From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:04.jail
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260224163752.3919B11DDF@freefall.freebsd.org>
Date: Tue, 24 Feb 2026 16:37:52 +0000 (-00)
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

=============================================================================
FreeBSD-SA-26:04.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Jail chroot escape via fd exchange with a different jail

Category:       core
Module:         jail
Announced:      2026-02-24
Affects:        FreeBSD 14.3 and 13.5.
Corrected:      2025-07-29 12:49:03 UTC (stable/14, 14.3-STABLE)
                2026-02-24 16:01:32 UTC (releng/14.3, 14.3-RELEASE-p9)
                2026-02-09 20:44:00 UTC (stable/13, 13.4-STABLE)
                2026-02-24 16:04:42 UTC (releng/13.5, 13.5-RELEASE-p10)
CVE Name:       CVE-2025-15576

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Jails are an operating system virtualization technology which allows
administrators to confine processes within an environment with limited
ability to affect the system outside of that environment.  In particular,
jailed processes typically have their filesystem access restricted by a
chroot-like mechanism.

nullfs(4) is a pseudo-filesystem which allows a directory to be mounted at
another point in the filesystem hierarchy.

Unix domain sockets are a mechanism for interprocess communication.  They
behave similarly to Internet sockets but are identified by names in the
local filesystem.  Unix domain sockets allow processes to exchange file
descriptors using control messages.

II.  Problem Description

If two sibling jails are restricted to separate filesystem trees, which is
to say that neither of the two jail root directories is an ancestor of the
other, jailed processes may nonetheless be able to access a shared directory
via a nullfs mount, if the administrator has configured one.  In this case,
cooperating processes in the two jails may establish a connection using a
unix domain socket and exchange directory descriptors with each other.

When performing a filesystem name lookup, at each step of the lookup, the
kernel checks whether the lookup would descend below the jail root of the
current process.  If the jail root directory is not encountered, the lookup
continues.

III. Impact

In a configuration where processes in two different jails are able to
exchange file descriptors using a unix domain socket, it is possible for a
jailed process to receive a descriptor for a directory that is below that
process' jail root.  This enables full filesystem access for a jailed
process, breaking the chroot.

Note that the system administrator is still responsible for ensuring that
an unprivileged user on the jail host is not able to pass directory
descriptors to a jailed process, even in a patched kernel.

IV.  Workaround

No workaround is available.  Note that in order to exploit this problem, an
attacker requires control over processes in two jails which share a nullfs
mount in which a unix socket can be installed.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, which were not installed using base
system packages, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-14.patch.asc
# gpg --verify jail-14.patch.asc

[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-13.patch
# fetch https://security.FreeBSD.org/patches/SA-26:04/jail-13.patch.asc
# gpg --verify jail-13.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/14/                              3ad3ab5f9b6e    stable/14-n272076
releng/14.3/                            fbc35b3e6615  releng/14.3-n271471
stable/13/                              73530e4c2ea9    stable/13-n259752
releng/13.5/                            e6b96891ef7c  releng/13.5-n259202
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
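To find the configuration that FreeBSD-SA-26:04.jail describes, the following added example (not part of the advisory) takes the jail roots printed by jls path and the mount table printed by mount -p on the jail host, and lists every nullfs source directory that two or more jail roots can reach. The function name and the sample roots and mounts are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the advisory. Lists directories reachable from two
# or more jail roots through nullfs, the precondition named in SA-26:04.

# $1: jail root paths, one per line (jls path); stdin: mount -p output.
shared_nullfs_sources() {
    JAIL_ROOTS="$1" awk '
        # Longest jail root that contains path p, or "" if p is outside all jails.
        function owner(p,    i, best) {
            best = ""
            for (i = 1; i <= n; i++)
                if (root[i] != "" && root[i] != "/" &&
                    (p == root[i] || index(p, root[i] "/") == 1) &&
                    length(root[i]) > length(best))
                    best = root[i]
            return best
        }
        # Record that jail root "jail" can reach nullfs source "src" (once each).
        function note(src, jail) {
            if (jail != "" && !seen[src, jail]++) {
                users[src] = users[src] " " jail
                count[src]++
            }
        }
        BEGIN { n = split(ENVIRON["JAIL_ROOTS"], root, "\n") }
        $3 == "nullfs" {
            note($1, owner($1))   # source directory itself lives inside a jail
            note($1, owner($2))   # jail that sees the source through this mount
        }
        END { for (s in count) if (count[s] > 1) print s ":" users[s] }
    ' | sort
}

# Constructed sample input (not taken from a real host).
SAMPLE_ROOTS='/jails/web
/jails/db
/jails/build'
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
devfs /jails/web/dev devfs rw 0 0
/data/shared /jails/web/mnt/shared nullfs rw 0 0
/data/shared /jails/db/mnt/shared nullfs rw 0 0
/usr/ports /jails/build/usr/ports nullfs ro 0 0
/jails/build/out /jails/web/srv/out nullfs ro 0 0'

printf '%s\n' "$SAMPLE_MOUNTS" | shared_nullfs_sources "$SAMPLE_ROOTS"
# On a jail host: mount -p | shared_nullfs_sources "$(jls path)"
```

Each output line names a shared directory followed by the jail roots that can reach it; mounts are listed whatever their options, so read-only ones are reviewed as well.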

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:05.route
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260224163755.42E4011E61@freefall.freebsd.org>
Date: Tue, 24 Feb 2026 16:37:55 +0000 (-00)
List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications

=============================================================================
FreeBSD-SA-26:05.route                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Local DoS and possible privilege escalation via routing sockets

Category:       core
Module:         route
Announced:      2026-02-24
Credits:        Adam Crosser of the Praetorian Labs team
Affects:        All supported versions of FreeBSD.
Corrected:      2026-02-24 16:00:26 UTC (stable/15, 15.0-STABLE)
                2026-02-24 16:00:39 UTC (releng/15.0, 15.0-RELEASE-p4)
                2026-02-24 16:00:56 UTC (stable/14, 14.4-STABLE)
                2026-02-24 16:02:31 UTC (releng/14.4, 14.4-RC1)
                2026-02-24 16:01:35 UTC (releng/14.3, 14.3-RELEASE-p9)
                2026-02-24 16:03:17 UTC (stable/13, 13.5-STABLE)
                2026-02-24 16:04:45 UTC (releng/13.5, 13.5-RELEASE-p10)
CVE Name:       CVE-2026-3038

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The routing socket interface, route(4), lets users query the state of the
kernel's routing tables.  Most routing socket operations require root
privileges, but unprivileged users may send RTM_GET messages to obtain
information about routing table entries.

II.  Problem Description

The rtsock_msg_buffer() function serializes routing information into a
buffer.  As a part of this, it copies sockaddr structures into a
sockaddr_storage structure on the stack.  It assumes that the source
sockaddr length field has already been validated, but this is not
necessarily the case, and it's possible for a malicious userspace program to
craft a request which triggers a 127-byte overflow.

In practice, this overflow immediately overwrites the canary for the
rtsock_msg_buffer() stack frame, resulting in a panic once the function
returns.

III. Impact

The bug allows an unprivileged user to crash the kernel by triggering a
stack buffer overflow in rtsock_msg_buffer().  In particular, the overflow
will corrupt a stack canary value that is verified when the function
returns; this mitigates the impact of the stack overflow by triggering a
kernel panic.

Other kernel bugs may exist which allow userspace to find the canary value
and thus defeat the mitigation, at which point local privilege escalation
may be possible.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, which were not installed using base
system packages, can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:05/route.patch
# fetch https://security.FreeBSD.org/patches/SA-26:05/route.patch.asc
# gpg --verify route.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              df932377e7dd    stable/15-n282455
releng/15.0/                            5de6a55c70ba  releng/15.0-n281009
stable/14/                              1eb2beb3686c    stable/14-n273785
releng/14.4/                            7465d0b094b7  releng/14.4-n273667
releng/14.3/                            d521badafdaa  releng/14.3-n271474
stable/13/                              8b476ffc4ea3    stable/13-n259798
releng/13.5/                            c2e2bfbd9e09  releng/13.5-n259205
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
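
The check below is an added example, not part of either advisory. It compares an installed kernel version string (as printed by freebsd-version -k) or a source tree's commit count against the Corrected and Correction details values of SA-26:04 and SA-26:05 above, and names the advisories that are still open. The table and function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of the advisories. REL_FIXES, SRC_FIXES, still_open,
# kernel_status and source_status are names chosen for this example.

# advisory  release  first fixed patch level   (from the "Corrected:" fields)
REL_FIXES='SA-26:04.jail 14.3 9
SA-26:04.jail 13.5 10
SA-26:05.route 15.0 4
SA-26:05.route 14.3 9
SA-26:05.route 13.5 10'

# advisory  branch  commit count of the fix (nNNNNNN in "Correction details")
SRC_FIXES='SA-26:04.jail stable/14 272076
SA-26:04.jail releng/14.3 271471
SA-26:04.jail stable/13 259752
SA-26:04.jail releng/13.5 259202
SA-26:05.route stable/15 282455
SA-26:05.route releng/15.0 281009
SA-26:05.route stable/14 273785
SA-26:05.route releng/14.4 273667
SA-26:05.route releng/14.3 271474
SA-26:05.route stable/13 259798
SA-26:05.route releng/13.5 259205'

# $1 = table, $2 = release or branch, $3 = patch level or commit count.
# Prints the advisories not yet fixed at that level, "none", or "unknown"
# when the page gives no fix level at all for that release or branch.
# An advisory with no row for the key is treated as not applying to it.
still_open() {
    printf '%s\n' "$1" | awk -v key="$2" -v have="$3" '
        $2 == key {
            known = 1
            if (have + 0 < $3 + 0) out = out (out ? " " : "") $1
        }
        END { print (known ? (out ? out : "none") : "unknown") }'
}

# $1 = installed kernel version, e.g. the output of: freebsd-version -k
kernel_status() {
    case $1 in
        *-RELEASE)    still_open "$REL_FIXES" "${1%-RELEASE}" 0 ;;
        *-RELEASE-p*) still_open "$REL_FIXES" "${1%%-RELEASE-p*}" "${1##*-RELEASE-p}" ;;
        *)            echo unknown ;;   # STABLE, RC: use source_status instead
    esac
}

# $1 = branch (stable/14, releng/14.3, ...)
# $2 = output of: git rev-list --count --first-parent HEAD
source_status() { still_open "$SRC_FIXES" "$1" "$2"; }

kernel_status 14.3-RELEASE-p8     # constructed input
source_status stable/14 272076    # constructed input
```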