Date: Tue, 21 Apr 2026 16:14:38 +0000 From: Gordon Tetlow <gordon@FreeBSD.org> To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org Subject: git: 7eaa453c1d - main - Add EN-26:05 through EN-26:07, SA-26:10, and SA-26:11. Message-ID: <69e7a26e.39894.641eed19@gitrepo.freebsd.org>
The branch main has been updated by gordon: URL: https://cgit.FreeBSD.org/doc/commit/?id=7eaa453c1d9de4d94e26f675d428ddb341308621 commit 7eaa453c1d9de4d94e26f675d428ddb341308621 Author: Gordon Tetlow <gordon@FreeBSD.org> AuthorDate: 2026-04-21 16:13:41 +0000 Commit: Gordon Tetlow <gordon@FreeBSD.org> CommitDate: 2026-04-21 16:13:41 +0000 Add EN-26:05 through EN-26:07, SA-26:10, and SA-26:11. Approved by: so --- website/data/security/advisories.toml | 8 + website/data/security/errata.toml | 12 + .../security/advisories/FreeBSD-EN-26:05.vm.asc | 158 ++++++++ .../advisories/FreeBSD-EN-26:06.timerfd.asc | 140 ++++++++ .../advisories/FreeBSD-EN-26:07.pkgbase.asc | 113 ++++++ .../security/advisories/FreeBSD-SA-26:10.tty.asc | 165 +++++++++ .../security/advisories/FreeBSD-SA-26:11.amd64.asc | 163 +++++++++ .../static/security/patches/EN-26:05/vm-13.patch | 37 ++ .../security/patches/EN-26:05/vm-13.patch.asc | 16 + .../static/security/patches/EN-26:05/vm-14.patch | 37 ++ .../security/patches/EN-26:05/vm-14.patch.asc | 16 + .../static/security/patches/EN-26:05/vm-15.patch | 37 ++ .../security/patches/EN-26:05/vm-15.patch.asc | 16 + .../static/security/patches/EN-26:06/timerfd.patch | 39 ++ .../security/patches/EN-26:06/timerfd.patch.asc | 16 + .../static/security/patches/EN-26:07/pkgbase.patch | 22 ++ .../security/patches/EN-26:07/pkgbase.patch.asc | 16 + .../static/security/patches/SA-26:10/tty-13.patch | 108 ++++++ .../security/patches/SA-26:10/tty-13.patch.asc | 16 + .../security/patches/SA-26:10/tty-14.3.patch | 108 ++++++ .../security/patches/SA-26:10/tty-14.3.patch.asc | 16 + .../security/patches/SA-26:10/tty-14.4.patch | 108 ++++++ .../security/patches/SA-26:10/tty-14.4.patch.asc | 16 + .../static/security/patches/SA-26:10/tty-15.patch | 108 ++++++ .../security/patches/SA-26:10/tty-15.patch.asc | 16 + .../security/patches/SA-26:11/amd64-13.patch | 397 +++++++++++++++++++++ .../security/patches/SA-26:11/amd64-13.patch.asc | 16 + 
.../security/patches/SA-26:11/amd64-14.patch | 397 +++++++++++++++++++++ .../security/patches/SA-26:11/amd64-14.patch.asc | 16 + .../security/patches/SA-26:11/amd64-15.patch | 397 +++++++++++++++++++++ .../security/patches/SA-26:11/amd64-15.patch.asc | 16 + 31 files changed, 2746 insertions(+) diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml index 45d0ba9cb2..491abb8a37 100644 --- a/website/data/security/advisories.toml +++ b/website/data/security/advisories.toml @@ -1,6 +1,14 @@ # Sort advisories by year, month and day # $FreeBSD$ +[[advisories]] +name = "FreeBSD-SA-26:11.tty" +date = "2026-04-21" + +[[advisories]] +name = "FreeBSD-SA-26:10.tty" +date = "2026-04-21" + [[advisories]] name = "FreeBSD-SA-26:09.pf" date = "2026-03-26" diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml index 63b6c21292..f14683655b 100644 --- a/website/data/security/errata.toml +++ b/website/data/security/errata.toml @@ -1,6 +1,18 @@ # Sort errata notices by year, month and day # $FreeBSD$ +[[notices]] +name = "FreeBSD-EN-26:07.pkgbase" +date = "2026-04-21" + +[[notices]] +name = "FreeBSD-EN-26:06.timerfd" +date = "2026-04-21" + +[[notices]] +name = "FreeBSD-EN-26:05.vm" +date = "2026-04-21" + [[notices]] name = "FreeBSD-EN-26:04.arm64" date = "2026-02-10" diff --git a/website/static/security/advisories/FreeBSD-EN-26:05.vm.asc b/website/static/security/advisories/FreeBSD-EN-26:05.vm.asc new file mode 100644 index 0000000000..449b58b25b --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-26:05.vm.asc 
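Review bot: The first added `[[advisories]]` entry in advisories.toml is named `FreeBSD-SA-26:11.tty`, but the advisory file this commit adds is `FreeBSD-SA-26:11.amd64.asc` and its header reads `FreeBSD-SA-26:11.amd64`; the `.tty` suffix belongs to SA-26:10 only. The line should read `name = "FreeBSD-SA-26:11.amd64"`. If the site derives the advisory link from this name (not visible here), the index entry for CVE-2026-6386 would point at a file that does not exist, and readers would not reach the signed advisory for the pmap_pkru_update_range() fix.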
@@ -0,0 +1,158 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-26:05.vm Errata Notice + The FreeBSD Project + +Topic: The page fault handler fails to zero memory + +Category: core +Module: vm +Announced: 2026-04-21 +Affects: All supported versions of FreeBSD. +Corrected: 2026-04-13 10:57:44 UTC (stable/15, 15.0-STABLE) + 2026-04-21 15:44:24 UTC (releng/15.0, 15.0-RELEASE-p6) + 2026-04-13 02:56:40 UTC (stable/14, 14.4-STABLE) + 2026-04-21 15:45:29 UTC (releng/14.4, 14.4-RELEASE-p2) + 2026-04-21 15:45:59 UTC (releng/14.3, 14.3-RELEASE-p11) + 2026-04-13 02:58:42 UTC (stable/13, 13.5-STABLE) + 2026-04-21 15:47:06 UTC (releng/13.5, 13.5-RELEASE-p12) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The mmap(2) system call allows applications and system libraries to allocate +heap memory using the MAP_ANON flag. The system call allocates virtual memory +in the calling thread's address space and phyiscal memory is allocated on demand +as page faults occur. Memory allocated this way is allocated to be zero-filled. + +II. Problem Description + +Due to a regression introduced a previous erratum which attempted to fix a +similar problem, under some conditions, particularly heavy memory pressure with +swapping, the phyiscal pages allocated and mapped by the kernel may not be +zero-filled. + +III. Impact + +This bug has been observed to cause process crashes. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot the system. 
+ +Perform one of the following: + +1) To update your system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r now + +2) To update your system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, which were not installed using base +system packages, can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.0] +# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-15.patch +# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-15.patch.asc +# gpg --verify vm-15.patch.asc + +[FreeBSD 14.4 and 14.3] +# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-14.patch +# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-14.patch.asc +# gpg --verify vm-14.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-13.patch +# fetch https://security.FreeBSD.org/patches/EN-26:05/vm-13.patch.asc +# gpg --verify vm-13.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 58718cf36593 stable/15-n282974 +releng/15.0/ ffb21713d9fd releng/15.0-n281019 +stable/14/ 9b7c0f4f81f0 stable/14-n273947 +releng/14.4/ 1abe7ead45c3 releng/14.4-n273683 +releng/14.3/ 4d22b3925df8 releng/14.3-n271483 +stable/13/ 50f7b62f0862 stable/13-n259839 +releng/13.5/ 6c9dd7528350 releng/13.5-n259209 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=294039> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:05.vm.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnnoZoACgkQbljekB8A +Gu+Nvg/+Nac6V7x8ELgRlc0dJfzvEeQgxfcu1acAfpr8Bskew+0c8vjwB1dmBAMp +ENDYyI4+kgVFTG+i6KvFVEISTtlji6VWEul4BBgYow93Auk/S492mvOfaQapnW7V +31hjo0jBrT+ZsBW/inRgjy7QQpukqFiz2+aaXjFs8Q426gmW0SizgOFWinVcWaI1 +/xbp5mQ76VnoPMda5+8VDU4NImqcCTUNsUbsfUGLUjYlFhbVR96BODTYIyxB7lsp ++seXVbnk4SdkRwOVXotoCvi2nhnuVc4P3tmUvpmiuOjRQpvAA43VLbgrQJeZjwad +Xda8vzwScbhHZtkrQ5CqInH+4eSLbPYsz3ST1TGKCMh1GwKzQ1b2hqJ52QKHDYbM +NMl5/PhRcfpQNU2dbJqo2X16weowu4N/fSfMPSZrJE7TBdPqBSK/M1bKk/5nBmga +68PLhPPV/q8MbIaf7+19dGO1vsRiM/XpX0IF4XWwURs+ScQCJom1LXX7bQUv+2N/ +i5iPF+JS+PIUsNgwLBz/oR15nyNpZf6kl+ZAKLlZcHdlW1kFHzDW/4DGcIM1Kvx6 +hpwCYx7othSMy6tSxenOM8DLBx2fvvdtxTE+aSRwgnYjxSFquZkN6iSJZ2TP2LnY +koDdRwMajUcxXXB/+RmaoP3/yqK3v156ilntTmolipfMEocGtnE= +=JBjP +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-26:06.timerfd.asc b/website/static/security/advisories/FreeBSD-EN-26:06.timerfd.asc new file mode 100644 index 0000000000..2636dc9aa0 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-26:06.timerfd.asc 
@@ -0,0 +1,140 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-26:06.timerfd Errata Notice + The FreeBSD Project + +Topic: Periodic timerfd(2) timers may produce incorrect results + +Category: core +Module: timerfd +Announced: 2026-04-21 +Affects: FreeBSD 14.3 and later. +Corrected: 2026-04-03 15:26:14 UTC (stable/15, 15.0-STABLE) + 2026-04-21 15:44:25 UTC (releng/15.0, 15.0-RELEASE-p6) + 2026-04-03 15:27:26 UTC (stable/14, 14.4-STABLE) + 2026-04-21 15:45:30 UTC (releng/14.4, 14.4-RELEASE-p2) + 2026-04-21 15:46:00 UTC (releng/14.3, 14.3-RELEASE-p11) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The timerfd(2) family of system calls provides a file descriptor-based +interface for managing timers. + +II. Problem Description + +timerfd(2) implements periodic timers. The implementation had a bug which +caused it to fire too early in some cases. + +III. Impact + +The bug has been observed to cause excessive CPU usage in some applications, +particularly in some KDE desktop programs. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date, and reboot the system. 
+ +Perform one of the following: + +1) To update your system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r now + +2) To update your system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, which were not installed using base +system packages, can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r now + +3) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-26:06/timerfd.patch +# fetch https://security.FreeBSD.org/patches/EN-26:06/timerfd.patch.asc +# gpg --verify timerfd.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. 
Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 9b785380f307 stable/15-n282826 +releng/15.0/ b0be1af0c48b releng/15.0-n281020 +stable/14/ 3c00f603a280 stable/14-n273878 +releng/14.4/ df8d2f945028 releng/14.4-n273684 +releng/14.3/ f37c6e3a133e releng/14.3-n271484 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. References + +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=293368> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:06.timerfd.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnnoZ8ACgkQbljekB8A +Gu9aeRAA28qaGYm351M3YdLLoo6XeT5iklKRCvPPZoIJtoP5V9UPUkW6NFkpYUqp +7sB3VrZ5xPImfCK1o6qE0oT9lnXqQZnGoPyqwoUJwcmRmLY/Js2s1zzn5q7qqdw0 +L/LseIFkvRelhy3KYSO9xnxm/eNQj/A0YK8w/Hi1tM0KR2IBtUjYVMKDvWLrPENH +z+mhlDBOCX1rbSz/E87WAZxZfarBG5XaGIytoBla8IEEsgaARVKr6iYqZaX17ZIZ +u0UgedQ38pQK0QQDhBE26gxwDu+2AZYo0SxdRXnVDkXUOgGkCoiGInyPLVQtrVcb +rmojbUDGDGbwraNkrUZ6wZjKJEArVJ9eC13AROSRc9vAneG3z2i52YaOGURrOZui +7yzj2d0SyglWhlV6sG/rJUAuTV7XB53JqzNyzLFm2tK3tlxOBMOEJp/qm0QG4sL/ +chXc/VIu8VqXeb3MmHtyWrMW+0hoLKI7pBVFdISiefjLRMHVscUZp3Ph7xvZT3GT ++hpvkMz2cp2CSn/N7+qHnEpoP8tgXPEneRPj3MgE0F6pqm3nVx/tAhoUBo9HYBRc +J6zWq5wkyRzIej6OFUM6gT3xRLeNLEODpDyKkcwanh9nvITVB7QbfmmC0E3fUfYM +NSGmlRNwnS9Nsuz0uF5Fj3gxEyhBMkBMfHRqV9rPimHgThrWcLM= +=omqs +-----END PGP 
SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-EN-26:07.pkgbase.asc b/website/static/security/advisories/FreeBSD-EN-26:07.pkgbase.asc new file mode 100644 index 0000000000..f89f748f26 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-26:07.pkgbase.asc 
@@ -0,0 +1,113 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-26:07.pkgbase Errata Notice + The FreeBSD Project + +Topic: Base packages fail to build with newer versions of libucl + +Category: core +Module: packages +Announced: 2026-04-21 +Affects: FreeBSD 15.0 +Corrected: 2026-04-07 11:27:02 UTC (stable/15, 15.0-STABLE) + 2026-04-21 15:44:26 UTC (releng/15.0, 15.0-RELEASE-p6) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +The libucl library is used for parsing documents in the UCL markup format. +The base system private Lua (flua) exposes libucl to Lua applications via +the "ucl" module. + +II. Problem Description + +In libucl version 0.9.3, an API change was made in the Lua ucl module +to prohibit the use of certain syntax by default, specifically the +".include" directive. This change causes the base system package build +("make update-packages") to fail when the host system is using libucl +0.9.3 or later. + +III. Impact + +Future versions of FreeBSD, which include libucl 0.9.3 or later, will +be unable to build FreeBSD 15.0 base system packages from source. + +IV. Workaround + +No workaround is available. + +V. Solution + +Update the base system source tree to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +No action is required on the host (build) system. + +To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. 
+ +# fetch https://security.FreeBSD.org/patches/EN-26:07/pkgbase.patch +# fetch https://security.FreeBSD.org/patches/EN-26:07/pkgbase.patch.asc +# gpg --verify pkgbase.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 976b2ebf4309 stable/15-n282865 +releng/15.0/ f3bbb238daa1 releng/15.0-n281021 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:07.pkgbase.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnnoaEACgkQbljekB8A +Gu9oRhAAog+a+4hJ3OtOel1VVHOgB+JrKfKQHedMitP5RDZAy0e3tWBkm2lKXitv +akZIxFeqmJufBtZRQQSqa9Y9GSFklYHOXh+p/YvObshgkyXijHt+6DtcMtQEmryd +ZDSpVxBpmFP/taGHO7KdSOYuhoyaF5zYUzbuh62AlYHWD/48TPCyBWnEBzcPrGXz +Ew3FltDqKwtccACBZyI9VZFUMCTfCQeaOxB41zEhNGAbxu9DAmpD1t3e5kxHr8ji +imFRVwi0CsKvB9JGcU5BXKU1YtmG4hXEl9CvacNwxOFGjONB+MYZCNfdNXA9SDjn +9fRhz1TzVcFN6i4zWgu2YCV8id5YtaFQuYYjLZQczWgtoNKxBhqpEjeNGKTp1YIb +kwCdF+K+bbLPdtOl6w8E7q3Ksm7AluwbtjJaXskABgUYfXTSDlo6N/HHFd8WNRM0 ++u+XZ/DRhpgNVUDlQJU2XhfYKQyGyd3H//ZtD+ExQeMnTQYASBll3t6hhHx5wTWo +ZHpWJ1dUTZfv0vJMcNrIF0H81AgTigA6Saq4OrIYiec/4HBAIs+MeVO0oWCvF0bs +0g67n6+1Kxz29mXi2nWIbFmILZGEYq3J0y+hEJsr8gmRBgmWpFQJBOYUHXnZwYUG +q4YDpXvE9WWKATm/KB3clAd08QQej26P+Qow0ck1Gq17aPWCL6w= +=jKUS +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:10.tty.asc b/website/static/security/advisories/FreeBSD-SA-26:10.tty.asc new file mode 100644 index 0000000000..42488b11cb --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:10.tty.asc 
@@ -0,0 +1,165 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:10.tty Security Advisory + The FreeBSD Project + +Topic: Kernel use-after-free bug in the TIOCNOTTY handler + +Category: core +Module: tty +Announced: 2026-04-21 +Credits: Nicholas Carlini using Claude, Anthropic +Affects: All supported versions of FreeBSD. +Corrected: 2026-04-21 15:43:02 UTC (stable/15, 15.0-STABLE) + 2026-04-21 15:44:27 UTC (releng/15.0, 15.0-RELEASE-p6) + 2026-04-21 15:43:13 UTC (stable/14, 14.4-STABLE) + 2026-04-21 15:45:31 UTC (releng/14.4, 14.4-RELEASE-p2) + 2026-04-21 15:46:01 UTC (releng/14.3, 14.3-RELEASE-p11) + 2026-04-21 15:43:56 UTC (stable/13, 13.5-STABLE) + 2026-04-21 15:47:07 UTC (releng/13.5, 13.5-RELEASE-p12) +CVE Name: CVE-2026-5398 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +TIOCNOTTY is an ioctl(2) operation which allows a process to detach itself +from its controlling terminal. Unprivileged processes may use this ioctl. +See the tty(4) manual page for more information on its usage. + +II. Problem Description + +The implementation of TIOCNOTTY failed to clear a back-pointer from the +structure representing the controlling terminal to the calling process' +session. If the invoking process then exits, the terminal structure +may end up containing a pointer to freed memory. + +III. Impact + +A malicious process can abuse the dangling pointer to grant itself root +privileges. + +IV. Workaround + +No workaround is available. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot the system. 
+ +Perform one of the following: + +1) To update your vulnerable system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, which were not installed using base +system packages, can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.0] +# fetch https://security.FreeBSD.org/patches/SA-26:10/tty-15.patch +# fetch https://security.FreeBSD.org/patches/SA-26:10/tty-15.patch.asc +# gpg --verify tty-15.patch.asc + +[FreeBSD 14.4] +# fetch https://security.FreeBSD.org/patches/SA-26:10/tty-14.4.patch +# fetch https://security.FreeBSD.org/patches/SA-26:10/tty-14.4.patch.asc +# gpg --verify tty-14.4.patch.asc + +[FreeBSD 14.3] +# fetch https://security.FreeBSD.org/patches/SA-26:10/tty-14.3.patch +# fetch https://security.FreeBSD.org/patches/SA-26:10/tty-14.3.patch.asc +# gpg --verify tty-14.3.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/SA-26:10/tty-13.patch +# fetch https://security.FreeBSD.org/patches/SA-26:10/tty-13.patch.asc +# gpg --verify tty-13.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 0c6b1e0864b8 stable/15-n283065 +releng/15.0/ fdee312d0c97 releng/15.0-n281022 +stable/14/ f46210a7ab32 stable/14-n273997 +releng/14.4/ af294329c57f releng/14.4-n273685 +releng/14.3/ 44077c07f19f releng/14.3-n271485 +stable/13/ 5eae7f23fe0e stable/13-n259845 +releng/13.5/ 2862a33bdd1c releng/13.5-n259210 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://www.cve.org/CVERecord?id=CVE-2026-5398> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:10.tty.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnnoaMACgkQbljekB8A +Gu8qzA//fuGHRB8Y+n+EUyAGycr0PGMeG423hykkYBAvfBJJP5RYv4Ter79YAeuu +zqXqijjr+yyKcE1+km63/koxUXZmkbpR2Xt/0i2d3jAqnrUioZqwc+llCgqhh6Dr +AhyDn+xCtCWJow0Iktlk6ZHEuQLX6kwGxT/1cvmcnhZE8XQf2PNEbRk8oit+kf8c +LQZF2EBK4wPh5Lik8DvqoyX1k7B44jVhL2AMqs/2fRdTFluY/MIgvbRsRdCQRLJE +doXA2YdDljkTJpAPIg31WP6C7L0LPkeyRm4Xn3zBt4SalyiChfQ9kQYcdQS7/lt4 +LUyrQKQHVtVx2SseYFTtPoncYl2IEmaHOAZkQrfzxFybYryoq4macGbuNZh0Aygq +mpIAIIDKAyKQCcDGzluRL4ksoPyw9Kav7SJJ83P9khrKINaNg5NZc1Ptc7K/UvSk +H5XKwHBaURcXGzl1crBtqbbK5lEvO/UaxXraMwqCTM+WqF7dND2KvSbZEma/FJ8l +7Wcszs2dvgC2dQghlmRlxxYvMGzf49XO4+Y64WarMqmLTAyDV9nBrZGMUj1M2nqC +rgylEscbOn8z/Yq8vpr0sydYRVDBHtVMOaztsqFylGnzRfSjQQH3yuJ40ngvy9yo +GexBhYXFyrruuuuz9p9xplIRzVkHVjkrm9/zwe4bSBylQ+/MeGQ= +=crMa +-----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:11.amd64.asc b/website/static/security/advisories/FreeBSD-SA-26:11.amd64.asc new file mode 100644 index 0000000000..99e84cbf24 --- /dev/null +++ b/website/static/security/advisories/FreeBSD-SA-26:11.amd64.asc 
@@ -0,0 +1,163 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-26:11.amd64 Security Advisory + The FreeBSD Project + +Topic: Missing large page handling in pmap_pkru_update_range() + +Category: core +Module: amd64 +Announced: 2026-04-21 +Credits: Nicholas Carlini using Claude, Anthropic +Affects: All supported versions of FreeBSD. +Corrected: 2026-04-21 15:43:03 UTC (stable/15, 15.0-STABLE) + 2026-04-21 15:44:28 UTC (releng/15.0, 15.0-RELEASE-p6) + 2026-04-21 15:43:14 UTC (stable/14, 14.4-STABLE) + 2026-04-21 15:45:32 UTC (releng/14.4, 14.4-RELEASE-p2) + 2026-04-21 15:46:03 UTC (releng/14.3, 14.3-RELEASE-p11) + 2026-04-21 15:43:57 UTC (stable/13, 13.5-STABLE) + 2026-04-21 15:47:08 UTC (releng/13.5, 13.5-RELEASE-p12) +CVE Name: CVE-2026-6386 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:https://security.FreeBSD.org/>. + +I. Background + +Memory protection keys are an amd64 CPU feature, available in modern Intel and +AMD CPUs, which allow applications to apply access restrictions to regions of +virtual memory. On FreeBSD this functionality is provided by the pkru(3) +interface. + +II. Problem Description + +In order to apply a particular protection key to an address range, the kernel +must update the corresponding page table entries. The subroutine which handled +this failed to take into account the presence of 1GB largepage mappings created +using the shm_create_largepage(3) interface. In particular, it would always +treat a page directory page entry as pointing to another page table page. + +III. Impact + +The bug can be abused by an unprivileged user to cause pmap_pkru_update_range() +to treat userspace memory as a page table page, and thus overwrite memory to +which the application would otherwise not have access. + +IV. 
Workaround + +No workaround is available. The bug only affects amd64 systems. + +V. Solution + +Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date, +and reboot the system. + +Perform one of the following: + +1) To update your vulnerable system installed from base system packages: + +Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 +platforms, which were installed using base system packages, can be updated +via the pkg(8) utility: + +# pkg upgrade -r FreeBSD-base +# shutdown -r +10min "Rebooting for a security update" + +2) To update your vulnerable system installed from binary distribution sets: + +Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, +or the i386 platform on FreeBSD 13, which were not installed using base +system packages, can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install +# shutdown -r +10min "Rebooting for a security update" + +3) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +[FreeBSD 15.0] +# fetch https://security.FreeBSD.org/patches/SA-26:11/amd64-15.patch +# fetch https://security.FreeBSD.org/patches/SA-26:11/amd64-15.patch.asc +# gpg --verify amd64-15.patch.asc + +[FreeBSD 14.4 and 14.3] +# fetch https://security.FreeBSD.org/patches/SA-26:11/amd64-14.patch +# fetch https://security.FreeBSD.org/patches/SA-26:11/amd64-14.patch.asc +# gpg --verify amd64-14.patch.asc + +[FreeBSD 13.5] +# fetch https://security.FreeBSD.org/patches/SA-26:11/amd64-13.patch +# fetch https://security.FreeBSD.org/patches/SA-26:11/amd64-13.patch.asc +# gpg --verify amd64-13.patch.asc + +b) Apply the patch. 
Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +VI. Correction details + +This issue is corrected as of the corresponding Git commit hash in the +following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/15/ 9331e62e8b80 stable/15-n283066 +releng/15.0/ 649db49403a7 releng/15.0-n281023 +stable/14/ 4c0e5e3cc441 stable/14-n273998 +releng/14.4/ 5787df30dc3e releng/14.4-n273686 +releng/14.3/ 979e645dd25e releng/14.3-n271486 +stable/13/ b8fc56193068 stable/13-n259846 +releng/13.5/ a2f6f2d00125 releng/13.5-n259211 +- ------------------------------------------------------------------------- + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +VII. 
References + +<URL:https://www.cve.org/CVERecord?id=CVE-2026-6386> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:11.amd64.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnnoakACgkQbljekB8A +Gu8xHBAA0UShf6OLTcPprJ4YbzORKrmUeN6MPSwrvtn792T01Fi7zXj1IeBd1/N1 +25SI2GBhoMWP1wBR9G0Er8Vjv9cn4lnuWCeBIMmaofgLUi/UahT5lLhQGG7e3ypq +DdmfyWwnJ7tAkDvxHUH2t3STjzIsQaH2NSTpxcg5bdSbGSPGr7On2RBKalvLLBon +SUx8FtlOpDj+TttxidoQcYeez8vCkdgn9PCbA/9cxZlFmy+ioE/14PQU2TAYbcnK +mZ3BWOKxRDlBN9zHBwkaSdIgjs6+t0/pCYrlUu2nCaZ9o6dtn/6WtulcuCB/l9DQ +UABsdc2uhCZvafdN316lABxaPLm3+uvcOFqRZs24tkLOYk5JxBYQQdaHrZ4cP+xS +IgQf/Zl5s/ZlwfzOjzTg54KLyH7yxR5iJ/JIJ2mRJ5PZ9wavYGM6czf4l9w+sYQw +wTTQSO/zdLRHgcKUYdq+xpv2AWEkjkZSRxRQhgMZ9rS5V+1MqhnCLs9uCsG/Ns7c +Yv7t8I+r7j3gjdEFJRDVW+awHQR2ppI/odmyABaThG3bBdPxXy9pR0IvSYtZKGEW +cUjYp2intHCDna0TSa4nzrTlCZCAZijVKeVLXSrYNvrJ9nE3dB8oESP2YASjyJBM +VxpRYXmjprazBYcRgt7kf/tSfpky7Cq59H1NU+pVxaR5TAzWvaI= +=kWUu +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-26:05/vm-13.patch b/website/static/security/patches/EN-26:05/vm-13.patch new file mode 100644 index 0000000000..17aea3c29f --- /dev/null +++ b/website/static/security/patches/EN-26:05/vm-13.patch 
@@ -0,0 +1,37 @@
+--- sys/vm/vm_fault.c.orig
++++ sys/vm/vm_fault.c
+@@ -242,8 +242,6 @@
+ static void
+ fault_deallocate(struct faultstate *fs)
+ {
+-
+- fs->m_needs_zeroing = true;
+ fault_page_release(&fs->m_cow);
+ fault_page_release(&fs->m);
+ vm_object_pip_wakeup(fs->object);
+@@ -1202,7 +1200,8 @@
+ vm_waitpfault(dset, vm_pfault_oom_wait * hz);
+ return (FAULT_RESTART);
+ }
+- fs->m_needs_zeroing = (fs->m->flags & PG_ZERO) == 0;
++ if (fs->object == fs->first_object)
++ fs->m_needs_zeroing = (fs->m->flags & PG_ZERO) == 0;
+ fs->oom_started = false;
+
+ return (FAULT_CONTINUE);
+@@ -1462,7 +1461,6 @@
+ fs.fault_flags = fault_flags;
+ fs.map = map;
+ fs.lookup_still_valid = false;
+- fs.m_needs_zeroing = true;
+ fs.oom_started = false;
+ fs.nera = -1;
+ faultcount = 0;
+@@ -1470,6 +1468,7 @@
+
+ RetryFault:
+ fs.fault_type = fault_type;
++ fs.m_needs_zeroing = true;
+
+ /*
+ * Find the backing store object and offset into it to begin the
diff --git a/website/static/security/patches/EN-26:05/vm-13.patch.asc b/website/static/security/patches/EN-26:05/vm-13.patch.asc
new file mode 100644
index 0000000000..03a52af1a4
--- /dev/null
+++ b/website/static/security/patches/EN-26:05/vm-13.patch.asc
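Review bot: The guard `if (fs->object == fs->first_object)` added in the second inner hunk (`@@ -1202,7 +1200,8 @@`) has no comment, and nothing in the lines shown says why the PG_ZERO result may only clear m_needs_zeroing for a page allocated in the first object. The flag appears to decide whether a page is zero-filled before use, so a wrongly cleared value would hand out stale page contents; the invariant is worth stating next to the guard, for example `/* Pages allocated in a backing object must not clear the flag; it stays true from RetryFault. */` (wording to be checked against the src commit). The reset `fs.m_needs_zeroing = true;` now placed under `RetryFault:` could likewise say that every restart begins from the conservative value. The enclosing functions start and end outside these hunks, and the same applies to the identical change in vm-14.patch.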
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnnoZsACgkQbljekB8A +Gu8G9xAAr5GsurThSC4pSyxC7DbYuXK9YZzMlPH8vRR03O3fF/j59FYQrbzh+ZmC +YsBjOh6p1ljOZrO3VWohjr7VzLtALgifKT2HL8Rn3Etmlpf5TUnEkjksFTSRhVZZ +jOKow4pyR95n/7eC3R51sz5euxSvlqMfLYlmx32f1gZ6TEAOaTUjtCneQ1QCvLNq +6lrtvMIs1BUkG6/aAVGe+GvkpBLuuoT5nhXRHHbHICR5mtgmf26YxbttLHvSATJn +NYISF8yiesjVXy4uU7lFBmRQ7ZZmBtltsULjQ3uNiksw04+RTNRS/QNVzI7G4ha6 +gHfSKE3F4lb5vuxKGXKXwXkwXF90fO5436HgWlePjZGn+GFPA/mCwKrJVa4MawfZ +LE/iEhu60wncTT/ivjdEeg8bcvQlG951yif6z2aqwoIz0BD650ufllxpIINCZdsW +Iz8Yw8z2uzkyvPamvSQlAN7JENStza/pbdfnu3GZgwrjLJtf+RJon4F/v1JzBtSG +P/8s1PReEyaiIDOifB0NSpopTW6satPC1dThg1LW2Y+lfyy6U3rCgKXHCzPGjQsI +ZV/90eUDX+uwfM9TvRo8znt/zFqh2Q90pr/qbJUdpZsTsNxC/ZEN0AzVkrrwp46/ +v/q1wJfmNaQfYSQLc8y+FmhwvesvDLy/dxy8eq0w8CqUqqBa19s= +=csNp +-----END PGP SIGNATURE----- diff --git a/website/static/security/patches/EN-26:05/vm-14.patch b/website/static/security/patches/EN-26:05/vm-14.patch new file mode 100644 index 0000000000..2e6979c244 --- /dev/null +++ b/website/static/security/patches/EN-26:05/vm-14.patch 
@@ -0,0 +1,37 @@
+--- sys/vm/vm_fault.c.orig
++++ sys/vm/vm_fault.c
+@@ -272,8 +272,6 @@
+ static void
+ vm_fault_deallocate(struct faultstate *fs)
+ {
+-
+- fs->m_needs_zeroing = true;
+ vm_fault_page_release(&fs->m_cow);
+ vm_fault_page_release(&fs->m);
+ vm_object_pip_wakeup(fs->object);
+@@ -1321,7 +1319,8 @@
+ vm_waitpfault(dset, vm_pfault_oom_wait * hz);
+ return (FAULT_RESTART);
+ }
+- fs->m_needs_zeroing = (fs->m->flags & PG_ZERO) == 0;
++ if (fs->object == fs->first_object)
++ fs->m_needs_zeroing = (fs->m->flags & PG_ZERO) == 0;
+ fs->oom_started = false;
+
+ return (FAULT_CONTINUE);
+@@ -1653,7 +1652,6 @@
+ fs.fault_flags = fault_flags;
+ fs.map = map;
+ fs.lookup_still_valid = false;
+- fs.m_needs_zeroing = true;
+ fs.oom_started = false;
+ fs.nera = -1;
+ fs.can_read_lock = true;
+@@ -1662,6 +1660,7 @@
+
+ RetryFault:
+ fs.fault_type = fault_type;
++ fs.m_needs_zeroing = true;
+
+ /*
+ * Find the backing store object and offset into it to begin the
diff --git a/website/static/security/patches/EN-26:05/vm-14.patch.asc b/website/static/security/patches/EN-26:05/vm-14.patch.asc
new file mode 100644
index 0000000000..940e150b3d
--- /dev/null
+++ b/website/static/security/patches/EN-26:05/vm-14.patch.asc
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnnoZwACgkQbljekB8A +Gu9FrxAAxQaGukd6JDEY/DliFPK97voostmMZD8S1Yn4FamsDVC+3qrkggPSu4TP +x10jLXIYIO2LpkVDabAJNA3tHgKzuy1Z3ORjudYTcodNIaab1JUWfgAw0Lw7V4g5 +Xl6OWHBml8fpzekxE35/x4MLXeokRZz8aNZUWFZbmQ5gA+gg1QpzNMmpytk6l6FM +Sp2nUEMUOsa+VXJBSIktgVWErtQ8n0NjwlKo69qHZwLyWtuprf5iMI2LZ5DYUQns +wjr/gvZe8Du8/cwgzeDuPRuTkDAxvfh7JyDhpgm26Tp4weXMuBOqBK9jycp6jh/y +GxoFcp/DL5EjqK06N4Ht8ZheNKJOdSLkTnQe3khgVXM01TN+VtwpsN4GfLmpsrt+ +7NesWyiW3HgTMSL6ulUT5HaE2q/8IG+FKYLQDCoBRiu7gqQkEBsX/72V0byxlZ0W +K+c/ASELy53ZF7UqBkdA/+4qWFxO9qTKiZrwmNM8g0Ss1bA72WEmk+a766YV4ioM +fWpyP9+Py2Rth5B8DyzgIX7JkstFxZNhg+oN0aQ6khIzeoLiahjO+7CKaYWIqMVh +TXKRJJyAwXj6cllekELQmwG97JeKbK22jgqEvzDxA4HWASjXjpwbNtrrOJNPtpeh +QbpzHOLM++6/LmtUsQaLD+4DJyYYBeFI1daSxe6X19gHubbhgIU= +=19Gd *** 2002 LINES SKIPPED ***home | help
