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849360; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=CdB7WAdmYIPY5GWiJVPraC2ohW6nwKatzusxgiC5Sdg=; b=xUCoMp4T0wCbyXVQ0TXLDoezuV0fAeAtyf352MCyKd1waEStEGFEvTB2kBKFxvIuPlIxEd B177Cez6s3zqp7isS6hnFBy/9LjNSEm9VwHBBO+EEtJbXJm0AGim4kJdi0iQNJxmXm8+7V YjOzm7mfAeTuL9MTMFJeY9XU48JpADbCmnmzUpCtLcCiiVbzqp0/7Rx3wl5lLcgNkYH+tj o/42b1d5t50p2y8Velm+ugW5aYRKXxJ3+RmTcVzNUSupS0L2CIm/vq1L4kSH7aXNOndF3N p1oWeKw7SvpiXQDZFmbyeC7s5WUiy7Mz6dqwDV2IQs867PhvEvmFu8aQDtw4Fg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849360; a=rsa-sha256; cv=none; b=tISxQ6Q6unbZKkdA18bD66OnrTfjaRe0P8ToQ5Jk04wVrIDCqzTLWb795bYv6qfJs8VyhM x5Xw/etJ99YnQwH0vylZTigbY9Ar5oWvVlgCoOnBmZ4kOhU85lMDxdgPF11HT4qJQkZPJs ByER6G+q7E36rGLzD/RSq8lfh+opfNovKpEmnRHIuZBUCuVTKu+Afbh6H4SnAXstyvWt0i FybZ7WqB7ZRWvtsaZerPURs42AZBcdt4WvFD+Dp0QULhRzoPeRSLOdPw7wnVhNMbfjk0ki RSqcYgK7vtgN2KFDyMWUb93yzr44TE5PEo6kRHmM9+oyevYaSRFpSImoKXLVaQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849360; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=CdB7WAdmYIPY5GWiJVPraC2ohW6nwKatzusxgiC5Sdg=; b=nCPv9Sfk60vN+tA5pzTaqslYE6YdQsHSG0f5QZfDDkReeB7zp0+fSu5Yc+SZOAy3TxwtUW 2deNGnKbbK3rCRW6zxqPyaSYP36sPYY6kiG0+73KT5kP9ahQqEddf2UbQEMXu4Mc+bb6fI udWDLZovT/hczzibmTqDoj9+jiVZBjABWtRFtisKiGZS82auNbWOjWE/NV4/2NX+zixgPI zLb2kkF5aP0izGBuXg5zzjUMECkGnGFKyyarMXciYovmA05Yq0pANWxc/iUBVIjVjGm2yJ 1eipo5UBQ7flIE9Q4FKJ55+tqqJ1QFk717ZwgUqAZOjXIE4X+V56+7iyMgtYcQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id C18821BD84; Tue, 30 Jun 2026 19:56:00 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:42.unlinkat Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195600.C18821BD84@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:56:00 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:42.unlinkat Security Advisory The FreeBSD Project Topic: unlinkat(2) ignores AT_RESOLVE_BENEATH flag Category: core Module: unlinkat Announced: 2026-06-30 Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Affects: All supported versions of FreeBSD. Corrected: 2026-06-30 17:20:10 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:21:59 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:27 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-30 17:19:51 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:20:59 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:33 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49421 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The unlinkat(2) and funlinkat(2) system calls remove directory entries relative to a given file descriptor. The AT_RESOLVE_BENEATH flag restricts path resolution so that it cannot ascend above the starting directory, providing a path-containment guarantee that may be relied upon when processing paths from an untrusted source. II. Problem Description The kernel function that implements unlinkat(2) and funlinkat(2) validated the AT_RESOLVE_BENEATH flag but failed to pass it through to the underlying path lookup. The flag was silently dropped, so path resolution was not actually restricted. III. Impact A process that uses AT_RESOLVE_BENEATH with unlinkat(2) or funlinkat(2) to confine path resolution can in fact resolve paths above the starting directory. A caller relying on this flag for path containment may delete files outside the intended directory tree. IV. Workaround No workaround is available. Applications that do not use AT_RESOLVE_BENEATH with unlinkat(2) or funlinkat(2) are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:42/unlinkat-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:42/unlinkat-15.patch.asc # gpg --verify unlinkat-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:42/unlinkat-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:42/unlinkat-14.patch.asc # gpg --verify unlinkat-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 45f1fcb9d2f7 stable/15-n284326 releng/15.1/ 63a8e7bc0412 releng/15.1-n283571 releng/15.0/ 278ebff1ee51 releng/15.0-n281073 stable/14/ 7982ae91a51a stable/14-n274451 releng/14.4/ 9a6bccc57c68 releng/14.4-n273733 releng/14.3/ acfff8b35bfe releng/14.3-n271533 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEEkMbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7KgP/21qi7igC4TUd2Hjk7l+ L97zhQeW3TqERBHPTNdeHF2R4dgyGzI/tYUS48btWN6rOUDS3137UE+u1dBkZPIY MpdTszKSGZQz/wjd6M1utUWIZzGSOa+L60RSzsEucSQHwiBkNXK4hCSW9TIG3Dug oF8HW6HIv3oZkrSET34+WWcrSWiXvEow3N0B7ICWfFp1b7rzwo7fMqhCL/1SVDtF 3hfUz6OC13HC7MVe44nHKW1LodC9fyekyfY5kD167FZtvgeIy2kn+D+ZOsJIVPsI tgiJCerS+R9GWIhdeJcCPT+Prq/LO8Vb7x0ggTO2ejJVqwcFWgJTP4aZrtNEC0is iYuAJPRSCHdRjBQC2ELGZVDHN4ybm8UAlkImKc48pl6ey0xTQb+iaTUKeghbupUW 7/lPpwaOHWObCwn1a5CXcTJ2LwX6vZYdLoCXM69/bTQ9fHI1zI4qo+PUUqwNVg9s 7hsWd9Y/fDXPofDI+vgnXmq87A2EGcQ6iIh5YGEkayfVfpjTJSzZ7wfUtPjRLyqt QdMtnpFI0mnMIBmKX4ESZh2hB7E6ZG/J2Ky6ll/fA+5ITvE/D2qpzSYljOzu9ZV1 t3UQvMNWkq4cBjJiHpvVR73Bj5vyEtSrUu70NwV80fVtQqinWalVPlWHm51tkTW+ 6mH3f+G+BExq2ovEvUQqDy6o =Jjhy -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:56:05 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYmk3zm9z6jpqY for ; Tue, 30 Jun 2026 19:56:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYmk1G74z43Cy; Tue, 30 Jun 2026 19:56:06 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849366; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=YKv0L3GVUhh5fnJBGJ3obKVBlvGLCrF8SPoVz0pFkSY=; b=V3In8Vw1z5tySGpAhznFQzCe/oge01LyODI50a0NBZ0qmhGlDltGFbMgHPPq6Z5OQaXwnn b2I+FXAtMWXMmgafEaNqxvqLX5yRxs8gchWDi+vmjQ5va8DNF7ypYY3jR/ixdrfAjADs91 WQZE2kom0YWOYVz3JpsOrVb03dunc2gNY5cjODfKuC0sb8dunqM9cEYCKqHbBFs/pNkaAH HVh1IPi0MR4MVelmL0NrGuQoCi+gErFzhWO4Q7qBIbbnByXlyLqGjXCnAdgVjdz1n3WJ4P s5VXJQw1TXAq1KgnUgowsAv86ExwD/i0hGNKwbGbUjIFeFXFj9uzMCG7VihYHQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849366; a=rsa-sha256; cv=none; b=H/VHL9JiKoxAKP8R9YpGZGDb6hcJY2EosogRwWR4BELf5hwd46EMQWIEylYQB7a9U1mSrH YimffsK9H7JkqEf/4Hz8CGCnFQw+0loeuU4GDSLVw0+ajVeZDDyB1mjucmUAIClAvw73Qd Oya6MAz1CuAI4yrpd8PgUH6KVgpo0UMB6EugdckQvoE2fZIHVYMcUj+M8pjS8sR/AU1YtT 477gQdt7CSj8GOpslmTo18/YzX9fE0vQRjsvEDHYofhfmUruu357mqQKqDrP7JKpPsd9QU 2yEmaKWMQfmW0YaqoqROLVr1IgUS13BD5q9G/Gt9E2CYMieZoJhAxirkubAokg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849366; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=YKv0L3GVUhh5fnJBGJ3obKVBlvGLCrF8SPoVz0pFkSY=; b=fWe+oF6Sta79Z9MQnlsSOI2o8PN1YmfQXG/Et6oJc6AoLPJMcOYn3mWHflUombplASd/7e gecqWGTSzKyo/Sj2YvPLrkrjRACN8eZAAaSRoLn4MHhFrJ0VFlGmYIAw8xAtHqmGAjVOMr RaCTJ7v3f5OOoFq3qy7LW8wjQspZBWPXyYtXpMmcO/rmT63Y6tGLkEPJiJDU2KCb9qKxEq XqZlU0iW1N3C2SaKcxbjqhHbauRzA80pvrbNA5nH+x4CHyWu3DxDchApSxT61umwlJARyJ 2z7kBiOBh+si6YR/ZH/TqYCv1z9uW3f8+2XJVEZIYBPRLOqWbzKKkVLTa5eEJQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id D66291BBB9; Tue, 30 Jun 2026 19:56:05 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:43.tcp Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195605.D66291BBB9@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:56:05 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:43.tcp Security Advisory The FreeBSD Project Topic: Use-after-free in TCP RACK stack option handler Category: core Module: tcp Announced: 2026-06-30 Credits: Maik Muench Affects: All supported versions of FreeBSD. Corrected: 2026-06-30 17:20:11 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:22:00 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:28 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-30 17:19:52 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:21:00 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:34 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49422 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD supports multiple pluggable TCP stacks. A given TCP socket can be configured to use a particular TCP implementation via setsockopt(2). The RACK stack implements the Recent ACKnowledgment (RACK) loss detection algorithm and is provided as the loadable kernel module tcp_rack.ko. II. Problem Description The RACK setsockopt(2) handler drops the connection lock in order to copy option data from userspace, then reacquires the lock. After reacquiring, it verifies that the TCP stack had not been switched away, but did not reload its pointer to the stack's per-connection control block. If userspace switches stacks twice during this window, the check will succeed but the saved pointer will refer to freed memory. III. Impact The bug may be exploitable by an unprivileged local user to escalate privileges. IV. Workaround Systems that have not loaded the tcp_rack.ko kernel module are not affected. The module is not loaded by default. To check whether it is loaded, run: # kldstat -m tcp_rack V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:43/tcp.patch # fetch https://security.FreeBSD.org/patches/SA-26:43/tcp.patch.asc # gpg --verify tcp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ aed4c4dd9afc stable/15-n284327 releng/15.1/ 490e506a1ca8 releng/15.1-n283572 releng/15.0/ 57b3853cc9bb releng/15.0-n281074 stable/14/ df8885512da5 stable/14-n274452 releng/14.4/ 800acf75eb80 releng/14.4-n273734 releng/14.3/ 8845978fec03 releng/14.3-n271534 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEEkcbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv+1AQAMZB1D+dHqyjfENkZer9 nXE18ljPEZzAO/wZvEls9PbqqAX9eyYK7dChKsQchYiRNQVDekXc9BEgOpFJuJPH ZbjNpH+xnzt7iMTiU2lQnOqASrtfVsvwWoLOvqeTIKr2O0Sh9v2SfyurQS8zEh6D JdgVQKrGT6Nw0wQ/Kc/Ul4Wii2gkGP9kIcqhDRNfqMybuxAYJEYlWqKwzLlI36j+ C7f3d5CNhhXdjuv08Rvyp6Pvh5hd04yQGiI1iN4pCqJlGLOvguPm0DJhr1WOqOcI jjkPL5envbvOFhEDe69scIsfZnvcXv79IgYyZvz2rKnO/k3Ce7azEUWjMQemb1ZD ih6FDn1HtOb04zTMFCtdZAd05+qr2B9BsynGcFBdg/KGG1is87VU0SpyYSv5Uj7z tbFfxb8mPvulMqmG+l29voVBRJB5VqSr3zCBMEc/GrvI0R+d7sHWSSgB898s7XPE H/QzpHwDmvE0k7sIDQeevjhvj93XrkS6+QOcNiJRmc9G7+UOBssxOzp20GAKD9a1 /h2fzCpyjS3hJxQ9Y9xUeSiibS2tneZ7d4hoTZm9+5JIq3Y1ORdL0gOFHFdDIfFU nLKNPguFAGZkd/ASS6/ULvW7UqZJ0UdQrcFS5RIBMsYNYF8uCDramlZ4qWiz2DsT yqCs7JnSKZzpSqdKKEQSKabq =oO9/ -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:56:11 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYmq5fyjz6jptb for ; Tue, 30 Jun 2026 19:56:11 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYmq2Gncz43Db; Tue, 30 Jun 2026 19:56:11 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849371; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=3owM/nwKj2Gjhd9VE+g8A52iwCTjay7danpAsOyl0Ig=; b=rzY8FHkT7t2UyAEre9fG0KucZ9BK1nIT6DWU2oTPXW2dj5plFWdYjwxh8HHCej8QTMG+C+ vTbdr/ua3vY+epaLwSdizJfmA1o8OQtKLww3iZw50ExchJ1dds87/tLC0nBoBzaH+Xj9T7 bInmEncRFSsWp1FGEl2qRimnjfJ4Kckp+gadktxoN2NzhnpQu2W/cU100gy+X735BNTSt8 crMP00N5gb3KjlRQpdPgG6ksvME08118IAMpFWYRoAW4xUPE39bcFu18aHtrrSaWQknJ3T 4/T32iU8NgzTrevcUJuxfbrWaH60TGciIaEejmUXjCLys9XRPeZa+TxgR5oH/A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849371; a=rsa-sha256; cv=none; b=iYB0AyD4WrVfIApaF1n0GaBR0R7UXYh02dQgYw5/NDt8RBaAnpQlB8GNTBc7qphcymhRF2 wo07Qtssxr/KTDKyZ4jf5y+hYMA+YGp8IbFHgldx2FVd5+Uyhap0DdHErx83dyMPywuEb0 /+Bc4OURVK5lpt2mqnH4ZJN/WxyQz45g0PN1ChiKpIZHI5XUsPiMeezqh3j1YP1CpquOm/ dRudp6HQHc6mg0ICUq6SwRhsBKMYbfHx/DYIkvxjYOPR+rQifYSDV3W+CwVIEGo6PZC+fy JtjOxI5yiL7ks0ek6TatpasSe9LPNF7+hv3DDw4imFcUo+95GQOld3MmEzHHoQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849371; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=3owM/nwKj2Gjhd9VE+g8A52iwCTjay7danpAsOyl0Ig=; b=UxaG4PAG5MKsLLDEk3n722NS5lQ/qOAjkhaaF/14K3bCikZvT4pKSrqwkrwgG2wT9h00wg ukvJUgewSK5zMes/SVfQ7PtyZ+cUEx7g+Q6BQ2K63hsP3x0LOUAUMtPcmVk7K6KfvfRRTr 0s8D057K7uZprWlQdCzSiPacH0a+tDqQt/3BRN/Q8ytbYqpqyKwe+060al6mrR4WyKp3cC yUFlvRyV1v8X/E/rIlAsHwq+c/f/yL9LdBAXejsCvQ3qg/oLqV9JhQf8dlwy9dsxx+lKnJ 2YTTLAjVgNDkqTfG3q+0UDv13IxNwZhgdsGr9ef4kIT4oYFegSqogEENyZOYng== Received: by freefall.freebsd.org (Postfix, from userid 945) id 45CA01BD22; Tue, 30 Jun 2026 19:56:11 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:44.posixshm Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195611.45CA01BD22@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:56:11 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:44.posixshm Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in POSIX largepage objects Category: core Module: posixshm Announced: 2026-06-30 Credits: Chris Jarrett-Davies of the OpenAI Codex Security Team Affects: All supported versions of FreeBSD. Corrected: 2026-06-30 17:20:14 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:22:03 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:31 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-30 17:19:55 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:21:04 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:37 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49427, CVE-2026-49428 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The POSIX shared memory object module supports "largepage" objects, which are shared memory objects backed by physically contiguous memory. Such objects can be accessed more efficiently in some cases. For most purposes, they behave the same as ordinary POSIX shared memory objects, but the underlying implementation is quite different, and certain operations cannot be performed on largepage objects. Largepage objects can be created using shm_create_largepage(3). II. Problem Description Pages belonging to largepage shared memory objects were not explicitly wired. When sendfile(2) transmitted such an object with the SF_NOCACHE flag, it freed the underlying pages after transmission even though existing mappings still referred to them. [CVE-2026-49427] Separately, certain system calls, such open(2) with the O_TRUNC flag set, and fspacectl(2), could incorrectly free memory in largepage objects. These operations are not permitted on largepage objects, but the implementation did not verify this. [CVE-2026-49428] III. Impact An unprivileged local user can abuse the bug to access freed kernel memory. This can be exploited to escalate privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.1] # fetch https://security.FreeBSD.org/patches/SA-26:44/posixshm-15.1.patch # fetch https://security.FreeBSD.org/patches/SA-26:44/posixshm-15.1.patch.asc # gpg --verify posixshm-15.1.patch.asc [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:44/posixshm-15.0.patch # fetch https://security.FreeBSD.org/patches/SA-26:44/posixshm-15.0.patch.asc # gpg --verify posixshm-15.0.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:44/posixshm-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:44/posixshm-14.patch.asc # gpg --verify posixshm-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 702f4c829c17 stable/15-n284330 releng/15.1/ b15971f462b6 releng/15.1-n283575 releng/15.0/ 8d086f03b9be releng/15.0-n281077 stable/14/ f30052c16dba stable/14-n274455 releng/14.4/ 0848cdea83fd releng/14.4-n273737 releng/14.3/ 5272af920126 releng/14.3-n271537 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEEkobFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv0zcP/j01bgGuZ73aAS8U1kMc cwIZi2tTheS0vEkznQj1gEKKVnMRp9kex3spTuT10U8Ed5dWH6ADAKR0WNEf5O0f /Uz8twaksMCECr5Nepu/cl/WfB9x7rNq7dFwtYv75gxbhE1i++dQNJictcAT9m/s I4RtejHRHmSWKun/6k6x6LqKTpbOoueQv1SvgwGMB4gyCX8PBfmpUM068ESI0L2K L73EICrCDBouSXgKDOvexQkmy57gPx5DfMIsUMg6nw2WmGNfPUxQQGSJ/mT53en9 QkgrV8GTZDP2PWl8/J6MZ/MjABy5WEmmFQnu0h7ABB/oErZSbYRQj5kdlCM1CHEN kw9eLoXLUVORV2U1+kAvPaa3qJJrktSeVjXbFPttU60QWxjfdIYOua3WTX5FrJVv TKNOpmekA6kbqaHQV/4BhGH2teIySCzaIbJi3jG2qechP3SoIi8cpqfHD7rZgOzQ 7xPAre/kO/Ub86DRfjXPHtiDYZ0ubCQc/tSwem5oTlgElDWjH0F5sjLLlk+uGGP/ C7kkGgPCs5O3U0Ja1wMV5b+pCKu4BDJ8c+ZXCquWi5iqqoXUwgGAQGlu8lJ7/RUH 7FXdEW2jCvk+NR4SDwPF4nq9DMP+HSsLWdrWFbwkxtqOe1vNY5IMVnUqzmHgDVsr 2pZywMqIe2szHqOdRUKwoDvM =+cdK -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:56:15 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYmw3kwkz6jpcp for ; Tue, 30 Jun 2026 19:56:16 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYmv72ZWz436k; Tue, 30 Jun 2026 19:56:15 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849376; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=3OAVSr5K/DwPSeMZ8o5em7wYjfZBpXIYJk96MarXQds=; b=OXKNdjT64T1wwpbCIEN9tzjhDif7kJcKs5wK2W6507ftc442kiALs5VMiKnS9x1S2SFHcS puOP6bEK6gHnhsMN2qUAEukQ+wuEMZ/CMYV9VLNij88K5ns0AJcOZhkdGc5PVoKlx7hADq +mFCevrTJT8L2jNwh9qOGJY3mrnlyETgAKzOJIbMQTFS9yZsVZks+US+qAHBoGi+w092dw X33tC4rlsiDcHBGOlocvrOmVSrQ21VtaIiaCRIQpfQYfrBKuwC+P6iaH8U88CX00y9pUxA CRjn9kUGxONbdAOyjvpyLpBio1aqWI7tOR1c0JSxvhnAGETt188mmDo8r/tJwQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849376; a=rsa-sha256; cv=none; b=FIh0hCBf1xNgaLxSkV5MrK/ncUmgzN3iMx8algfn9OL9PciSqPPxzVdACe1Hue36uv3+pP zGD0n84oJLw+Fg06rB8lK6YJMiOwzPmTtl/+dq+7b90MSs3hoiQ1wEUkagCGbbRXVhyn4H QXF2zTdCnwV/T942Zts1DtzoNBZuJEz7pyisjhRsXZQnhf9YgTPDNGYjUlTzMZtFJEJFPS /9bwfRhsLijnPlwRTP8Js9vp1/eLebnZKk1hPzWdwo2ba6od9wGAJOFW67bZucRT1rTOHd tznmMB6+dW/FY+t2jY5ZS/RjzBQAWqd6kGGFAVaZqUqvxbyk1mQnO5IgHHNpUg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849376; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=3OAVSr5K/DwPSeMZ8o5em7wYjfZBpXIYJk96MarXQds=; b=YOLULqIy/RhiquplB8dMGmdgFXmaMzZiazytvtcLuTtotXTEiH9QlHrA77JvuaeAVJl4A5 8vm4mCQz6Bipy3kOPmbxyoD5uxUG+1tnoexYhhYBld4DKAhe7vcHocWo8Yw/lyaNqxUkMn SW8Q8UfkIItAObvt5lTrd9u3g38mZGscs/kXDnppeRH617M8duL++1JUzAJkG651S9fw6u /fJff+6DGSht3wC+/KXy8TfrGA9oPGuZrZo7L0yksMaz7nr+3Fbj6q+rRP2ixHjlgolzvq jWiw3IK9eDezq2Vxn6CDJiMMLNohhTheZPOrcnriAKSYqwZJWxJzZdIbeYv0rQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id C491E1BD89; Tue, 30 Jun 2026 19:56:15 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:45.audit Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195615.C491E1BD89@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:56:15 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:45.audit Security Advisory The FreeBSD Project Topic: Incorrect audit records for ptrace(2) syscall requests Category: core Module: audit Announced: 2026-06-30 Credits: Kyle Evans Affects: All supported versions of FreeBSD. Corrected: 2026-06-30 17:20:16 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:22:04 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:32 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-30 17:19:56 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:21:05 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:38 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49426 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The audit(4) facility allows a system administrator to audit security-relevant events, including system calls. The ptrace(2) system call permits a debugger to execute arbitrary system calls in a target process via the PT_SC_REMOTE operation, and the audit(4) facility records the outcome of such remotely executed system calls. II. Problem Description When auditing a system call executed via ptrace(PT_SC_REMOTE), the kernel passed the return value of an internal setup function to AUDIT_SYSCALL_EXIT() rather than the actual result of the executed system call. As a result, committed audit records for system calls which returned an error do not reflect the true outcome of the operation. That is, they indicate that the operation succeeded when it in fact failed. III. Impact Audit records for system calls executed via ptrace(PT_SC_REMOTE) may show an incorrect error status. An attacker with the ability to debug a process could use this to produce misleading audit trails, potentially undermining audit-based Intrusion Detection Systems (IDS). IV. Workaround No workaround is available. Systems that do not use audit(4) are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:45/audit.patch # fetch https://security.FreeBSD.org/patches/SA-26:45/audit.patch.asc # gpg --verify audit.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ ec1989960781 stable/15-n284331 releng/15.1/ 8666a62872de releng/15.1-n283576 releng/15.0/ f887a2c04c9e releng/15.0-n281078 stable/14/ 1763deb84ba9 stable/14-n274456 releng/14.4/ d68c2e77d70c releng/14.4-n273738 releng/14.3/ 8b11e7df3a62 releng/14.3-n271538 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEEk8bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvrhYQANVoWdJ34ecG1KUeAl/T 2+TdDkWob/ime5tYXbsnyA2u3mbGdl9DMoCa6bbmx5D0KW5hsNIbvpHHguv6Nvss CeBpipZrrkIQnRI0m1p9EevzrHJ+H31Rz37jYaa3usroMcpquWt28jnS28aykZGr at/kLU2TXPZfk0/p6G6DK60gIh0l366UGqNYqgoBkSbG0eR7wDjD7KVIndCkN9Js U+VqJHg8cwgM6O5+Hss7aTrJ8zqug1mbxFqfEabp1jBvNZf/IbiA8oyquKIEtkVl TRrDdmmNivOQMqi8Q2Jst/gbJYrlMMvYr2UFjtX9YT5K6ayAh97Ti8NzUP8BNV4l Hl9JMuF6BhADlQONAe4gR6bl2TqTuGnrXxlqalbTvRnix7khXo8iRkS168c8Hi8M 9+fR/bESF5YFEtnTBE3BKyr4dwTltPA3VVzL3VmhnK1HL2hQzSK3GsJloruZRbbj UxpPiouxhLRfDzSdMp8dNdNLuXtuNQy5V6iX1QXaA3RxJ+IJL2I/K/bngNYzBBkk 4Nk09DDbVDBCgXLDGrBZgj6FAQUbACzzBY9oWOJjy65lA61IAHW4QjsyqirNOg9D KoJfDAbCtO3C3xZKmA2rGBo6MOFJIqOxIvWXGKknQPZXJthXX/U32ewO96ik2OQl rR9c1Q1hpdSMHhd8PCE85ZJY =jxSH -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:56:20 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYn16hnhz6jq1S for ; Tue, 30 Jun 2026 19:56:21 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYn061n3z43LZ; Tue, 30 Jun 2026 19:56:20 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849380; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=RZSASVVQPRiHE9QnZwinG3k/TiYAUsU4PlmWNVGtdMs=; b=bbGUciQ47tPA2iCehUk49u11HBztyZtsY/diqUedVEd6XRyucKcAXKZLFsIiz66jjyVifK fdzEErMEhlgeObHKx7i72ca6W0gG7pxBfZ1ZgBD3t+VOklw+H/nx6qc4s6Ep801Afv3qgy 7PdNK5KTALjF0vuW/jYG/jMRtrOk4xOOtRofkg4NrgsfORNM4b0GJNVNWwUCkc1tdmkDCC Fe0vF2aYTv85qYUTFyN8KgP/UTVzJGetosYnN3Iz83fkfwzOPG+3Rzb0eHDJmCPi+PBhNp bRZwBcnm4I9hhFQJx87Afcp+m27TvLjxht+eBcBS/xKXHPzG54VxYgAr1i0siw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849380; a=rsa-sha256; cv=none; b=tzNmqJujNAjvHdn3e/HZFSXZJe10PyQTbGK1FrWDaw5IAVn9tB8mIaIHyXMZzbbT8uni/Q qirYJLFdy95Fy81P9LVMretul3h+RjdZ9iMsdMM1wNmANHX75MbnZeQ9UIXm5Wh+L13644 8hmj3xikcvpg7WGWYnPf8GszhZheSlHCF8NCmx4fCGA8RvM7o4v11+mZVJUKWZlM2UCjrg cU1Q3pXDrOl1IBO/RSiC1rqkRfyqLIQRFLMWMyKYgIMrjdkTcsqtvnM0/myIvED7DPbSy8 9wM9m1pzgKD+XeXuJPXoptKwdcvYDgPOjd2ZwSrXfGOQs2iFORRObAC+MQKb3w== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849380; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=RZSASVVQPRiHE9QnZwinG3k/TiYAUsU4PlmWNVGtdMs=; b=BfypmBrb/uHBo4I2ldPsUL3csWVUijPDcvCtmHbkIbT5vqfge27VqCpZ3TDIJ+t6J4pQAO GrP0zMQGbK9HcKOnxDJtMli0tJg0E4IgCtrQyMa4BVSvpvvT4/yqKle4OhUajdzpPnbCj5 TI7/rw4nbVOd6yt6do5u1vAHkHHbD/Iw9/ZLcgSSMh1gV8TBW2nAdLqiJ5ixikhihuq1z+ rH7qZjnvUo4DXjctLzPo+6qCMh3Zj0MTzsCp2AaVuN2J6o4yV0ukf8o3sMUzELRunIL/oU 5MEo3OFoe6n3a4UBmLVPeF5KYU2+F6HPbt4mxT0ZcPlKGqm/Fj/5qXLl3M4ofA== Received: by freefall.freebsd.org (Postfix, from userid 945) id B9BD01BA6C; Tue, 30 Jun 2026 19:56:20 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:46.ktls Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195620.B9BD01BA6C@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:56:20 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:46.ktls Security Advisory The FreeBSD Project Topic: Remote DOS via uninitialized memory access in KTLS receive Category: core Module: ktls Announced: 2026-06-30 Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Affects: All supported versions of FreeBSD. Corrected: 2026-06-30 17:20:17 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:22:06 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:33 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-30 17:19:58 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:21:06 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:39 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49423 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing into the kernel, allowing applications to encrypt and decrypt socket data without copying it to and from userspace and to serve TLS data with sendfile(2). When a connection uses software KTLS on the receive path, the kernel decrypts each incoming TLS record in place within the socket buffer. II. Problem Description When building the iovec array for a received TLS 1.2 CBC record, ktls_ocf_tls_cbc_decrypt() incremented the iovec index for every mbuf in the chain, including mbufs that were skipped because they contained only TLS header bytes. This left uninitialized entries in the iovec array. The iovec array was allocated without zeroing. III. Impact A remote TLS peer can cause the kernel to read from uninitialized iovec entries during HMAC computation, resulting in a kernel panic. The peer must be able to control TCP segmentation such that the first mbuf of a CBC record contains only the 5-byte TLS record header. IV. Workaround Only users running an application which enables receive-side KTLS are affected. Systems with the kern.ipc.tls.enable sysctl set to 0 are unaffected. The kern.ipc.tls.cbc_enable sysctl prevents applications from using AES-CBC with KTLS. Setting it to 0 will prevent applications from establishing new KTLS sessions using AES-CBC. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:46/ktls.patch # fetch https://security.FreeBSD.org/patches/SA-26:46/ktls.patch.asc # gpg --verify ktls.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ e4e6250999aa stable/15-n284332 releng/15.1/ 54372e3b56b7 releng/15.1-n283577 releng/15.0/ 5357f822416a releng/15.0-n281079 stable/14/ a7787f9f8b8e stable/14-n274457 releng/14.4/ 5f83a1c159a3 releng/14.4-n273739 releng/14.3/ f769a69b2da3 releng/14.3-n271539 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEElEbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv30sP/iVFbjgTnP8WcG8GwxN7 DDoO/1HOui5ZbmNNJlgDWxwhmJXEOPlvJeZRy7H4r/+HQ3ri+sUX1cwNyhJx26X6 TE74fmwj2Q/cC2FOUDUNYEz6VpIHzTgJjZreFwCZV59oxwKVc2tcqZvWaj7yXphq nfDqr3hQ8xJbdpCH+3Zl7JZh/CQwmzjmXkmHB7PqAlkV8OUpO6WzuOBLPqEVISf7 nIoasmrYAxRNy1IISCMCufHMGRoSACHdd1LWzJlP+rs0H3GisB3hcFttUf+PY+0B EGo0D93/RtfnLAiE/6yqbUETwtNpoGT7QcIKmeOWAA8VY3VDdtBkn3Y78VRD4CW1 iUUO7WoFs72vYr8WVcSKgUFXuWgnNQsOTmJypm1Vh+RjgXa8Jai+vUYRNW3gHUWp WTKRNmhvrn08owFnAiWeT0Os3dIieRZEcgETiJRt7dqz0+FkOTtPWdOGKjGEkUTM k8BxI/Uvvxn0uXEPKVQINhjBD5VBlYSehRWzkfGDgWmYQVqsLsuNL0TMOrPvqTsq y2qS9jcfmzh5LWzfoPPFfAE/vvBCHn+MtSZLcPNPeVWnNzBVKvG1RQ194pOGUxMp AxrXRGR8/8AcjusG4D/AC7fIEK7POpsYoo95BEoGnqJafZiBp9VRs5bKk7WLYB1t TSdVgqVBAwCVixX6+dqoX9c4 =rk8Z -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:56:26 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYn70KzBz6jqDm for ; Tue, 30 Jun 2026 19:56:27 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYn648Zlz43fg; Tue, 30 Jun 2026 19:56:26 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849386; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=XO9BCP2/dSiNktX9SCoQHNWnhXU0qjcZ9Nv4oVRGdg0=; b=efI+JF1+QDxXxth3/cJTNu7tBo81L+DwpfkOJ7BVjMGOwlTRdsRBNxRaVMCcYq8Y5U/0r6 NTvPb3xX8rH14f510w0Ubu7/b1DsvYQ1QsXbFV2uoYoMaE5os7mPJAzgI9cog4rrZojoBx s5fuZj6vUheWkS688KEWdrn4vSJNtMzFo2IWhaa1VCjlM3k+ADf15ISo/1Df5u4hMuSR7Y rBRvH+28MCVYhVa5sMdPeNEEbZj3SFltdjiwPmh30mbRWZaaUc1jm2ZK1pqTlts1Ul+ieI jWTAaFsMOMwvfsyMasYmUUfiTixKOe5pkKRtbUWvIPmjDJWNf9wrqxg+NK7afA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849386; a=rsa-sha256; cv=none; b=grfT/Nl5FaYw+bge3DDrEoX/w7TLvkS3tCYkzqr7yx2XIIE9ET0ZiiXhG+tSk93iQ2i5t8 zOybIGhWVHCGyQKzTtuHPqRT/KlERut5bCWR7bdCR8Kdhl7QOHMzpQ0HGqes4kYsMOIWg8 IPqoGaigmI9W5TT4xCZvkNToV0JOcBrx24d3JujKTylIa+Q0DXqggRJhapRS6KivNJFPOy ORwOs/09chYQ4q+uY/UETRCg4nF7zPxhq1ExbgkTQKEJnykWC9tAk0juzLLo3VMTYzWb9X FEoJmjzEt7xWWRHRnJWkR/itLcS6325EB/s9x5M1I+RVt7zCS73ZuIRxgNnxOw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849386; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=XO9BCP2/dSiNktX9SCoQHNWnhXU0qjcZ9Nv4oVRGdg0=; b=xQEthpOy4dEwfnt8pasemtYQZVJbE5K6Gdt16EevE2aPPousMKq9XK9oEr3094dNpp8+Dn lcZD5T7Pf+/1b1/uMRsFrOZiRkXc2j0Wz711epvdxWcHWJkL/OoeR1ECvHjndKywNKLABy zquDImfBI5XqZZPdFKnc2sNPVfAgffn5LSX2RAZQa1b/sFlE5J7LOO7N7viJiuS66QENLX qjajP2OGK56HUgUSktQ6QuPtdkJtT+lW028lBGyjTMTkFiNVxxDKH5fH1M52ReiBObnPlc Xdqj3whHujoLoE9+hwZYDw89rViE9rEaRMGT1tRvweno9PfxK+0S2g/TgGAdNQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id 788CB1BCA3; Tue, 30 Jun 2026 19:56:26 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:47.linux Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195626.788CB1BCA3@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:56:26 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:47.linux Security Advisory The FreeBSD Project Topic: Kernel stack disclosure in Linux compatibility layer Category: core Module: linux(4) Announced: 2026-06-30 Credits: Adam Crosser, Praetorian Affects: FreeBSD 14.3, FreeBSD 14.4 and FreeBSD 15.0 Corrected: 2026-03-20 13:36:36 UTC (stable/15, 15.0-STABLE) 2026-06-30 17:21:34 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-03-20 13:37:14 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:21:07 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:41 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49424 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Linux ABI layer (Linuxulator) allows Linux binaries to be executed on a FreeBSD kernel. This compatibility layer is supported on the amd64, aarch64 and i386 architectures. II. Problem Description The Linux waitid() implementation translates a FreeBSD siginfo_t struct into a stack-declared Linux siginfo_t. It did not first zero the stack struct. III. Impact An unprivileged user may observe 104 bytes of uninitialized kernel stack data, which may contain sensitive information. IV. Workaround No workaround is available, but systems not using the Linux binary compatibility layer are not vulnerable. The Linux compatibility layer is not included in the default GENERIC kernel. The following command can be used to test if the Linux binary compatibility layer is loaded: # kldstat -m linuxelf V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:47/linux.patch # fetch https://security.FreeBSD.org/patches/SA-26:47/linux.patch.asc # gpg --verify linux.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 9f8db9cc67fb stable/15-n282671 releng/15.0/ 008ca5def63b releng/15.0-n281080 stable/14/ a347e6e20e75 stable/14-n273828 releng/14.4/ 99d936f98589 releng/14.4-n273740 releng/14.3/ 6d0438693721 releng/14.3-n271540 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEElQbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrveFIQAMbywS1crIKLqntgDjOA VHkUEsq7B3MGFnx8BfEDLZ/IubBmXpUsqYjA2mGy/4dZhnIKWq280RUAK/fXpTRU NhXJtaaeRfq/rOOGLdiTozltDohiPWUHZ1ITyZICJsfTbNaFHFGvRNNnVcWTJh3T 15D6/j8tJMbRccAK+Bb3mjWBP5wkxtRvZ8wDFqmem7TYg+em742ZYBxMJyV8DJat LzsRfOk7WV5lh+h0zLl5qlsYbr8WqYwxY+l2L+qVsmtuLRTy26Fx1qSivxPDjQjg erQRy/UeudTkzQpKpVHcNmier1TW349ZyQrL+5ZB2A1+UvhBnPMztiAu8ubtxC2j cZNnK9b/tesd6fubKtSvg+xFFzsAM6/vLwLVoMFkdGCw9hA4Z/+53uGqqaSN+KqJ n6BaZ7kyQowYxAwvOWnN0h3zrmRBueB+C2zPwwOo6vDptZJNcj5omssjg3KYZ0/3 bqVbA3VEhWsY4sKjh637h0m/R92fYynjcduRYhSw3pbMXmA0SROKpdTxMgnrHEXG vViKW0cOHVRZDNZqDcI5YzfvPlXMEdAvrkWrlxvqyQOeTWei7dPLQiPKFxe/6SeQ 3qICnzzVgOkZDdjs44ued+10FacDCB6M1ixU0uPcWfoPaR79rQdNzQ8mpS1p0vbS ixppeXaxrot6sTGKW4n7V5ek =xA+Q -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:56:31 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYnC6k6Gz6jqPY for ; Tue, 30 Jun 2026 19:56:31 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYnC3pyMz43SD; Tue, 30 Jun 2026 19:56:31 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849391; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=bFG3PhIMqoVuG0GwgyxSstZ0dcsK4mUHMyrWMvSZGbA=; b=TMEn2IfT77QKkGauJp+H9KzZYiqrBNu1aaMKoAmYHqoUpUB9FFfSobebV9iajKsTEDRqP9 9npOArlZ/a791CWu+orX5QgzfriovRUhN0HtmWjnlajqQHPpdhCUJFaqZ3dHZJPzGB4Zfv suAKIB2WzW2jSmahX2agus3sytxTl/d3fcWZ6z7gvOhUVTOV0jzWarpzN6zVy1xA28HQXk lvuogfWG1d+5feWpY4znS5r7PvMXM29nPp+3z+UCPAWxaFWYJab438HUM1ixKfIK9whH8i DP9YXNTisT8diwhnl3LANYwXR5zHth+DmLO92Bq1q6SlTy6fUkCkbfMMQkS4+w== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849391; a=rsa-sha256; cv=none; b=yj4990Bc0AF5UuKmI2ubx9s4MtJ2lRHOZ9eVJctB/Pbat2+BFZp0EMgywOZV4f2WemQBwN md1upM+hYSI3OIxoHutWvTVWhdAGgNnk3+Ss+XwHrdsWYP2dtiMU2Cb5yCuLuG1tcoIjnD RPFYc0R5g9p+2A2+PA423F3xqIbECWrDZUrVQOXGO5UraMDPy5CZ/v8SoGO+aZDWMTH3Cq GOWBB0AH2eNB17D6uyR/DHkqxZlaO5kYdZwJAqWFcZCDlztmCxaRZ1J175GIuIAck3U+oc m5ykcTPmwvi0PrhM6Z/GDIEo5Znfaa2NuovY3N8ch+KRa+QtvwQkx41JVjWSWQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849391; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=bFG3PhIMqoVuG0GwgyxSstZ0dcsK4mUHMyrWMvSZGbA=; b=cFFIuzRBtmzXgycKvggSR4dZP/pUdOseoBdgVfVvragQ2b4sS6xP+uIu7xUA+wXgdDU42P zRjv4GnhkeqgITfaNDPIzwtybr784dNAntqeB4AI1/dvuHLN1/k37NWmzrvkse82UO0UPw 5fSrYDGaIy68oUneI4jmAa7SoJ5E785DIf6Hlwly6CJQ2Q17fK4y4kUPMvVV7JPhZyAQh3 daXdBEbrnhv3t8FGODAXrk/IYfTBvH42XEEgjIRFMSIen8Um3d9f8OlNt56+8lr52MvL9l 8ikjUQtfr7UK+0nU45T8mjTF+eYw/wv7JReTeeS2JT/j8RV+ORK1Z5ImyPmk7g== Received: by freefall.freebsd.org (Postfix, from userid 945) id 6D0841BC25; Tue, 30 Jun 2026 19:56:31 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:48.compat32 Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195631.6D0841BC25@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:56:31 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:48.compat32 Security Advisory The FreeBSD Project Topic: Kernel stack disclosure in 32-bit compatibility support Category: core Module: kernel compat32 Announced: 2026-06-30 Credits: Adam Crosser, Praetorian Affects: FreeBSD 14.3, FreeBSD 14.4 and FreeBSD 15.0 Corrected: 2026-03-20 13:36:44 UTC (stable/15, 15.0-STABLE) 2026-06-30 17:21:36 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-03-20 19:35:28 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:21:08 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:42 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-49425 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD provides the compat32 subsystem, used to enable execution of 32-bit binaries on 64-bit platforms. System calls whose parameters require translation are handled by compat32 before being dispatched to the native system call handler. II. Problem Description The compat32 kevent() handler translates a 64-bit kevent struct into a stack- declared 32-bit struct. It did not first zero the stack struct. III. Impact An unprivileged user may observe a small amount of uninitialized kernel stack data, which may contain sensitive information. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:48/compat32.patch # fetch https://security.FreeBSD.org/patches/SA-26:48/compat32.patch.asc # gpg --verify compat32.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 4551ea3b3f04 stable/15-n282670 releng/15.0/ 760b3f0b86a9 releng/15.0-n281081 stable/14/ 6a808cd75348 stable/14-n273827 releng/14.4/ f145e3c02b46 releng/14.4-n273741 releng/14.3/ 495ee4943cd5 releng/14.3-n271541 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEElYbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv5lMP/2tqpzYyN/2QSC81XID2 XO3UEpYV6qeSo8barAlApENp+86yhCIo98DfinHqpRjdogFkiMBCJ42x6eBDP4xT dlf0VAGuNxddb2hR11HWqq+h9v+sOfKmcHBWoPa8S4n2Duq52tq3/n+3y6laXOIh uVowVNKsrQrFqcaNaLT5RB2bub7g6+a3ebWZxoLnOtJyYMYJbgb6EQBu0wFtR70O 69wl+47jkf5gIzJyHVVjSYzbuO28pkdNT0nPYVFwnxTCxasoANhMkL1hfI9Uv03x pdjJoJAAKDQ4nfwVH7q6SowR3uk1nyXhNEv22sFzWytz9NnVILA4LS9KtpqHymoN Ksmsf2lkzm8DZC0hKR9Ez4NhE4OuQGVWQmQ5hZrxf9RnEcPzcFQtxMJkLqGFxz7Q JIXB1f7y0FxOormmcDIl8Sm8Ov0AkcWfen3hgA8Kf9WEPvW1GCetPGFqp7ju7LV3 fQQfByS7YTK2kakhvYjskTown1rLKk6ZrL+YRB0DMwbOY0g6pjKUKz3X0+cKU71C A+HLV/yBPsuKwZFBqkfKp5bVIuNeQ0nsvvlZR6sK2SifhCOzH40EcPFaK72RvP8i hv3j/dQBWfSCY+fUuQBJBkq+UcbQlnyP18ASzMBA735utyzoWFKw/vAA6hRMKY1O Jo5LDYRwsp8sxkWGc2nvRAtx =W3+y -----END PGP SIGNATURE----- From nobody Tue Jun 30 19:56:36 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gqYnK1j36z6jq9S for ; Tue, 30 Jun 2026 19:56:37 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gqYnJ54TXz43bS; Tue, 30 Jun 2026 19:56:36 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849396; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=8Dorrji4GzY+XismX5z5yDsQxxl2BxrUYcFP2H8XQ5o=; b=NKC87vyjV0Zzd2+rLv/D/GjWPIm0A/jbmmxTB7JSAp1KBZ++plAzPy1FsNwNHWlwH52hBd GoQ8+1n8F/VSZ+W6bwTNuf7dHqcOXisR2gtcybnY10SzT7lQ8DJaz2F+nUdfriMfcVicG6 vR6mTDiqiOa9Wh7UE12+bBBsNiY6xChAFMajwDfTWP59mCw0T/H06svNtDG18lx2oDt7vJ lOcGFC9kKOMx+bEHv7pji03lGC1+m27A24qXqgMMqnmshxzAERhfD18HJazYVgWJbvmZ3K MDevW8oOsW7OqHRTkyCTsKjX2x4hRw9aHKKh0Wqhq0L7XFo1DvhlIfzy4lb5xg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1782849396; a=rsa-sha256; cv=none; b=gDxO1JAubwYww7dHHZ9NN/N9SwV8fhDXd2xlDxMi+8flouZ3w/HkLCdQjQoWTjdmvgUaow L0K5FekZa1zIHY9sEABVTTE1d/3xdNEKZXoNkW9lzfgHMyrDxRAw4zq4oq6quaKFNTySIP 1U2or8CmutJpRRKm+kUGZqhZmjQd2jHxdD5kYiJgy2Hv12wt/3u0ixGi4XtSOCFPOMNqJ7 be/+NaRQVvgzFKXvw7XjGBR5mA9hs+GrCfw9FOEE7X8vVisXaZZkPU0RpqwGHvOa1653TC bjlWtbXdqT0NIrV5j6YPWeqTcUzgCH9IdjQfXf0d19j4vii/SOJjg1yiO8EmwA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1782849396; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=8Dorrji4GzY+XismX5z5yDsQxxl2BxrUYcFP2H8XQ5o=; b=vHXu4ciUZr3G3NXDDkMwvCcByXyaJhZxb+JNF4uV/CpQxBZqJ0SreHzSUUDxpzf9JYQLoo 5Eaq1s8QTcuDzolZRtDmZSZ+vUcMI5V+Kk7X2CYEVQT6ZtXC6p1oHY3pIRei/RS60ecMQj kCziQEiwCmu8PA5yby2MrOfchPdgj0h2Wyg8EIr4Ww/yjQxzMMap+IOtT8GRoIx+KPigaC lug4TKs/E7WFokJjnl3ha4+b/3BV0Gn2feB1OTOgeabe2iMWObOyXZkrTJqj4AOy/i80d8 4x3y08AC9ts7b0ndpMDw7879EW3I+0StVVZhwXUB2rJ6fkq715ZaBxpkS+lD6Q== Received: by freefall.freebsd.org (Postfix, from userid 945) id 987951BD91; Tue, 30 Jun 2026 19:56:36 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:49.iconv Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260630195636.987951BD91@freefall.freebsd.org> Date: Tue, 30 Jun 2026 19:56:36 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:49.iconv Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in iconv(3) Category: core Module: iconv Announced: 2026-06-30 Credits: Nick Wellnhofer Credits: Mark Johnston Affects: All supported versions of FreeBSD. Corrected: 2026-06-30 17:20:21 UTC (stable/15, 15.1-STABLE) 2026-06-30 17:22:10 UTC (releng/15.1, 15.1-RELEASE-p1) 2026-06-30 17:21:40 UTC (releng/15.0, 15.0-RELEASE-p11) 2026-06-30 17:20:02 UTC (stable/14, 14.4-STABLE) 2026-06-30 17:21:12 UTC (releng/14.4, 14.4-RELEASE-p7) 2026-06-30 17:20:46 UTC (releng/14.3, 14.3-RELEASE-p16) CVE Name: CVE-2026-58081, CVE-2026-58082 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background iconv(3) converts text between character encodings. It is implemented as a set of loadable encoding modules in the C library, and is used by many applications and libraries to process internationalized text. II. Problem Description Several encoding modules, including HZ, UTF-7, VIQR, and ZW, did not properly check the size of the caller-supplied output buffer before writing converted characters. [CVE-2026-58081] The ISO-2022 encoding module used a stack buffer sized to MB_LEN_MAX (6 bytes) for intermediate character output. Some ISO-2022 variants can require up to 10 bytes per character, in which case conversions can trigger a stack buffer overflow of up to four bytes. [CVE-2026-58082] III. Impact An application that uses iconv(3) to convert untrusted input to or from one of the affected encodings may be vulnerable to buffer overflows if it uses one of the affected encoding modules. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart all applications that use iconv(3), or reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:49/iconv.patch # fetch https://security.FreeBSD.org/patches/SA-26:49/iconv.patch.asc # gpg --verify iconv.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch -E -p0 < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 034e21efa19d stable/15-n284336 releng/15.1/ 6b2dad9fe87d releng/15.1-n283581 releng/15.0/ 2ac85d131d91 releng/15.0-n281085 stable/14/ d62d0b6586a8 stable/14-n274461 releng/14.4/ b819674449de releng/14.4-n273745 releng/14.3/ 32f296b69571 releng/14.3-n271545 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmpEElkbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvlQ0QAIUrLFvc4tG5ODV7cBy/ 1b+aodwSy+bdS2pm7/YtuQ26bpqb8Qy+YVHn5reblXtuhkKcf3UJNqi+tQV2JQYp 2MsRW06fbOADHAPjKygC3I+MtvTJTb9kW2qNK8L3jalrNJQ2guqdFfl1OGyh7dqE akBGJKMI4nSQQJePwISqp9HUTxdzw8m5V/YiYxRIlbfMjs27E2fKMXGe8Dc7aiwv 31mDg76JsYy0r3BeTEGnRHLOeMNTqxqfaSGOr1E6n93s8sbOMHMqEQogc9E6sBSK EdSXugXdnCj2OVjnQYptlBOMZ9nVtth7hk0E/zS29DbbPlePcWiyypOKMcP3lh1t aXTUuO8FsoCrB185k8F5y+Bo0YsgUXtKCj/aQ/cN+guxPhA1EdK+WB5aPn25AipN UeiWBu2Lm9WdUs68telVgDAxSbXxAq+On5qjv1BTTVzT/yvu78d/CBYSHP3VRqRW BLgV8W17UKn+0bH3tdpyaxcUN1dmbmi3Htrs/u/gqt+7bjYIxMQceg6E5sV+XIH8 YOGiMDYSlBHzSJ7gNyN+fvhs6Gcb6NIJgP8+XfU+ov4ZbkFNmoQPxn+0uMTBsCcs DKO4tSXQjJIg5sldGttuBfMc9+YJd1JAp+qFRadRt6j2Xzy/ntu1EZ42XQt+YGaN HfQrYuwmrO49ZKaci+WKrWOY =2Xrt -----END PGP SIGNATURE----- From nobody Sun Jul 5 09:26:51 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gtMbC6ySrz6kPm6; Sun, 05 Jul 2026 09:27:35 +0000 (UTC) (envelope-from me@runxiyu.org) Received: from mail.runxiyu.org (runxiyu.org [IPv6:2001:19f0:b002:f4c:5400:4ff:fee1:b896]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gtMbC32rMz3h09; Sun, 05 Jul 2026 09:27:35 +0000 (UTC) (envelope-from me@runxiyu.org) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=runxiyu.org header.s=mail header.b=QFdNtIyQ; dmarc=pass (policy=reject) header.from=runxiyu.org; spf=pass (mx1.freebsd.org: domain of me@runxiyu.org designates 2001:19f0:b002:f4c:5400:4ff:fee1:b896 as permitted sender) smtp.mailfrom=me@runxiyu.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=runxiyu.org; s=mail; t=1783243655; bh=6NXOKvbjK09RrAoKl4Ekr/ki+vkbqtvGI1gZGyK2Kg4=; h=From:To:Cc:Subject:Date:From; b=QFdNtIyQunjqEPV7AH5BokahoSr8HE3PNLLYF8KkVYMwBtFbnY61mJNqhM394Lq3l IUcnZl3ZQquJzeZuLlIFt6EC/vXQCVTKs8QYkxgyUjL/EGJJhOQ55c0rtT83qm4R2s Gmrb40CnH8NrRRkFOjE7xz/LepiM+u/GrsUzysAQIkPV7W0GJjYG97yH0HEX8hk5yg bBg6bmdEuKelJyMV6iz5J+BAKOBUduGFmIrlT7UhUddRcZS4MQY0eMew0TL1sc9b62 PFa+f0/C2H4cJxo5VnqxWfPXm8d6TARPaFbIO62MPOWViw62ue9XL3umX3fWOKY91e eIUaj2G4KKzRw== From: Runxi Yu To: freebsd-jail@freebsd.org, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org Cc: Kory Heard , Runxi Yu Subject: [PATCH] jail: Add Capsicum rights for jail descriptor operations Date: Sun, 5 Jul 2026 09:26:51 +0000 Message-ID: <20260705092706.40242-2-me@runxiyu.org> X-Mailer: git-send-email 2.54.0 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spamd-Result: default: False [-2.39 / 15.00]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; MID_CONTAINS_FROM(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.99)[-0.994]; R_MISSING_CHARSET(0.50)[]; DMARC_POLICY_ALLOW(-0.50)[runxiyu.org,reject]; R_DKIM_ALLOW(-0.20)[runxiyu.org:s=mail]; R_SPF_ALLOW(-0.20)[+mx]; MIME_GOOD(-0.10)[text/plain]; ONCE_RECEIVED(0.10)[]; FREEFALL_USER(0.00)[me]; ASN(0.00)[asn:20473, ipnet:2001:19f0:b000::/38, country:US]; TO_DN_SOME(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCVD_COUNT_ZERO(0.00)[0]; MLMMJ_DEST(0.00)[freebsd-hackers@freebsd.org,freebsd-jail@freebsd.org,freebsd-security@freebsd.org]; FREEMAIL_CC(0.00)[icloud.com,umich.edu]; RCPT_COUNT_FIVE(0.00)[5]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; DKIM_TRACE(0.00)[runxiyu.org:+] X-Spamd-Bar: -- X-Rspamd-Queue-Id: 4gtMbC32rMz3h09 From: Kory Heard Add CAP_JAIL_ATTACH, CAP_JAIL_REMOVE, and CAP_JAIL_SET, and use them when JAIL_USE_DESC on jail_attach_jd(2), jail_remove_jd(2), and jail_set(2). Note that that rights are attenuated according to creds at descriptor creation. Co-authored-by: Runxi Yu --- Sending to here instead of phabricator for now because my phabricator auth seems broken. share/man/man4/rights.4 | 28 ++ sys/kern/kern_jail.c | 50 ++- sys/kern/kern_jaildesc.c | 48 ++- sys/kern/subr_capability.c | 5 + sys/sys/caprights.h | 3 + sys/sys/capsicum.h | 9 +- sys/sys/jaildesc.h | 4 +- tests/sys/kern/Makefile | 3 + tests/sys/kern/jaildesc_cap_test.c | 512 +++++++++++++++++++++++++++++ 9 files changed, 611 insertions(+), 51 deletions(-) create mode 100644 tests/sys/kern/jaildesc_cap_test.c diff --git a/share/man/man4/rights.4 b/share/man/man4/rights.4 index 396222a84579..8b86b0a281bf 100644 --- a/share/man/man4/rights.4 +++ b/share/man/man4/rights.4 @@ -336,6 +336,33 @@ global scope for some objects. The list of permitted ioctl commands can be further limited with the .Xr cap_ioctls_limit 2 system call. +.It Dv CAP_JAIL_ATTACH +Permit +.Xr jail_attach_jd 2 +on a jail descriptor. +.It Dv CAP_JAIL_REMOVE +Permit +.Xr jail_remove_jd 2 +on a jail descriptor. +.It Dv CAP_JAIL_SET +Permit +.Xr jail_set 2 +with the +.Dv JAIL_USE_DESC +flag on a jail descriptor. +.Pp +Unlike most rights, +these three are not necessarily present on a newly created descriptor. +A jail descriptor returned by +.Xr jail_get 2 +or +.Xr jail_set 2 +is granted only those of +.Dv CAP_JAIL_ATTACH , +.Dv CAP_JAIL_REMOVE , +and +.Dv CAP_JAIL_SET +that the creating credential is itself privileged to exercise. .It Dv CAP_KQUEUE An alias to .Dv CAP_KQUEUE_CHANGE @@ -685,6 +712,7 @@ is also required. .Xr getsockname 2 , .Xr getsockopt 2 , .Xr ioctl 2 , +.Xr jail 2 , .Xr kevent 2 , .Xr kqueue 2 , .Xr linkat 2 , diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index dd4df0353015..fee922d59ce5 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -49,6 +49,7 @@ #include #include #include +#include #include #include #include @@ -1020,7 +1021,6 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) struct vfsopt *opt; struct vfsoptlist *opts; struct prison *pr, *deadpr, *dinspr, *inspr, *mypr, *ppr, *tpr; - struct ucred *jdcred; struct vnode *root; char *domain, *errmsg, *host, *name, *namelc, *p, *path, *uuid; char *g_path, *osrelstr; @@ -1128,7 +1128,7 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) */ struct prison *jdpr; - error = jaildesc_find(td, jfd_in, &jdpr, NULL); + error = jaildesc_find(td, jfd_in, &cap_no_rights, &jdpr); if (error != 0) { vfs_opterror(opts, error == ENOENT ? "descriptor to dead jail" : @@ -1152,8 +1152,9 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) } /* - * Delay the permission check if using a jail descriptor, - * until we get the descriptor's credentials. + * When using a jail descriptor, authority comes from the + * descriptor's capability rights, checked in jaildesc_find(); + * otherwise check the calling thread's privilege. */ if (!(flags & JAIL_USE_DESC)) { error = priv_check(td, PRIV_JAIL_SET); @@ -1550,8 +1551,17 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) goto done_deref; } if (flags & JAIL_USE_DESC) { + cap_rights_t set_attach_rights; + const cap_rights_t *descrightsp; + /* Get the jail from its descriptor. */ - error = jaildesc_find(td, jfd_in, &pr, &jdcred); + if (flags & JAIL_ATTACH) { + cap_rights_init(&set_attach_rights, CAP_JAIL_SET, + CAP_JAIL_ATTACH); + descrightsp = &set_attach_rights; + } else + descrightsp = &cap_jail_set_rights; + error = jaildesc_find(td, jfd_in, descrightsp, &pr); if (error) { vfs_opterror(opts, error == ENOENT ? "descriptor to dead jail" : @@ -1559,12 +1569,6 @@ kern_jail_set(struct thread *td, struct uio *optuio, int flags) goto done_deref; } drflags |= PD_DEREF; - error = priv_check_cred(jdcred, PRIV_JAIL_SET); - if (error == 0 && (flags & JAIL_ATTACH)) - error = priv_check_cred(jdcred, PRIV_JAIL_ATTACH); - crfree(jdcred); - if (error) - goto done_deref; mtx_lock(&pr->pr_mtx); drflags |= PD_LOCKED; if (cuflags == JAIL_CREATE) { @@ -2619,7 +2623,7 @@ kern_jail_get(struct thread *td, struct uio *optuio, int flags) } if (flags & JAIL_USE_DESC) { /* Get the jail from its descriptor. */ - error = jaildesc_find(td, jfd_in, &pr, NULL); + error = jaildesc_find(td, jfd_in, &cap_no_rights, &pr); if (error) { vfs_opterror(opts, error == ENOENT ? "descriptor to dead jail" : @@ -2635,7 +2639,7 @@ kern_jail_get(struct thread *td, struct uio *optuio, int flags) /* Look up jails based on the descriptor's prison. */ struct prison *jdpr; - error = jaildesc_find(td, jfd_in, &jdpr, NULL); + error = jaildesc_find(td, jfd_in, &cap_no_rights, &jdpr); if (error != 0) { vfs_opterror(opts, error == ENOENT ? "descriptor to dead jail" : @@ -3024,22 +3028,18 @@ int sys_jail_remove_jd(struct thread *td, struct jail_remove_jd_args *uap) { struct prison *pr; - struct ucred *jdcred; int error; - error = jaildesc_find(td, uap->fd, &pr, &jdcred); + error = jaildesc_find(td, uap->fd, &cap_jail_remove_rights, &pr); if (error) return (error); - error = priv_check_cred(jdcred, PRIV_JAIL_REMOVE); - crfree(jdcred); #ifdef MAC - if (error == 0) - error = mac_prison_check_remove(td->td_ucred, pr); -#endif + error = mac_prison_check_remove(td->td_ucred, pr); if (error) { prison_free(pr); return (error); } +#endif sx_xlock(&allprison_lock); mtx_lock(&pr->pr_mtx); prison_remove(pr); @@ -3115,7 +3115,6 @@ int sys_jail_attach_jd(struct thread *td, struct jail_attach_jd_args *uap) { struct prison *pr; - struct ucred *jdcred; int drflags, error; /* Only let a single thread in the process try to attach at a time. */ @@ -3126,18 +3125,15 @@ sys_jail_attach_jd(struct thread *td, struct jail_attach_jd_args *uap) sx_slock(&allprison_lock); drflags = PD_LIST_SLOCKED; pr = NULL; - error = jaildesc_find(td, uap->fd, &pr, &jdcred); + error = jaildesc_find(td, uap->fd, &cap_jail_attach_rights, &pr); if (error) goto done; drflags |= PD_DEREF; - error = priv_check_cred(jdcred, PRIV_JAIL_ATTACH); #ifdef MAC - if (error == 0) - error = mac_prison_check_attach(td->td_ucred, pr); -#endif - crfree(jdcred); + error = mac_prison_check_attach(td->td_ucred, pr); if (error) goto done; +#endif /* Do not allow a process to attach to a prison that is not alive. */ if (!prison_isalive(pr)) { diff --git a/sys/kern/kern_jaildesc.c b/sys/kern/kern_jaildesc.c index e2e3246ea92b..cace3e7608bb 100644 --- a/sys/kern/kern_jaildesc.c +++ b/sys/kern/kern_jaildesc.c @@ -27,6 +27,7 @@ */ #include +#include #include #include #include @@ -38,6 +39,7 @@ #include #include #include +#include #include #include #include @@ -106,31 +108,21 @@ jaildesc_get_prison_impl(struct file *fp, struct prison **prp) } /* - * Given a jail descriptor number, return its prison and/or its - * credential. They are returned held, and will need to be released - * by the caller. + * Given a jail descriptor number, return its prison. It is returned + * held, and will need to be released by the caller. */ int -jaildesc_find(struct thread *td, int fd, struct prison **prp, - struct ucred **ucredp) +jaildesc_find(struct thread *td, int fd, const cap_rights_t *rightsp, + struct prison **prp) { struct file *fp; int error; - error = fget(td, fd, &cap_no_rights, &fp); + error = fget(td, fd, rightsp, &fp); if (error != 0) return (error); error = jaildesc_get_prison_impl(fp, prp); - if (error == 0) { - /* - * jaildesc_get_prison validated the file and held the prison - * for us if the caller wants it, so we just need to grab the - * ucred on the way out. - */ - if (ucredp != NULL) - *ucredp = crhold(fp->f_cred); - } fdrop(fp, td); return (error); @@ -144,8 +136,11 @@ jaildesc_find(struct thread *td, int fd, struct prison **prp, int jaildesc_alloc(struct thread *td, struct file **fpp, int *fdp, int owning) { + struct filecaps fcaps; + struct ucred *cred; struct file *fp; struct jaildesc *jd; + bool jail_set_ok; int error; if (owning) { @@ -153,14 +148,31 @@ jaildesc_alloc(struct thread *td, struct file **fpp, int *fdp, int owning) if (error != 0) return (error); } + + /* + * A jaildesc is born with only the rights that the creating credential + * is itself privileged to exercise + */ + cred = td->td_ucred; + jail_set_ok = priv_check_cred(cred, PRIV_JAIL_SET) == 0; + filecaps_init(&fcaps); + CAP_ALL(&fcaps.fc_rights); + fcaps.fc_fcntls = CAP_FCNTL_ALL; + if (!jail_set_ok) + cap_rights_clear(&fcaps.fc_rights, CAP_JAIL_SET); + if (priv_check_cred(cred, PRIV_JAIL_REMOVE) != 0) + cap_rights_clear(&fcaps.fc_rights, CAP_JAIL_REMOVE); + if (priv_check_cred(cred, PRIV_JAIL_ATTACH) != 0) + cap_rights_clear(&fcaps.fc_rights, CAP_JAIL_ATTACH); + jd = malloc(sizeof(*jd), M_JAILDESC, M_WAITOK | M_ZERO); - error = falloc_caps(td, &fp, fdp, 0, NULL); + error = falloc_caps(td, &fp, fdp, 0, &fcaps); if (error != 0) { free(jd, M_JAILDESC); return (error); } - finit(fp, priv_check_cred(fp->f_cred, PRIV_JAIL_SET) == 0 ? - FREAD | FWRITE : FREAD, DTYPE_JAILDESC, jd, &jaildesc_ops); + finit(fp, jail_set_ok ? FREAD | FWRITE : FREAD, DTYPE_JAILDESC, jd, + &jaildesc_ops); JAILDESC_LOCK_INIT(jd); knlist_init_mtx(&jd->jd_selinfo.si_note, &jd->jd_lock); if (owning) diff --git a/sys/kern/subr_capability.c b/sys/kern/subr_capability.c index 6e23525186ea..868b498f9206 100644 --- a/sys/kern/subr_capability.c +++ b/sys/kern/subr_capability.c @@ -79,6 +79,11 @@ const cap_rights_t cap_inotify_add_rights = const cap_rights_t cap_inotify_rm_rights = CAP_RIGHTS_INITIALIZER(CAP_INOTIFY_RM); const cap_rights_t cap_ioctl_rights = CAP_RIGHTS_INITIALIZER(CAP_IOCTL); +const cap_rights_t cap_jail_attach_rights = + CAP_RIGHTS_INITIALIZER(CAP_JAIL_ATTACH); +const cap_rights_t cap_jail_remove_rights = + CAP_RIGHTS_INITIALIZER(CAP_JAIL_REMOVE); +const cap_rights_t cap_jail_set_rights = CAP_RIGHTS_INITIALIZER(CAP_JAIL_SET); const cap_rights_t cap_listen_rights = CAP_RIGHTS_INITIALIZER(CAP_LISTEN); const cap_rights_t cap_linkat_source_rights = CAP_RIGHTS_INITIALIZER(CAP_LINKAT_SOURCE); diff --git a/sys/sys/caprights.h b/sys/sys/caprights.h index 904d9b4e843a..90a05b4ba51f 100644 --- a/sys/sys/caprights.h +++ b/sys/sys/caprights.h @@ -82,6 +82,9 @@ extern const cap_rights_t cap_getsockname_rights; extern const cap_rights_t cap_inotify_add_rights; extern const cap_rights_t cap_inotify_rm_rights; extern const cap_rights_t cap_ioctl_rights; +extern const cap_rights_t cap_jail_attach_rights; +extern const cap_rights_t cap_jail_remove_rights; +extern const cap_rights_t cap_jail_set_rights; extern const cap_rights_t cap_linkat_source_rights; extern const cap_rights_t cap_linkat_target_rights; extern const cap_rights_t cap_listen_rights; diff --git a/sys/sys/capsicum.h b/sys/sys/capsicum.h index 9ef2f0d48d38..d7ae827911a6 100644 --- a/sys/sys/capsicum.h +++ b/sys/sys/capsicum.h @@ -301,9 +301,10 @@ #define CAP_INOTIFY_ADD CAPRIGHT(1, 0x0000000000200000ULL) #define CAP_INOTIFY_RM CAPRIGHT(1, 0x0000000000400000ULL) -#define CAP_UNUSED1_24 CAPRIGHT(1, 0x0000000000800000ULL) -#define CAP_UNUSED1_25 CAPRIGHT(1, 0x0000000001000000ULL) -#define CAP_UNUSED1_26 CAPRIGHT(1, 0x0000000002000000ULL) +#define CAP_JAIL_ATTACH CAPRIGHT(1, 0x0000000000800000ULL) +#define CAP_JAIL_REMOVE CAPRIGHT(1, 0x0000000001000000ULL) +#define CAP_JAIL_SET CAPRIGHT(1, 0x0000000002000000ULL) + #define CAP_UNUSED1_27 CAPRIGHT(1, 0x0000000004000000ULL) #define CAP_UNUSED1_28 CAPRIGHT(1, 0x0000000008000000ULL) #define CAP_UNUSED1_29 CAPRIGHT(1, 0x0000000010000000ULL) @@ -337,7 +338,7 @@ #define CAP_UNUSED1_57 CAPRIGHT(1, 0x0100000000000000ULL) /* All used bits for index 1. */ -#define CAP_ALL1 CAPRIGHT(1, 0x00000000007FFFFFULL) +#define CAP_ALL1 CAPRIGHT(1, 0x0000000003FFFFFFULL) /* Backward compatibility. */ #define CAP_POLL_EVENT CAP_EVENT diff --git a/sys/sys/jaildesc.h b/sys/sys/jaildesc.h index 22a03bfbb1fa..21b8b30da577 100644 --- a/sys/sys/jaildesc.h +++ b/sys/sys/jaildesc.h @@ -74,8 +74,8 @@ struct jaildesc { #define JDF_REMOVED 0x00000002 /* jail was removed */ #define JDF_OWNING 0x00000004 /* closing descriptor removes jail */ -int jaildesc_find(struct thread *td, int fd, struct prison **prp, - struct ucred **ucredp); +int jaildesc_find(struct thread *td, int fd, const cap_rights_t *rightsp, + struct prison **prp); int jaildesc_alloc(struct thread *td, struct file **fpp, int *fdp, int owning); int jaildesc_get_prison(struct file *jd, struct prison **prp); void jaildesc_set_prison(struct file *jd, struct prison *pr); diff --git a/tests/sys/kern/Makefile b/tests/sys/kern/Makefile index f7e06968520a..b22635ac671f 100644 --- a/tests/sys/kern/Makefile +++ b/tests/sys/kern/Makefile @@ -25,6 +25,7 @@ ATF_TESTS_C+= getdirentries_test ATF_TESTS_C+= jail_lookup_root ATF_TESTS_C+= jail_thread ATF_TESTS_C+= jaildesc +ATF_TESTS_C+= jaildesc_cap_test ATF_TESTS_C+= inotify_test ATF_TESTS_C+= kill_zombie .if ${MK_OPENSSL} != "no" @@ -100,6 +101,8 @@ LIBADD.copy_file_range+= md LIBADD.jail_lookup_root+= jail util LIBADD.jail_thread+= jail pthread LIBADD.jaildesc+= kvm pthread +CFLAGS.jaildesc_cap_test+= -I${SRCTOP}/tests +LIBADD.jaildesc_cap_test+= jail LIBADD.ssl_sendfile+= pthread crypto ssl CFLAGS.sys_getrandom+= -I${SRCTOP}/sys/contrib/zstd/lib LIBADD.sys_getrandom+= zstd diff --git a/tests/sys/kern/jaildesc_cap_test.c b/tests/sys/kern/jaildesc_cap_test.c new file mode 100644 index 000000000000..4d3e8e80919d --- /dev/null +++ b/tests/sys/kern/jaildesc_cap_test.c @@ -0,0 +1,512 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause + * + * Copyright (c) 2026 Kory Heard + */ + +/* + * Test Capsicum capability rights for jail descriptors: + * CAP_JAIL_ATTACH, CAP_JAIL_REMOVE, and CAP_JAIL_SET. + */ + +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "freebsd_test_suite/macros.h" + +/* + * Create a jail and return an owning descriptor for it. + */ +static int +create_jail_with_desc(const char *name) +{ + char descstr[16]; + int jid; + + descstr[0] = '\0'; + jid = jail_setv(JAIL_CREATE | JAIL_GET_DESC, + "name", name, + "path", "/", + "persist", "true", + "desc", descstr, + NULL); + if (jid < 0) + return (-1); + + return ((int)strtol(descstr, NULL, 10)); +} + +/* + * Return a non-owning descriptor for an existing jail. + */ +static int +get_jail_desc(const char *name) +{ + char descstr[16]; + + descstr[0] = '\0'; + if (jail_getv(JAIL_GET_DESC, + "name", name, + "desc", descstr, + NULL) < 0) + return (-1); + + return ((int)strtol(descstr, NULL, 10)); +} + +/* + * Remove a jail by name. + */ +static void +remove_jail_by_name(const char *name) +{ + int jid; + + jid = jail_getid(name); + if (jid > 0) + jail_remove(jid); +} + +/* + * Modify a jail. Sets allow.raw_sockets as a test. + */ +static int +modify_jail_via_desc(int fd) +{ + char descstr[16]; + + snprintf(descstr, sizeof(descstr), "%d", fd); + return (jail_setv(JAIL_UPDATE | JAIL_USE_DESC, + "desc", descstr, + "allow.raw_sockets", "true", + NULL)); +} + +/* + * Modify a jail and attach to it in a single jail_set(JAIL_USE_DESC | + * JAIL_ATTACH). This enters the jail, so callers should run it in a child + * process. + */ +static int +modify_attach_jail_via_desc(int fd) +{ + char descstr[16]; + + snprintf(descstr, sizeof(descstr), "%d", fd); + return (jail_setv(JAIL_UPDATE | JAIL_USE_DESC | JAIL_ATTACH, + "desc", descstr, + "allow.raw_sockets", "true", + NULL)); +} + +/* + * Verify CAP_JAIL_SET permits jail_set and denies without it. + */ +ATF_TC_WITH_CLEANUP(cap_jail_set); +ATF_TC_HEAD(cap_jail_set, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "descr", + "Test CAP_JAIL_SET permits jail_set and denies without it"); +} +ATF_TC_BODY(cap_jail_set, tc) +{ + cap_rights_t rights; + int fd, error; + + ATF_REQUIRE_FEATURE("security_capabilities"); + + remove_jail_by_name("cap_set_test"); + + fd = create_jail_with_desc("cap_set_test"); + ATF_REQUIRE_MSG(fd >= 0, "create_jail_with_desc failed: %s", + strerror(errno)); + + /* jail_set with CAP_JAIL_SET should succeed. */ + + cap_rights_init(&rights, CAP_JAIL_SET); + error = cap_rights_limit(fd, &rights); + ATF_REQUIRE_MSG(error == 0, "cap_rights_limit failed: %s", + strerror(errno)); + + error = modify_jail_via_desc(fd); + ATF_REQUIRE_MSG(error >= 0, "jail_set with CAP_JAIL_SET failed: %s", + strerror(errno)); + + /* Now limit to empty rights and it must fail. */ + + cap_rights_init(&rights); + error = cap_rights_limit(fd, &rights); + ATF_REQUIRE_MSG(error == 0, "cap_rights_limit failed: %s", + strerror(errno)); + + error = modify_jail_via_desc(fd); + ATF_REQUIRE_MSG(error == -1 && errno == ENOTCAPABLE, + "jail_set without CAP_JAIL_SET should fail with ENOTCAPABLE, got %s", + error >= 0 ? "success" : strerror(errno)); + + close(fd); +} +ATF_TC_CLEANUP(cap_jail_set, tc) +{ + remove_jail_by_name("cap_set_test"); +} + +/* + * Verify a descriptor limited to CAP_JAIL_ATTACH cannot remove. + */ +ATF_TC_WITH_CLEANUP(cap_jail_attach); +ATF_TC_HEAD(cap_jail_attach, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "descr", + "Test CAP_JAIL_ATTACH permits attach and denies remove"); +} +ATF_TC_BODY(cap_jail_attach, tc) +{ + cap_rights_t rights; + int fd, error; + + ATF_REQUIRE_FEATURE("security_capabilities"); + + remove_jail_by_name("cap_attach_test"); + + fd = create_jail_with_desc("cap_attach_test"); + ATF_REQUIRE_MSG(fd >= 0, "create_jail_with_desc failed: %s", + strerror(errno)); + + /* Limit to CAP_JAIL_ATTACH. */ + + cap_rights_init(&rights, CAP_JAIL_ATTACH); + error = cap_rights_limit(fd, &rights); + ATF_REQUIRE_MSG(error == 0, "cap_rights_limit failed: %s", + strerror(errno)); + + /* jail_remove_jd should fail. */ + + error = jail_remove_jd(fd); + ATF_REQUIRE_MSG(error == -1 && errno == ENOTCAPABLE, + "jail_remove_jd should fail with ENOTCAPABLE, got %s", + error == 0 ? "success" : strerror(errno)); + + close(fd); +} +ATF_TC_CLEANUP(cap_jail_attach, tc) +{ + remove_jail_by_name("cap_attach_test"); +} + +/* + * Test CAP_JAIL_REMOVE: verify it permits remove and denies attach. + */ +ATF_TC_WITH_CLEANUP(cap_jail_remove); +ATF_TC_HEAD(cap_jail_remove, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "descr", + "Test CAP_JAIL_REMOVE permits remove and denies attach"); +} +ATF_TC_BODY(cap_jail_remove, tc) +{ + cap_rights_t rights; + int fd, fd_for_attach, error, status; + pid_t pid; + + ATF_REQUIRE_FEATURE("security_capabilities"); + + remove_jail_by_name("cap_remove_test"); + + fd = create_jail_with_desc("cap_remove_test"); + ATF_REQUIRE_MSG(fd >= 0, "create_jail_with_desc failed: %s", + strerror(errno)); + + fd_for_attach = dup(fd); + ATF_REQUIRE(fd_for_attach >= 0); + + /* Limit both to CAP_JAIL_REMOVE. */ + cap_rights_init(&rights, CAP_JAIL_REMOVE); + error = cap_rights_limit(fd, &rights); + ATF_REQUIRE_MSG(error == 0, "cap_rights_limit failed: %s", + strerror(errno)); + error = cap_rights_limit(fd_for_attach, &rights); + ATF_REQUIRE_MSG(error == 0, "cap_rights_limit failed: %s", + strerror(errno)); + + /* jail_attach_jd should fail. */ + pid = fork(); + ATF_REQUIRE(pid >= 0); + if (pid == 0) { + error = jail_attach_jd(fd_for_attach); + if (error == -1 && errno == ENOTCAPABLE) + _exit(0); + _exit(1); + } + waitpid(pid, &status, 0); + ATF_REQUIRE_MSG(WIFEXITED(status) && WEXITSTATUS(status) == 0, + "jail_attach_jd should fail with ENOTCAPABLE"); + + /* jail_remove_jd should succeed. */ + error = jail_remove_jd(fd); + ATF_REQUIRE_MSG(error == 0, "jail_remove_jd failed: %s", + strerror(errno)); + + close(fd_for_attach); + close(fd); +} +ATF_TC_CLEANUP(cap_jail_remove, tc) +{ + remove_jail_by_name("cap_remove_test"); +} + +/* + * Test that CAP_JAIL_ATTACH | CAP_JAIL_REMOVE permits both operations. + */ +ATF_TC_WITH_CLEANUP(cap_jail_both); +ATF_TC_HEAD(cap_jail_both, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "descr", + "Test combined rights permit both attach and remove"); +} +ATF_TC_BODY(cap_jail_both, tc) +{ + cap_rights_t rights; + int fd, error, status; + pid_t pid; + + ATF_REQUIRE_FEATURE("security_capabilities"); + + remove_jail_by_name("cap_both_test"); + + fd = create_jail_with_desc("cap_both_test"); + ATF_REQUIRE_MSG(fd >= 0, "create_jail_with_desc failed: %s", + strerror(errno)); + + cap_rights_init(&rights, CAP_JAIL_ATTACH, CAP_JAIL_REMOVE); + error = cap_rights_limit(fd, &rights); + ATF_REQUIRE_MSG(error == 0, "cap_rights_limit failed: %s", + strerror(errno)); + + pid = fork(); + ATF_REQUIRE(pid >= 0); + if (pid == 0) { + error = jail_attach_jd(fd); + _exit(error == 0 ? 0 : 1); + } + waitpid(pid, &status, 0); + ATF_REQUIRE_MSG(WIFEXITED(status) && WEXITSTATUS(status) == 0, + "jail_attach_jd should succeed with combined rights"); + + error = jail_remove_jd(fd); + ATF_REQUIRE_MSG(error == 0, "jail_remove_jd failed: %s", + strerror(errno)); + + close(fd); +} +ATF_TC_CLEANUP(cap_jail_both, tc) +{ + remove_jail_by_name("cap_both_test"); +} + +/* + * A descriptor created by a privileged process is born with all three + * jail-management rights. + */ +ATF_TC_WITH_CLEANUP(cap_jail_born_privileged); +ATF_TC_HEAD(cap_jail_born_privileged, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "descr", + "A root-created jail descriptor is born with all jail rights"); +} +ATF_TC_BODY(cap_jail_born_privileged, tc) +{ + cap_rights_t rights; + int fd; + + ATF_REQUIRE_FEATURE("security_capabilities"); + + remove_jail_by_name("cap_born_priv_test"); + + fd = create_jail_with_desc("cap_born_priv_test"); + ATF_REQUIRE_MSG(fd >= 0, "create_jail_with_desc failed: %s", + strerror(errno)); + + ATF_REQUIRE_MSG(cap_rights_get(fd, &rights) == 0, + "cap_rights_get failed: %s", strerror(errno)); + ATF_REQUIRE(cap_rights_is_set(&rights, CAP_JAIL_ATTACH)); + ATF_REQUIRE(cap_rights_is_set(&rights, CAP_JAIL_REMOVE)); + ATF_REQUIRE(cap_rights_is_set(&rights, CAP_JAIL_SET)); + + close(fd); +} +ATF_TC_CLEANUP(cap_jail_born_privileged, tc) +{ + remove_jail_by_name("cap_born_priv_test"); +} + +/* + * An fd obtained by an unprivileged process is born without the + * jail-management rights that process is not privileged to exercise, + * even though the fd itself was never explicitly limited. + */ +ATF_TC_WITH_CLEANUP(cap_jail_born_unprivileged); +ATF_TC_HEAD(cap_jail_born_unprivileged, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "descr", + "An unprivileged jail descriptor is born without jail rights"); +} +ATF_TC_BODY(cap_jail_born_unprivileged, tc) +{ + struct passwd *pw; + int fd, status; + pid_t pid; + + ATF_REQUIRE_FEATURE("security_capabilities"); + + pw = getpwnam("nobody"); + if (pw == NULL) + atf_tc_skip("the 'nobody' user is not available"); + + remove_jail_by_name("cap_born_unpriv_test"); + + fd = create_jail_with_desc("cap_born_unpriv_test"); + ATF_REQUIRE_MSG(fd >= 0, "create_jail_with_desc failed: %s", + strerror(errno)); + close(fd); + + pid = fork(); + ATF_REQUIRE(pid >= 0); + if (pid == 0) { + cap_rights_t rights; + int cfd; + + if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) + _exit(1); + + cfd = get_jail_desc("cap_born_unpriv_test"); + if (cfd < 0) + _exit(2); + if (cap_rights_get(cfd, &rights) != 0) + _exit(3); + + if (!cap_rights_is_set(&rights, CAP_FSTAT)) + _exit(4); + if (cap_rights_is_set(&rights, CAP_JAIL_ATTACH) || + cap_rights_is_set(&rights, CAP_JAIL_REMOVE) || + cap_rights_is_set(&rights, CAP_JAIL_SET)) + _exit(5); + + _exit(0); + } + waitpid(pid, &status, 0); + ATF_REQUIRE_MSG(WIFEXITED(status) && WEXITSTATUS(status) == 0, + "unprivileged descriptor carried unexpected rights (status %d)", + WIFEXITED(status) ? WEXITSTATUS(status) : -1); +} +ATF_TC_CLEANUP(cap_jail_born_unprivileged, tc) +{ + remove_jail_by_name("cap_born_unpriv_test"); +} + +/* + * Folding an attach into jail_set(2) with JAIL_ATTACH enters the jail and + * must therefore require CAP_JAIL_ATTACH, not just CAP_JAIL_SET. + */ +ATF_TC_WITH_CLEANUP(cap_jail_set_attach_bypass); +ATF_TC_HEAD(cap_jail_set_attach_bypass, tc) +{ + atf_tc_set_md_var(tc, "require.user", "root"); + atf_tc_set_md_var(tc, "descr", + "CAP_JAIL_SET alone cannot attach via jail_set(JAIL_ATTACH)"); +} +ATF_TC_BODY(cap_jail_set_attach_bypass, tc) +{ + cap_rights_t rights; + int fd, fd_both, error, status; + pid_t pid; + + ATF_REQUIRE_FEATURE("security_capabilities"); + + remove_jail_by_name("cap_set_attach_test"); + + fd = create_jail_with_desc("cap_set_attach_test"); + ATF_REQUIRE_MSG(fd >= 0, "create_jail_with_desc failed: %s", + strerror(errno)); + + fd_both = dup(fd); + ATF_REQUIRE(fd_both >= 0); + + cap_rights_init(&rights, CAP_JAIL_SET); + error = cap_rights_limit(fd, &rights); + ATF_REQUIRE_MSG(error == 0, "cap_rights_limit failed: %s", + strerror(errno)); + + cap_rights_init(&rights, CAP_JAIL_SET, CAP_JAIL_ATTACH); + error = cap_rights_limit(fd_both, &rights); + ATF_REQUIRE_MSG(error == 0, "cap_rights_limit failed: %s", + strerror(errno)); + + error = modify_jail_via_desc(fd); + ATF_REQUIRE_MSG(error >= 0, "jail_set with CAP_JAIL_SET failed: %s", + strerror(errno)); + + pid = fork(); + ATF_REQUIRE(pid >= 0); + if (pid == 0) { + error = modify_attach_jail_via_desc(fd); + if (error == -1 && errno == ENOTCAPABLE) + _exit(0); + _exit(error >= 0 ? 1 : 2); + } + waitpid(pid, &status, 0); + ATF_REQUIRE_MSG(WIFEXITED(status) && WEXITSTATUS(status) == 0, + "jail_set(JAIL_ATTACH) with only CAP_JAIL_SET should fail with " + "ENOTCAPABLE (child status %d)", + WIFEXITED(status) ? WEXITSTATUS(status) : -1); + + pid = fork(); + ATF_REQUIRE(pid >= 0); + if (pid == 0) { + error = modify_attach_jail_via_desc(fd_both); + _exit(error >= 0 ? 0 : 1); + } + waitpid(pid, &status, 0); + ATF_REQUIRE_MSG(WIFEXITED(status) && WEXITSTATUS(status) == 0, + "jail_set(JAIL_ATTACH) with CAP_JAIL_ATTACH should succeed " + "(child status %d)", + WIFEXITED(status) ? WEXITSTATUS(status) : -1); + + close(fd_both); + close(fd); +} +ATF_TC_CLEANUP(cap_jail_set_attach_bypass, tc) +{ + remove_jail_by_name("cap_set_attach_test"); +} + +ATF_TP_ADD_TCS(tp) +{ + ATF_TP_ADD_TC(tp, cap_jail_set); + ATF_TP_ADD_TC(tp, cap_jail_attach); + ATF_TP_ADD_TC(tp, cap_jail_remove); + ATF_TP_ADD_TC(tp, cap_jail_both); + ATF_TP_ADD_TC(tp, cap_jail_born_privileged); + ATF_TP_ADD_TC(tp, cap_jail_born_unprivileged); + ATF_TP_ADD_TC(tp, cap_jail_set_attach_bypass); + + return (atf_no_error()); +} -- 2.54.0