From nobody Tue Jun 9 23:14:01 2026 X-Original-To: freebsd-announce@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8n4jYQz6gqY2 for ; Tue, 09 Jun 2026 23:14:01 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8n14xXz3Q62; Tue, 09 Jun 2026 23:14:01 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046841; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Vm+SqV7N3mqFN2q6T8hiC3FY/oljTsgurocxAreXDOo=; b=q7ltNezViOfqZWqW3SYHdYHe9aMHpPx8n9uRclHvY8aXBrplOgzhwC/0W8BEjhmz06dPsi CmKiA3fQp10dUY2l5phNeUtovE+nOh9IQlcP6rOY6cB/az4l97ait2D6/Aciv3iZL6POxy VSP8WXm7GvwSKR0umnWCR7S07P7+G9fkqJydIQONVDIiWrjlIrTOkPPLW1yG4zEzWwRHhp WcqRsYDusX0zwgb/XSfL7zE3hITdU76NO4E1NCUwwSLHFPkA41NYB8NbzhXY0WsBSuiJgM Wfjgwu/BXIY5wv25FzWRKPzwX7VIQozkqOMM9lLjrFZeRduDX9wtOSUUHJGTtQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046841; a=rsa-sha256; cv=none; b=S/baweG0HaFWB/A1FV+2Cm98oBMYwtUgjRk76+p1nqT2hC36p1CkvkEz+UTeo8IF91nZGZ krnx/T/rIHuuVHNifKe/+idol6FkOHD0UaWwglGQbRqJ930VJ6ixj0x0V4HyD0g246aLal Z3uXRma159Ne8VTBRqgpvtPA8MzFzo6KZGvPH6QnQhN+vDBvwApijWyfAibaj7WRctJTz9 8VelVU5yEaAOeBVtyvSXIsTn2BxqPDazuWx4nfL2ia6RiXuyVRVsxySKDx+3rPqVrD5vQ2 7H1ad0kfy1tliLfckm1uFjKYnmm2r+PL4ntRN8GK2eLx0THmG3bq1A+0UOC/Ag== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046841; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Vm+SqV7N3mqFN2q6T8hiC3FY/oljTsgurocxAreXDOo=; b=Lk+lFuVjaCu+bIYkLEGBuhk01/6eI/Dt8fdbYjfgePuC6EvQ6uBtXnoxGDJiN6u55dy70W Rxn0xaF+9pTztgckb376CU+3AvNjQLyAM/wvdS4tVmbmnM3rrageirSTz634ehHM+lWhc7 w6AgXfDkLswQigmfrcXDHXxoEV3EEeQs27MKN/exULv+CrxA3WC1QSTGHmJYWPf5nXDoJ7 ru7wm9lSWZuGfUghXAJFnuJ+X1w1i4XrpdFMMwUEm2amRvdUbOuzPr2ik2xygAIhLCcEty mtPZ2SPbAupGDREZ2j0qnhuNGARXQJOiBNeXzbQmVm7SUh630NR7t5wKegFUmg== Received: by freefall.freebsd.org (Postfix, from userid 945) id 1D5841FB71; Tue, 09 Jun 2026 23:14:01 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:34.vt Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231401.1D5841FB71@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:14:01 +0000 (UTC) List-Id: Project Announcements [moderated] List-Archive: https://lists.freebsd.org/archives/freebsd-announce List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-announce@freebsd.org Sender: owner-freebsd-announce@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:34.vt Security Advisory The FreeBSD Project Topic: Integer overflow in vt(4) CONS_HISTORY ioctl Category: core Module: vt Announced: 2026-06-09 Credits: Ed Maste Affects: All supported versions of FreeBSD Corrected: 2026-06-07 17:10:53 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:14 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:53 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-07 17:12:28 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:15 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:45 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49416 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background vt(4) is FreeBSD's default system console driver. It provides virtual terminals on the physical console, including a scrollback history buffer. The CONS_HISTORY ioctl(2) allows a user to resize the scrollback history of a virtual terminal. II. Problem Description The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation. III. Impact An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:34/vt.patch # fetch https://security.FreeBSD.org/patches/SA-26:34/vt.patch.asc # gpg --verify vt.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ deaaddf1d3c4 stable/15-n283854 releng/15.1/ 8ed11b21e544 releng/15.1-n283558 releng/15.0/ f4cf977dfe92 releng/15.0-n281061 stable/14/ b5a4f4bfbc95 stable/14-n274300 releng/14.4/ 799e830134d5 releng/14.4-n273723 releng/14.3/ 9cba21c2de16 releng/14.3-n271523 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiW4bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvpd8P/0WOqL3COrZKAvzgZO+u tOfo4MhWYDw+jMAHtFLU5qH6GNfgUA8j5OaLaN1Rf+Z0+UNyy6CC5wehumdzRHm8 dPdfW9mKA932rsrOMM5/RtgLmBjVok4VjzC+KZbpO2b2cEJN5Tq1ZIYqZyvhbUV5 ZXjgdTZ1w2osE7IzPK2v0OOCRh+uiVLjpBiE4M18K0bmsnEytHm3xOpUUIkSNGWe gwunylrC0FstCKI778agymVHf4LX/xzEm7E62B4Ydk21GbB5QEx8ZnOOWWY8OehJ O48CBQILxnsIYSySx258nO9K8SwrZ45IonJmxb+N1OTTl+qDeSQo9Wfw2zTR4YZl qBBXpl9Ra/dL4zOGM0HOBEwlOXruCC4vm84vipZowJwO5e97/XZVdhNhkU8HHNWO 256nEIRwAFx/KqJ63AseOsq6REIP6hhCLo8NyWqLYpdp0MGClZ7UBQ5ay6TvwVHD Qf+KyZrfGh6q7pU2ADmLdzf0H6FiUASsbPiRjcd5o/T4qPY9vJKJGOfd8EVHqzsH Rh2yhdtbsbCqTvfOjnUIuj5vJnk3sr/HG9wJXNqEgLcBz33/jmNaNhHXcyc2Yw9N 7lBHW20nj3jDFhK8MdKSvBUZ4WSmr8yBYb85v4L6kb9EKDiUQMa7eJ6cCaHYYRff NH418v0qjh1t7fJRdmx1HtvQ =ZGXy -----END PGP SIGNATURE-----