From nobody Wed Apr 29 18:40:58 2026 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2g1n1Kz6ZtwK for ; Wed, 29 Apr 2026 18:40:59 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2f48MYz47tr; Wed, 29 Apr 2026 18:40:58 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488058; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=v4skgfLChW/sRDkqlzs4LFG1hA6MSu7RFCaDuxlk0fw=; b=QWe5iIFlrvO/7UX0R77hihndyKyEUUHlw+6OJlLp4eJFNXjmHgWSxG7HYY9e/MbHbT+FPI Uw27UJkL1xtfqshvDbvagyDSvQ6oyOdjU9zWWbjaZqpEkxfutowIQHe8eCR5JYBgc5KaTt RVyAMTuSIv1R5wkaRtkj0QBymzC6s4YUwAJ9wvt75TOXgpjTjtRzAyskkmjZoQba10+iDL Qo8j51PNxJEA8681BO0+xp5whByrRtWmGE1HXx8vOJ0yLa6sL796Dsx9eY/+G1nA+o2mUH z1UXfwTRc3jgtteB9zB3ofQOloqYPOOzaaFoBh1gRZG4MtTfbCTrByRh0UWBDQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488058; a=rsa-sha256; cv=none; b=XqKwrQa5XTg35RDyAfMtlB0PL7nbAn/dM2gR/seZoCjkhE7yr2QBQ193jkOYXKjXJfy2Ae InG8EzE9+sXkpghaJxrLgdlR0AmnLdQYr0SFwJ5JWVGsqVi+ffyJ7c4io0k6IJWZhhxjeD 8LGVUqG90sEETrqQAFztmA9FboX7B6h1ZR/pBH5Vg5wLAyZC6S16NjxRLByEhvlx4T/WOB pmrSN8m/blasXS1G/Afly3j6aGAlITJh+uU/udILIpDNN8C4y2OoJuGqVhGTlRj0QQlzVa /iNnoMIxdgJun/dXCbymCf0d/2aFmdS/Smc2A4N3TiOUXdAo05yYBEF5hS0E0g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488058; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=v4skgfLChW/sRDkqlzs4LFG1hA6MSu7RFCaDuxlk0fw=; b=AGw2XDR+IfpsoJ7cl9vZ0Ze/lnBOIkCe73bulISNOSzQFNcoRNblWA809HWVr9uIjZJlgo UzendzTM9CyNNllW+if+P+VairsDRXW5OYRP2PdOdzjEdlbsYdd6GF4eelHs3kDqu05pYZ Zld4i51zkUty9oHsYrCnZr7KTAFfpy8KuGD8gwnT1mzcTh/RvyK5XSJNrLh6Fp6G8CnJZY EOvRpWz9Bupedm24MOT68fHrJS0pdRhaY7QTWFSXN4UAawvZRUmS76Q17pR94506CuIaV2 132hI8fu0OlBkaOTGDacwRBmvtfpuVbdBZBVeOVtxHF8uB2ivlKeHJa7CEUzNg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 4C1B195FD; Wed, 29 Apr 2026 18:40:58 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:12.dhclient Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184058.4C1B195FD@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:40:58 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:12.dhclient Security Advisory The FreeBSD Project Topic: Remote code execution via malicious DHCP options Category: core Module: dhclient Announced: 2026-04-29 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:47 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:28 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:50 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:41 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:22 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:06 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:18 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-42511 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is responsible for contacting DHCP servers on a network segment and for initialising and configuring network interfaces based on received information. II. Problem Description The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. III. Impact A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient. IV. Workaround No workaround is available. Systems not running dhclient(8) are not affected. The attacker needs to be on the same broadcast domain and respond to DHCP requests. A well-managed network will configure DHCP snooping on switches to prevent rogue DHCP servers from operating. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch # fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch.asc # gpg --verify dhclient.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 2621f6c5d4ae stable/15-n283377 releng/15.0/ e7b4fb41aafa releng/15.0-n281029 stable/14/ b3087e05e848 stable/14-n274076 releng/14.4/ 73b801e3b5b3 releng/14.4-n273691 releng/14.3/ dda71167a101 releng/14.3-n271492 stable/13/ 46c01e4dd102 stable/13-n259859 releng/13.5/ a2d45189b9ee releng/13.5-n259215 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySScbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv/HEQANr71RMaW0408Cp2xZ/n DN8DsU7vCXPDcZWF/HAl+COurXipEycxnP6pBdm2uCqRGWXmNPkjyA5nyoAM2qYP 9b3rXQHKdrqc0vvbjJuahzqfttwcv1jFQp+8Z8N8TYWUnETprai5VOwZ+7p2caGC gZg3UkS8qx7+qUZn1c1nOpYgW7AE1cxuBzSM3O/4pyaSnnMGgeUcz/utv+F272rn /rdDaC1nvH09OKIJOqBxOQ7m7izTBu70P1zhuWmGDAzmvy1sNCUpv325iFBc7B78 fRvINps878aSqheJqIx2jpeykW+nBjbVpsh++0ZUNjoWQTbZM7WaxNJxD4KjdInW zvK24qX34aMrY4pS0BjpQ46RTkEIDFnzSYTUAN+33LQ9rQ+1DaUF0UJAlO10XBQ+ 6J1ZDXnSmqOsXu2pnRyXWKrsliz6+j3LOzkJoc2gQFwiDzex20ZJtO3Jd2dVMJ5a F/jN5SY800LhvCbPFPL4k03xK98n7fLs432jsJOMYtRvY9N62oEbufBj0dCS0S15 A7Vj537ziRZuGt4xz3vdE48GEBdxm+frPNadS8IurW1gDN4Rr0d5VLfKFwMsiSXr baVMWTjn6kcfpomYDhl5451lDAyhZ20qFxx9M1lRNj7ploz4khmdv1e1zqENocQd t4eQrptk4YUgxEIZ0R56b2qf =h/Vp -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:41:03 2026 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2m58H1z6Zv0w for ; Wed, 29 Apr 2026 18:41:04 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2l75Llz47sB; Wed, 29 Apr 2026 18:41:03 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488064; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Eek2XY4nJcTQATsNfh1hGkkrRe7p0UmcElpBX96ViXw=; b=wx/vpDRczGWnI0zeao85EmKchMgVU4dezLqmoGMm1nG3QnZsnaO6EeTmmXHskdybkddoju ItW++CQOAykB2YxXcPuU7YVR7RqfjvpVVFhcT+mnjtCDeHwL5ycM+zRvwf9iNQgEsG6yN1 ug7a9R8GvLcYiJJb6hlYACo/L5mUqUhz1Bi37Nf+9o0ZWdAWYHd526yBzQgjykZs9JMq06 dilHMJ3kwIwDrbgx5jYHiF+MM5H4i67r4/roBRmHTnCtAV4+C6qcuLiEwTfwm4YjkbrENB z/aKTu9RqjkWyy4scPyh0c8DQGdSffzPwIqJ5P2bfTJzTimhfOJHu4me++mgfA== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488064; a=rsa-sha256; cv=none; b=V89sLld1MDVtmd8zwENU7Y7D66XYT12MPqeSmzfGcl1dSTNNYmYLlx4sM9ZPEXdYK8Tfzh v6JlrIHFeqrRi9RXLt3RvRjcy1pgyAx+vynBcPNVAWaBz7usBvRTqImgVzie65p9Cy48nv BvPp0ZvS87kJLj01BEPi/VrPItvftlVRTwSLVl95l0XrZhENecceT3RG9lesQIokIOncm3 +VbVOWXLrTQQ8nLKoBnlDoxPXWhQtYEjglsAxsfxLfy2qIvRIZkaI1BKolEe2ZVS/gKb3v FhzKMbYkz8NAoqNMbIACjvDnyRqUvrsx/yIDggLZfQCGHgbF7GQKzkSkvcJXOw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488064; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Eek2XY4nJcTQATsNfh1hGkkrRe7p0UmcElpBX96ViXw=; b=F6CC1MzgSlsgjCjYDu8mqcxBJnaOSUqwcckMQ+95jWylfIhdwiL69tMO3K3kerZux/4nEo Nz0wzPX05o6dc9ZurGtAQW8/jq/ul8lF0YdUGuA0PwrSzFjl/FoZZt2zK7Tfw2f+Ir3Mkq OvKx5xnTYI84NfwTZUTAiFc7kSMPFL01qNWX9ckNwJEHSSXlBU1wzquwKSQWjDfK5DoyMi tVG7U8FAvDo4KeY6vwAc+398mvjpaugtZHr8T7B62FwA5lZO4ISA5MxF7z1Ijh/vniTDYE E8o7KrgXbIGqKLeQG5g6z5QlS2CKi2nZqlvtTrKRaMkLOn447hWponjlq6wiLQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id CF0519850; Wed, 29 Apr 2026 18:41:03 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:14.pf Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184103.CF0519850@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:41:03 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:14.pf Security Advisory The FreeBSD Project Topic: pf can overflow the stack parsing crafted SCTP packets Category: core Module: pf Announced: 2026-04-29 Credits: Igor Gabriel Sousa e Souza Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:50 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:30 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:52 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:44 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:20 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:08 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:20 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-7164 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background pf is an Internet Protocol packet filter originally written for OpenBSD. SCTP is a transport protocol with multihome support. pf parses SCTP packets to discover additional addresses for SCTP endpoints, allowing it to create states allowing connections between these additional addresses. II. Problem Description Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic. III. Impact Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset. IV. Workaround No workaround is available. Systems not using pf are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-150.patch # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-150.patch.asc # gpg --verify pf-150.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-144.patch # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-144.patch.asc # gpg --verify pf-144.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-143.patch # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-143.patch.asc # gpg --verify pf-143.patch.asc [FreeBSD 13.5] # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-135.patch # fetch https://security.FreeBSD.org/patches/SA-26:14/pf-135.patch.asc # gpg --verify pf-135.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ e1c9f92130e8 stable/15-n283379 releng/15.0/ c01d9bcf0cf6 releng/15.0-n281031 stable/14/ ba21845e94dd stable/14-n274078 releng/14.4/ 0cbe512c7a80 releng/14.4-n273693 releng/14.3/ 63495b09ccf5 releng/14.3-n271490 stable/13/ ed0e766f1256 stable/13-n259861 releng/13.5/ 0ab05345fb40 releng/13.5-n259217 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySS0bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvIZAP/1GsgtB+t9rl+cOV5dv6 EeW82SX6ivf2GdmjiuXGSKoGuw3VsXPUC4RCcnFoewr1dmh+p0mGGnN0mH7lwXlT 8HG/ZF5sRXAvbaqMt2t2kPh6RbSUTfDm9TWpFQRCUmCn2PjAtrZtjQAjEZZOhfAS domShW7gUMTHl5AA3bpSWyL/GL2/WicOkhczJAoRg8rlUiFmTg8OYWPmSZfXfLtf E5AeXlfn5OaXFFupB+FKsdQDShU2p01kh6BtpyfH6TXa7a2yM3Cu4OdL37oy+TSi OgH3G7/CveNXqRknOD5DJi/kwIGbWpGLGnyAerOepY3MMq8Wag5Wz0Ive2H6B6Ud 45v7cmXhDUUaNv/vAW/q+oiru0qJKzEvOlL7RWOxDLz1eL1P8Cqj9fJBLmD9Z3GW t4QwGS09bkDcvkxyLh4HkrHwuOmZIP/OXfdHZji98N7tgmvepiNdv8e+Ww2Pm/Oc M+E+44nx2grOpo5kewoUUT9KPxNMwn2h91Pdh2qLFCAb/HTuJ9cpPcoKvw2DAsYz 6IGLxUjQA13kkD9J7ehlvEd1/OaYxBeRIBVIJAxV2Y3OJMLhQRCu1HKz1ACNkQY0 /wHT5DXf4Q8PfGCEyEjtRI/tVAtVFdojSAfyWuxfusSjTxGD6SAz/MjWKI0oqGPZ oTn0P+vVYzU3/bYgLl6DYOCP =dRoD -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:41:08 2026 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2s0yl7z6Zv7t for ; Wed, 29 Apr 2026 18:41:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2r5b8Yz48R1; Wed, 29 Apr 2026 18:41:08 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488068; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ZPzjWcqe2VnMZOeJXvNp7SfBFjE4uSwP4KMGn48wjY4=; b=ZIV7eGsM+BJVO36jeNzN0Pa9k/ZlR/v5BS+a/VkA7DKXxKn7v54z4jZH17mr4LhijmzU4n DmBCl3is1wfLuPGkGj8uUygzZmlKtTjh7fJNyNmEL5tOsqJ3HInM4bDXmH0LavhNKGYKkU oepn2SXdz1SK60BtzP4aFGLrOcbb18qZD7jV6EJhJmEJv9Y1hIqShN4ckZKeKrXdj+GyLG IBReIVU0E9YISybcGNVNobq4i1jN/fYwiRBCMXXfYObqs9m0uj9RVexm5gGBWTw3mEDrG1 8jpnkmJBAO7drxsNxC/HXEGhMzVdScvGlmvHqSn8RuHjUfKs1RliBHNJlP/Mew== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488068; a=rsa-sha256; cv=none; b=lEXssHLtEmDAxTNJjab/paK2U6uDQUjG8B9CxA/gYOC71dhIN3S5SHQ22VVFtgEqBIOEGr +WFxsBjUyLPTolCG7ca9F/Bil83QOl4zAHuX2UnAiH858m9X/5czIRMZgEZECx7tKuiiMV qfDsl0TnwRtaAMNKFBgu1Ae7tGrvcGFPau1xiz8FpqNWiATyQnovOkH3qs8WrX0bdtPdz/ 0Hy4f9ZMWBpqMbz3gdnhESNIlWBCqLmyT3rrcThJ6VQyqJ/cprq6sY0OjNBXA1e80m8JOd 7nxc0+U7TWyw7hLSz0VtR5p7V03KOqLhPDauga0tY+mUzeJEeINKuI57FQF0Vg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488068; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=ZPzjWcqe2VnMZOeJXvNp7SfBFjE4uSwP4KMGn48wjY4=; b=jjvVOI+eVuN+PPuAbD4n0vnigj7QcwnqykPYyG9D1eBmsJU4OZgw3r2Qua/sRZVsK+JjxQ l1QZvQHrt/ytcqV+ZfS6o4YU6bjratqq3kw69oq8uWe7oBC5vR2MUmouI+EX06Jj3hyy7y nOqCilXc8uh+SkBxu5MT+TtZrXdT7ic4736mEF1dXeO6fYA7v/QWBfLM2yDhw419cPODPU PQbEwzpNavamTExVy9/TbAMjkSE2qIln4Egf1cyCB37uOTtgT0pKu8RLaFIo/mRGRT+Bbs 71Z+InAg2o8A4nae5jKzqZ03BIlalRHBWkEsvmOBIPujH9feKwyFDyopIY3P4g== Received: by freefall.freebsd.org (Postfix, from userid 945) id A151F97F0; Wed, 29 Apr 2026 18:41:08 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:15.dhclient Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184108.A151F97F0@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:41:08 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:15.dhclient Security Advisory The FreeBSD Project Topic: Remotely triggerable out-of-bounds heap write in dhclient Category: core Module: dhclient Announced: 2026-04-29 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:49 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:29 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:51 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:42 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:24 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:07 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:19 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-42512 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is responsible for contacting DHCP servers on a network segment and for initialising and configuring network interfaces based on received information. When processing a DHCP offer, dhclient passes various parameters provided by the server to dhclient-script(8). DHCP options, as documented in dhcp-options(5), are passed via the environment. II. Problem Description As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun. III. Impact A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution. IV. Workaround No workaround is available. Systems not running dhclient(8) are not affected. The attacker needs to be on the same broadcast domain and respond to DHCP requests. A well-managed network will configure DHCP snooping on switches to prevent rogue DHCP servers from operating. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:15/dhclient.patch # fetch https://security.FreeBSD.org/patches/SA-26:15/dhclient.patch.asc # gpg --verify dhclient.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 4408b683d237 stable/15-n283378 releng/15.0/ 66d6c32ce7b8 releng/15.0-n281030 stable/14/ a813012f4b76 stable/14-n274077 releng/14.4/ d60456d859a1 releng/14.4-n273692 releng/14.3/ 76734958a098 releng/14.3-n271493 stable/13/ 5d3e93fda7ce stable/13-n259860 releng/13.5/ 5a5e7883a3bb releng/13.5-n259216 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySTMbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvvwIP/3DfD428ehRM/ukPC7bY 2AUpIfE5s+AHvE6JiRF8IcbsuVRHsMfO1Z6YWYMfPxhzTpoKhjBcC1XuM6fMugcP 9GFRoW1u4f17trfSSTFMbgTA6q7EC1hab1wQsGhpgazQA+lGpUjoISC88ah+jiEu +Z1b9ubyuYURnstf5V5gj3cRunt9YL3ZuBC0oJJaybODJSuVvuvgZL3QvtwSGM98 OJmqEANEYO3uGpkbeJsIXBYvzqJdzVHpp/rVF84+PHYLp/uqVaWFllflWLwEp6wE 0oSKmsWljjPjL2bIcbsxu+aJH4XJDwDizgYRq6IVnbV/G3XYqQPJwMyQh/qGDhIq 8hA3tG/aQrs5ukL4WE7eMMM+fNzy+LTBfD3vWyfuabFHmKXBCI+Kc6q+oNcPGXeq /ofaJav+ivO4d0H6XHIJ/MtZOO9782EXYWmR8X8E4myZ4z6/vtmqUzL457Kh2v7b rdGE/1tdd+CyIVobfcuPJBq0cx8Fp8gVydcQ7Ts6i5Hqx/Grz2za5qvQgsHsruqo ZQxb3rw7J6wp7w7duqEl9cYVZRgz9CdmTSmjCPi8Ws3nO0PCBV220/dHBHi/kPtl f2GPmIBJA2s0HjTiPQJp9LAFaAnUuCsleo4PEj04NDe6QFMt/u1W22AZbO50zCOQ wuVe9dL9HWnNoKuR1hjIWB27 =rnNn -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:41:12 2026 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2x25cSz6ZvKl for ; Wed, 29 Apr 2026 18:41:13 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2w6LLQz487P; Wed, 29 Apr 2026 18:41:12 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488072; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=JhrmztvykV13LAtB00giocImtvWNZM7PyGbt1l63Zb4=; b=usBft/qLCcVDwpetPBFwAojmeqQaSdKAjNRs4g3NQdE1Ef0CikA+fMzy2S3zeMeS6AIvXP t5rMnPMse8e++bLseEpAGs3/sXFSbUo47EwfgfukjOavVavLFJL3IC9K3d/eWS4dUTWE9p HtiSoTZhJhnJ4PtFAysrxwfR2gQcEI2C8EpEH72JtrKrGyeUdd+foFCwjPJfzL3wN69Rkg pTrX7ODZNLvinCDDhwKCzPP9mCPYByPpEij4MN5GH679xmT3WIlbxpRPzLlCjeMK/SLWQO QULEDVSBPQsMfVdcIPYaNQDgbIpI3kUAkIFTyTY3KQWCfeWDRKn3WXZWNsDi9g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488072; a=rsa-sha256; cv=none; b=VweuG/giFCD67HYfHnHVliwDTsAS6pavm3z/O/gEJKlnzIyNOqX+bMEAzZREBEXO4GZene TB3LD/axKfzZlZqoltG9TPytLw1rUwdddXdg/ixEU8ysTeIwvIXD9CtlwnJyPRxVHAmzhs O5mHhI4sdWbjVLkiy1wraSIPszq4jMRemFofBQbYaxkiQzK/4iXqb19gRCLN007UShudlS kvx95tyrY4aiuVyNcoxRuzTiXt7aOF/j8kK1ph7WQdfBTmNTotSBOgUeW8dKDkjnlcHy6k r7xtPVetmmmMwbqo7DXqMDTvwUdSP8pDDK17F5uRV29H2ztw8drFNQbBM+dYcQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488072; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=JhrmztvykV13LAtB00giocImtvWNZM7PyGbt1l63Zb4=; b=r+FtFHodVSFp2FZH2Tp/mPwPTeTLddQpgyHbzkv1sn3e7k2T+Am8V/t2CEwmdLE66QeJl/ Im434Nf2n78WpM97jp580LyyIGagLCEk6XVtgmXICZ5kTRSt8R0kcQX+or6NOfRxP8mr6e Jz8o9o5W8d3rvED0q29hJhBEn83a5khemfBYsEUv7W8AwHf2V03Wx37ZcK6206r3yUlAf8 WGFgRs/UBHp6ho4/+A9HdK96gbC+gpUjvBciLie7S2ml8vXIilarT5U+zqk4vlufEen4CP ygRnrqFvmCTTeBN4AQFGrPAzTYblGtrLi4ogXAB3+tZHNalEGp21odmkZAdDTw== Received: by freefall.freebsd.org (Postfix, from userid 945) id BAEFA98C1; Wed, 29 Apr 2026 18:41:12 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:16.libnv Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184112.BAEFA98C1@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:41:12 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:16.libnv Security Advisory The FreeBSD Project Topic: Stack overflow via select() file descriptor set overflow Category: core Module: libnv Announced: 2026-04-29 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:51 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:32 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:56 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:47 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:27 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:09 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:21 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-39457 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background libnv is a general-purpose library designed for storing and exchanging sets of name-value pairs. This library can serve as an Inter-Process Communication (IPC) framework, enabling processes to exchange data and file descriptors. For example, it is used in libcasper to establish communication between privileged and unprivileged processes. Additionally, libnv can function as an interface for communication between userland and kernel. Originally, libnv was inspired by OpenZFS' nvlist implementation. However, the implementations are separate. This advisory relates only to the base system implementation of libnv, not to the one in OpenZFS. II. Problem Description When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). III. Impact An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date and reboot. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:16/libnv.patch # fetch https://security.FreeBSD.org/patches/SA-26:16/libnv.patch.asc # gpg --verify libnv.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . d) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 025789eaa648 stable/15-n283380 releng/15.0/ 7e4d5363ddce releng/15.0-n281032 stable/14/ 45809b0e1bc1 stable/14-n274081 releng/14.4/ a5cb4863d65a releng/14.4-n273696 releng/14.3/ a872c32f389e releng/14.3-n271496 stable/13/ 4acc2b5c61a7 stable/13-n259862 releng/13.5/ 32d12677ff45 releng/13.5-n259218 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySTUbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvEdwQAKF0kwMDT0ZjvcDnvqXa NmJEse7XRdFDWDcMp8NtSQK5DTYBRpUgwWiC7M+HRr4QIf/aIjzwuJdu1luK913i vAJJUbAaEAdGbNqd35FtDlnTWQE638R4HQ0TqMBrUfGTSp0O5SPOpTSPXB1Fw/F7 Q3c22lNDHgxgZ8+DOoJH70HgjdVskz3ezZroYUKfmk5vh9yZtVM9zMr6iGr6TUA7 OEbIrMlRCJ3pI9dOSGNKz1i/3s8bMS3U3nvAWIYPdSjKQBOyRdHoZHtk4SfY9TVs epqQQccUv9g5+E1QgxxoQHLR4dLkCHEJKOU2sqc/qW9KISX2rsTd2UYgYubxtb+j CIzTg23/rkMMhCi3VZ9NVLmGrxZclxyvAVJ/V3942jjag0c1onc+5RH0IGAljgay hobn3CBqE2NIOjoFyCJK9RcZ+wtvxFoQFdX6A56h5vDD2I/H7MIFJ0EnW3aWvT8f 0xiWhD4//9AU3+06soPt6l4tE/YaXJbcvYb92kC1JbbGVApMrDYbdxu3QK8HwAlV mNTFd3hgoEzlCiFH9vDNK/RIsVE67kb4KjqZKC1ElWrQbawQZtnKUigpxGcZbhCC 9zwXgoFRHCzeBiO77anQMgArNuY3Wj29beepzCvOA7u/KRyDTvDat8YRWNKbWS5L T3cMyFqgRkUgr7tajk0L51Xx =Edvm -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:41:15 2026 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R2z5Xhrz6ZvFD for ; Wed, 29 Apr 2026 18:41:15 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R2z3xk4z48w0; Wed, 29 Apr 2026 18:41:15 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488075; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=12hx3gdyvyd4jDmZfazu7fjld61j0sJcmSvqqFiAhgY=; b=oYJtCRZ+Z3z3OrcLxiYSuDL5PCKGy0N0fEfEmifUB975//f22Ue/OfWjNhDkivtk0+TFRk iSKyKcWjPmIXPUyZqjtZ2zYbiqg5NE4JJlHthBe6fPEcKP21WGwpktzLUgFiSCLNsFHuL8 cr5e2wTGmHUIsInlYqb5ei60gJSW/jhlkMJUu1mz+0Yf8nkoCX4dokrGrQZER+W+iwEbUC tK0NJoq2g3iCaVGkgkRe/pWl9VBRsAoA9+xgjb/0DQmBRoYJEXs2phru2NazU8rgP6nBl7 7+SE5jGiMh7SbwSCb7BwFOUfLfgeKdMVMwur1/VLyhY/LF7AvZW+IHExBmF5ig== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488075; a=rsa-sha256; cv=none; b=IbIpuCrkP+EGGMKvdJTVs3UGIN41NnhkbwRVlFNEZDLsgw9lkYWAWT7VBw/8RATwa1HdMm jmB7lOauEdeQ5Zv00QaqazW9QSkGeQj03zOiPPImULEVTUvbEslMaFuRtxuBqVNQIpEsVk NyUX4ESNLYqzzHuSHnx4QgMEfjkt/hrIo69mX70yKUm0++2PmL5NrjziyGwZr1pmclipYv lbTlDlptXn0F3VDxKM9VIkhvspyBt5z+q5urC6C8ZkvQsk1lOuQiY/rT7nevjAFQsjNzDJ kROnEbuvu/FaSanHTaf6npAUYawEKVCoq9tlL/jKcOMTJxB28tbri1a8ta1IqA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488075; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=12hx3gdyvyd4jDmZfazu7fjld61j0sJcmSvqqFiAhgY=; b=FPzgETEBy6I9+RGuqPx95JpQm48zroweDIGFmTSMYhFJKWQQlXdFunYYh+tjU7dpxDYRyI WeI+km+oBJqK31OaX1gUIuDzj1PT9IrsnauVO2AKByzLPYTt6FVJcFh2X5lr+XJO/cUb59 EH7K7Eh7joc+G/qDV8XmG2WJnjiE5i0UbC+yBx2ugfKkEq9dbNK7wHQ4H8cluZCMNJw4tk 9QhimVT74qU3xc5nzDEsG7M/mNNeaLxMVWpjiXeCPHlIL5ICKVqpgCxJKOfwjdGrGjXc4H mQSVcZLoBXEOf5kKphldYBq9NKtL/BtQwxw6ZjHE45ANAxw/M6nnUrr3XTPfog== Received: by freefall.freebsd.org (Postfix, from userid 945) id 6C4A395FF; Wed, 29 Apr 2026 18:41:15 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:17.libnv Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184115.6C4A395FF@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:41:15 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:17.libnv Security Advisory The FreeBSD Project Topic: Heap overflow in libnv Category: core Module: libnv Announced: 2026-04-29 Credits: Mariusz Zaborski Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:52 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:33 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:57 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:48 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:28 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:10 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:22 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-35547 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background libnv is a general-purpose library designed for storing and exchanging sets of name-value pairs. This library can serve as an Inter-Process Communication (IPC) framework, enabling processes to exchange data and file descriptors. For example, it is used in libcasper to establish communication between privileged and unprivileged processes. Additionally, libnv can function as an interface for communication between userland and kernel. Originally, libnv was inspired by OpenZFS' nvlist implementation. However, the implementations are separate. This advisory relates only to the base system implementation of libnv, not the one in OpenZFS. II. Problem Description When processing the header of an incoming message, libnv failed to properly validate the message size. III. Impact The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:17/libnv.patch # fetch https://security.FreeBSD.org/patches/SA-26:17/libnv.patch.asc # gpg --verify libnv.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 414e25d7d512 stable/15-n283381 releng/15.0/ b345e07c8d71 releng/15.0-n281033 stable/14/ 1cbd6e148249 stable/14-n274082 releng/14.4/ 4f0992ce23b0 releng/14.4-n273697 releng/14.3/ aa15809f85de releng/14.3-n271497 stable/13/ 05b91c2a7106 stable/13-n259863 releng/13.5/ f7f48005fbe2 releng/13.5-n259219 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySTgbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvV+cQANyoTjQKCgT/ObIaHIvn /ZHiHhWtxqpnOGHiJQ/Pu32XfF4zngUmxH3RFM4V+p2QTKd+OnCojcr/nWjS1Xh4 D2G0TUYeTfEUzERLxODtWSxD6Px0n7qutRgpTx9yLid3N34av93aoQYnK+1FkqAf PonQlVKqI2Ab44879/Aw4glrjNQg2kGzAwSA4Nzik96BZMePQk6sDnzNKODz914O khZ6KDSc9Fc0jUS4RZUh1AXnAEV2a7vD3fQLg+8aegFiaIajnC4dFZPjl1jioawp 0Jm0f1UI/n5jfp/zyHCJZIgDNvcX+laFnLRJuB8XCrWk8luFdpVOTUjsuPMSA737 TwdSG05ZnGhWsJhQjK0mdkDxoH81wWW7mz21jjVBJ9UhaWhGMNV4mBSevfFYkFkb JHuHO0aCUB6e6/MJ/7O6d0tG9etdQUjCpQeLqXKiYQKqjQkplUUL0C2Uy7A4otEu MelMjHsQMQEjUpRVxX4IADyNQgtJjrroFDdoez3oBF1dfBxQrKkWBnKTTYrV6cbl fIVmkl2b6B/0FcGhAekDh1tLvHj4Ul0n8wzb19F7vT1+4QlnLOtIrXZcJdsTbqde tKRoUYcwvBpUn2bsefxWzEPZ9jvSBoIkSwPmSnu8zQ1jY44eyiHodaXkMsZygplL WfRkGmyutQ0XdUuhcCSyfi/G =K9xn -----END PGP SIGNATURE----- From nobody Wed Apr 29 18:46:09 2026 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4g5R8d41Gpz6bg5C for ; Wed, 29 Apr 2026 18:46:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4g5R8d1tZFz3Lcc; Wed, 29 Apr 2026 18:46:09 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488369; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=A/XwNBpbF2sN/Hdonm448dGX9avMSxaoy2aNIzE1owU=; b=QIF/VayLMyLEmRVshPuSYLsG9gbORomg09M2oCNUujBX0EMsKo+DwzLWr7YeL2dzQIl7by WVkKHpjoyKrvin6Y0g0r9ajvIHQ7DXZO0It0SmJ59R20nAqqAbtjkqZCfQsiuzDFwdtNeK RUZu1HD3/yPr9hhvyohtIVN7bjx7RFbTvJgcHPPAwAE181FipOQOdMaAFxTVmHFoBTKyLG 4v/T4KxgdGeyAshC5iv59IKAcrlsbtJeMfX/KULKcIlpjBCDKzjoEi6yYCkWCLdfJ6NLbw eemX08TxhdXzpF8HZm2ZHfQJMvcVZRu6+fzKrFme5tjN1F7/k85VjskaGSYAjw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1777488369; a=rsa-sha256; cv=none; b=uAzbYygCOZg6QMQIwtv6vHy0DuiTk4XmrKuwcEltMmUhdDeok315HNyVcHATbrilaRS8KC C8wRgalKeVjCIdYcTrye/GD53GSaSqhIeoYmvWXEUUff7s9dqf7CNqIbHdz3ktHQAGvjSp wbNVSdvHuMiJKl/7Hl/foR/vs9AvEld4I9e1XAYHYuAmi+wyENsrhSU8wD0doWwRIsAKj5 8/VETTgma9fwCR2aoyb1J4uYK6gjbwjfDiDSFU9KcbEDF5yvuAp24dfZxgoraG7LUUVENR VDj4cS7xqOOXSxG/cSEYIxY1gvAPTwvGRhg0Ve5pXB3j6p4NGoCWXP79iO5ABA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1777488369; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=A/XwNBpbF2sN/Hdonm448dGX9avMSxaoy2aNIzE1owU=; b=rcl5tcSWoxh5czR3dAMz9KuUXy/FxCcHSl9k4r8eYkTP+h6m/amTz0eCk4XyE0CRnuzile hAx8tOZeEY7xlvNk/dSK4LAaUhGt8aH9N7rFG27gR4H91lWtBHZtC+7u2rzCXFfugjtcg2 K/zXjlW3SP0FzILhGQu/5ngCA0K+lLcFYVsZJ3cUhlFqUTjMHukZs26DGptYgueP0HVHzi lA4pYFG06fbwGdH7aCRwabZ7Pc4SZJ1onh/NLw3Wh3GXjzLYWNESLc3Ccpjdd1zQEqGxVD HOrkx42L9gJCUFnxTbnsCg+xMYknuKHEJREKvxGduqFqNOHXL2CCChJuqz8DIA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 28EFB9920; Wed, 29 Apr 2026 18:46:09 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:13.exec Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260429184609.28EFB9920@freefall.freebsd.org> Date: Wed, 29 Apr 2026 18:46:09 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:13.exec Security Advisory The FreeBSD Project Topic: Local privilege escalation via execve() Category: core Module: execve(2) Announced: 2026-04-29 Credits: Ryan of Calif.io Affects: All supported versions of FreeBSD. Corrected: 2026-04-29 14:47:46 UTC (stable/15, 15.0-STABLE) 2026-04-29 14:48:27 UTC (releng/15.0, 15.0-RELEASE-p7) 2026-04-29 14:48:49 UTC (stable/14, 14.4-STABLE) 2026-04-29 14:49:40 UTC (releng/14.4, 14.4-RELEASE-p3) 2026-04-29 14:49:21 UTC (releng/14.3, 14.3-RELEASE-p12) 2026-04-29 14:50:05 UTC (stable/13, 13.5-STABLE) 2026-04-29 14:50:17 UTC (releng/13.5, 13.5-RELEASE-p13) CVE Name: CVE-2026-7270 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background execve(2) is a system call is used to launch an executable image, including scripts prefixed with a path to the interpreter. The system call takes a path to the image as a parameter, followed by extra arguments and environment variables to be passed to the new image. II. Problem Description An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. III. Impact The bug may be exploitable by an unprivileged user to obtain superuser privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch # fetch https://security.FreeBSD.org/patches/SA-26:13/exec.patch.asc # gpg --verify exec.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ c3e943e78e06 stable/15-n283376 releng/15.0/ 934b48683c4f releng/15.0-n281028 stable/14/ ae00a52921ca stable/14-n274075 releng/14.4/ 943aa64ba91a releng/14.4-n273690 releng/14.3/ f04c40607b8f releng/14.3-n271491 stable/13/ d619e3a3c0ec stable/13-n259858 releng/13.5/ 7c5c37ac8f8f releng/13.5-n259214 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnyTiobFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvVDoP/2CASXfMizRLg2uhf7ab Rq2AlXil/b3uDA316fV30LeAEc1X16VVRwuZbOPd8oovXnpt6ACj26Yg+4IsPyU9 ZEMNcm5tA0eEqicFrrVBNxyA41QMwB1S36+tyzoZ3CTWndTAu/5yVLb0VWoniW9S cvf8xULDWBVI48DUKuJ86Bh5aUPNMy2bCMaQc5V88aK5Cc4CG2ZWJu3pJa4+MWq2 CBXgOA3k3qqTIQ5imrRl+9RFYe5WAEnAYNWRauXmQKeJA41bDseUB/Bghy6KY3y+ uuIelphX3pz36cRQd83CIs6IjH0TQ0slizGsmdQ8jVDEbK+kWzSegOo90E8hepQg p929lZbUhpg98G2Fv7cLQ1W7+39dqrqcJubXb0xUcvBp6b9uEUJigRaYJJjxFBUc wtR6sTMqZeyQE/EDubgKMepaY7BWe8K/kDRFzPuGf3LSxZUFtXdsXHixOz6GUBjT oRgtF/QyPIDBlxzWriBI7hbY/4vcQ/XQ7/Q4+x5Q28CNsmw9dmqrolCel8Tvaqmy eFbbIDl+tQn+GolIs9xudzTx4lu1DGYrONoK7Gpb83UxQahkeUEryqhUJApxBskk 3Yt8nG0wWP2U8rZ8JbrWAFNIZU4/j6t+FcFctuh1bnyd88bSuQgEMbcGZ40AP9nS LBz716wDKXX8EOoJT6jjwZ7u =VIf8 -----END PGP SIGNATURE-----