Date:      Wed, 20 May 2026 21:36:16 +0000
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject:   git: d3922bf62f - main - Add EN-26:13 and SA-26:18 through SA-26:24.
Message-ID:  <6a0e2950.447f9.1a3463a8@gitrepo.freebsd.org>

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=d3922bf62f621a59b5f1e6ddaba23eb877aaade7

commit d3922bf62f621a59b5f1e6ddaba23eb877aaade7
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2026-05-20 21:35:50 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2026-05-20 21:35:50 +0000

    Add EN-26:13 and SA-26:18 through SA-26:24.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |  28 ++
 website/data/security/errata.toml                  |   4 +
 .../advisories/FreeBSD-EN-26:13.freebsd-update.asc | 166 +++++++
 .../advisories/FreeBSD-SA-26:18.setcred.asc        | 170 +++++++
 .../security/advisories/FreeBSD-SA-26:19.file.asc  | 173 +++++++
 .../advisories/FreeBSD-SA-26:20.fusefs.asc         | 164 +++++++
 .../advisories/FreeBSD-SA-26:21.ptrace.asc         | 163 +++++++
 .../advisories/FreeBSD-SA-26:22.libcasper.asc      | 155 ++++++
 .../advisories/FreeBSD-SA-26:23.bsdinstall.asc     | 155 ++++++
 .../advisories/FreeBSD-SA-26:24.cap_net.asc        | 160 ++++++
 .../security/patches/EN-26:13/freebsd-update.patch |  11 +
 .../patches/EN-26:13/freebsd-update.patch.asc      |  17 +
 .../security/patches/SA-26:18/setcred-14.patch     |  15 +
 .../security/patches/SA-26:18/setcred-14.patch.asc |  17 +
 .../security/patches/SA-26:18/setcred-15.patch     |  15 +
 .../security/patches/SA-26:18/setcred-15.patch.asc |  17 +
 .../static/security/patches/SA-26:19/file-14.patch | 203 ++++++++
 .../security/patches/SA-26:19/file-14.patch.asc    |  17 +
 .../static/security/patches/SA-26:19/file-15.patch | 467 ++++++++++++++++++
 .../security/patches/SA-26:19/file-15.patch.asc    |  17 +
 .../security/patches/SA-26:20/fusefs-14.3.patch    | 146 ++++++
 .../patches/SA-26:20/fusefs-14.3.patch.asc         |  17 +
 .../security/patches/SA-26:20/fusefs-14.4.patch    | 146 ++++++
 .../patches/SA-26:20/fusefs-14.4.patch.asc         |  17 +
 .../security/patches/SA-26:20/fusefs-15.patch      | 147 ++++++
 .../security/patches/SA-26:20/fusefs-15.patch.asc  |  17 +
 .../security/patches/SA-26:21/ptrace-14.3.patch    | 164 +++++++
 .../patches/SA-26:21/ptrace-14.3.patch.asc         |  17 +
 .../security/patches/SA-26:21/ptrace-14.4.patch    | 154 ++++++
 .../patches/SA-26:21/ptrace-14.4.patch.asc         |  17 +
 .../security/patches/SA-26:21/ptrace-15.patch      | 154 ++++++
 .../security/patches/SA-26:21/ptrace-15.patch.asc  |  17 +
 .../security/patches/SA-26:22/libcasper-14.patch   | 539 +++++++++++++++++++++
 .../patches/SA-26:22/libcasper-14.patch.asc        |  17 +
 .../security/patches/SA-26:22/libcasper-15.patch   | 538 ++++++++++++++++++++
 .../patches/SA-26:22/libcasper-15.patch.asc        |  17 +
 .../security/patches/SA-26:23/bsdinstall-14.patch  | 102 ++++
 .../patches/SA-26:23/bsdinstall-14.patch.asc       |  17 +
 .../security/patches/SA-26:23/bsdinstall-15.patch  | 102 ++++
 .../patches/SA-26:23/bsdinstall-15.patch.asc       |  17 +
 .../static/security/patches/SA-26:24/cap_net.patch |  60 +++
 .../security/patches/SA-26:24/cap_net.patch.asc    |  17 +
 42 files changed, 4573 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 3c30ea9bd5..1a44fe400f 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,34 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-26:24.cap_net"
+date = "2026-05-20"
+
+[[advisories]]
+name = "FreeBSD-SA-26:23.bsdinstall"
+date = "2026-05-20"
+
+[[advisories]]
+name = "FreeBSD-SA-26:22.libcasper"
+date = "2026-05-20"
+
+[[advisories]]
+name = "FreeBSD-SA-26:21.ptrace"
+date = "2026-05-20"
+
+[[advisories]]
+name = "FreeBSD-SA-26:20.fusefs"
+date = "2026-05-20"
+
+[[advisories]]
+name = "FreeBSD-SA-26:19.file"
+date = "2026-05-20"
+
+[[advisories]]
+name = "FreeBSD-SA-26:18.setcred"
+date = "2026-05-20"
+
 [[advisories]]
 name = "FreeBSD-SA-26:17.libnv"
 date = "2026-04-29"
diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 494f54d35d..6cb37b7b15 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,6 +1,10 @@
 # Sort errata notices by year, month and day
 # $FreeBSD$
 
+[[notices]]
+name = "FreeBSD-EN-26:13.freebsd-update"
+date = "2026-05-20"
+
 [[notices]]
 name = "FreeBSD-EN-26:12.freebsd-update"
 date = "2026-05-01"
diff --git a/website/static/security/advisories/FreeBSD-EN-26:13.freebsd-update.asc b/website/static/security/advisories/FreeBSD-EN-26:13.freebsd-update.asc
new file mode 100644
index 0000000000..6369b75b23
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-26:13.freebsd-update.asc
@@ -0,0 +1,166 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-26:13.freebsd-update                                 Errata Notice
+                                                          The FreeBSD Project
+
+Topic:          freebsd-update attempts to merge a generated file
+
+Category:       core
+Module:         freebsd-update
+Announced:      2026-05-20
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-05-19 13:59:37 UTC (stable/15, 15.0-STABLE)
+                2026-05-20 19:39:27 UTC (releng/15.0, 15.0-RELEASE-p9)
+                2026-05-19 13:59:57 UTC (stable/14, 14.4-STABLE)
+                2026-05-20 19:39:53 UTC (releng/14.4, 14.4-RELEASE-p5)
+                2026-05-20 19:40:31 UTC (releng/14.3, 14.3-RELEASE-p14)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+<URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The freebsd-update utility is used both to apply binary updates for security
+advisories and errata notices, and to upgrade from one FreeBSD release to
+another.
+
+In the latter scenario, when it detects local changes to a configuration file
+which is affected by the upgrade, freebsd-update will perform a three-way
+merge and prompt the user to manually resolve any conflicts between local and
+incoming changes.
+
+The certctl utility has been used since FreeBSD 12.0 to manage a hashed
+directory of root certificates for use when validating TLS server
+certificates.  Since FreeBSD 15.0, certctl also maintains a bundle for the
+benefit of applications which either do not support the hashed directory
+format or need to preload the trust store prior to entering capability mode,
+a chroot, or similar.
+
+II.  Problem Description
+
+When upgrading from FreeBSD 15.0 to FreeBSD 15.1, freebsd-update incorrectly
+treats the certificate bundle /etc/ssl/cert.pem as a configuration file.  In
+most cases, the three-way merge results in conflicts which the user is then
+asked to resolve.  The bundle is not human-readable, and merging it serves no
+purpose since freebsd-update regenerates the entire certificate store at the
+end of the upgrade.
+
+When upgrading from an older FreeBSD release to FreeBSD 15.0 or 15.1, if
+/etc/ssl/cert.pem is present (e.g. as provided by the ETCSYMLINK option of
+the security/ca_root_nss port, or manually created by an administrator),
+freebsd-update will emit a non-fatal error message and pause until the user
+acknowledges the message.
+
+III. Impact
+
+Users upgrading from 15.0 to 15.1 may be presented with one or more merge
+conflicts in thousands of lines of Base64-encoded ASN.1 data.
+
+Users upgrading from older releases to 15.0 or 15.1 may encounter a non-fatal
+error message with no clear resolution, reducing user confidence in the
+upgrade process.
+
+IV.  Workaround
+
+If prompted to resolve conflicts, exit the editor and force freebsd-update
+to accept the unmerged file by typing "ACCEPT" (all upper-case, without the
+quotes).  The bundle will be regenerated at the end of the upgrade process
+and the system will be fully functional.
+
+V.   Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security
+branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+
+2) To update your system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+
+3) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-26:13/freebsd-update.patch
+# fetch https://security.FreeBSD.org/patches/EN-26:13/freebsd-update.patch.asc
+# gpg --verify freebsd-update.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile the operating system using buildworld and installworld as
+described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              b97f143b6ca9    stable/15-n283610
+releng/15.0/                            2709755d39f5  releng/15.0-n281037
+stable/14/                              7d9c1d3895b3    stable/14-n274144
+releng/14.4/                            081a9e933033  releng/14.4-n273701
+releng/14.3/                            a1b3818746e3  releng/14.3-n271501
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:13.freebsd-update.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGEbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvgJQP/RY20Qr2cM3gsEsVSt5+
+xXS/yCXu+IZq/ALOzw4RvqzdqvVzlA3U2VgSXpucnkrV0rABc7yxLbmvTVj6GOG7
+yvKXSmV58akQoUbnOtwHZF4x+4A9+Y3BzGIWUrzh014ll4MyhGw/4ekFiu36J0Mg
+QBDPkAy+3jrCTE3i2aAF1w1gLYdyIfDwGYQHqpPCsMmGhHuleogGqmhc5pH2J30g
+fPRLe8a4njizX5aT15TZvo6U5sQC6tll4DBUqTWh6k49XxSELKQwYgXhqhespI++
+yZ327VPwkVgaYI0C96LCV5SVB811BvFAKXKzjItKOWpJyg6HpB8hiSEubqlWW7zX
+vltqLyf8qe15wZPvrs1kgX2kH9ZJXYwJ9W5z5kY8sk/DCYos+bxtEQ47CU5u6/nF
+h01i3mAwOdh0/br7Y7hRS4eekNg9XUpu9dakJdhpJjbRylS6I6wK/C/f89L+qmgP
+4jq20TCFHQ2riVHxhOG3nSGkP+5CsIUnjg94x/EKK9xA9DZb0D5/Vy+hQYhJ5qza
+q5TKkv72vb32LKFKvzXXJbCrRlJr6bmCOMXYRGZwDzKzfd5jrVwzlIfooiaQ28bj
+g2egNBCe69H0SboydGi6J4yciBn3TeBHilfPuDLxs2eRZmYFd4wVD4wnigsysL2J
+JETeDqmCxDDqbzhIYf3XL7Pt
+=zyAg
+-----END PGP SIGNATURE-----
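Review bot: Section IV covers only the first of the two cases described in Section II, the 15.0 to 15.1 merge conflict that is answered with "ACCEPT". The second case, where freebsd-update emits a non-fatal error and pauses because /etc/ssl/cert.pem is already present, gets no instruction at all, and Section III itself describes that message as having "no clear resolution". Suggest adding a sentence to Section IV saying what the user should do at that pause and whether the pre-existing file or symlink needs any attention once the upgrade has regenerated the certificate store.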
diff --git a/website/static/security/advisories/FreeBSD-SA-26:18.setcred.asc b/website/static/security/advisories/FreeBSD-SA-26:18.setcred.asc
new file mode 100644
index 0000000000..2b0e4d6640
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:18.setcred.asc
@@ -0,0 +1,170 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:18.setcred                                    Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Stack buffer overflow via setcred(2)
+
+Category:       core
+Module:         setcred
+Announced:      2026-05-20
+Credits:        Ryan of Calif.io
+Credits:        Przemyslaw Frasunek
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-01-06 13:34:30 UTC (stable/15, 15.0-STABLE)
+                2026-05-20 19:39:28 UTC (releng/15.0, 15.0-RELEASE-p9)
+                2026-05-20 19:37:54 UTC (stable/14, 14.4-STABLE)
+                2026-05-20 19:39:54 UTC (releng/14.4, 14.4-RELEASE-p5)
+                2026-05-20 19:40:32 UTC (releng/14.3, 14.3-RELEASE-p14)
+CVE Name:       CVE-2026-45250
+
+This vulnerability was independently reported by multiple parties prior to
+publication.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+System calls are the programmatic interface through which user-space
+processes request services from the operating system kernel, providing a
+controlled boundary between unprivileged application code and privileged
+kernel operations.
+
+setcred(2) is a system call which enables a privileged process to atomically
+set its full credential set, including the real, effective, and saved user
+and group identifiers, as well as the list of supplementary groups.  It is
+intended for use by programs such as login(1) and PAM(3)-aware authentication
+frameworks that must transition a process into a target user context in a
+single, race-free operation, replacing the need for multiple discrete calls
+to setuid(2), setgid(2), and setgroups(2).
+
+II.  Problem Description
+
+The setcred(2) system call is only available to privileged users.  However,
+before the privilege level of the caller is checked, the user-supplied list
+of supplementary groups is copied into a fixed-size kernel stack buffer
+without first validating its length.  If the supplied list exceeds the
+capacity of that buffer, a stack buffer overflow occurs.
+
+III. Impact
+
+Because the bounds check on the supplementary groups list occurs after the
+kernel stack buffer has already been written, an unprivileged local user may
+trigger the overflow without holding any special privilege.  Successful
+exploitation may allow an attacker to execute arbitrary code in the context
+of the kernel, allowing an unprivileged local user to gain elevated
+privileges on the affected system.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date,
+and reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.x]
+# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-15.patch.asc
+# gpg --verify setcred-15.patch.asc
+
+[FreeBSD 14.x]
+# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:18/setcred-14.patch.asc
+# gpg --verify setcred-14.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              b6cba9028457    stable/15-n281743
+releng/15.0/                            d98c0a494a42  releng/15.0-n281038
+stable/14/                              8eb0bbbd2e46    stable/14-n274162
+releng/14.4/                            34da5845b8d4  releng/14.4-n273702
+releng/14.3/                            bfff5c180193  releng/14.3-n271502
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-45250>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:18.setcred.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKGobFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvSpsP/38o7yHdNEMNMPPOBtKZ
+2dn/vmcOo1srkhUx0kl2EVBzirSDsTVkWfUq1Txg5JA7/pG3On/YiaAmUMi9jHqy
+q0tgkyO/scKGWNDYmFIA9QAXAwwSUZnT+eEwt3IawOzquezD/qr++CCimntSUzsu
+IP3oMFYaw9JvMF6Z6tTfcYYA02CF7nRrtIJtrxfWkgyDoMoikHsNW4o2LXJTz4bV
+2uk7BuQKbDc3gxoEBYd0bulXBa9DHsrfS59eEnbb8txrBjt21aQGjBY8SJSoFyYh
+yZixmadpZ9J4oTBc03hOO2Z2BN5f/QficGIU4t0wj0A8EcsrspFMDRj2xd/5zi86
+VLqiQf6WJbgVyytUe5aYbBPC6eH2TRnMWaOERbocNS6xQKcYpZYqwnVZ77n6tPb4
+wKQd+qKYM74lf0BPCBc60h7yo9e6Qd8puGolyL05qdZVB+c3m0qB000gsyNFytFs
+kQSovaXFf4r0DCEuBixE/Ic5ADwl7A4pCIxqwWwJlnrj77XCobNEQJtajkrapXsU
+MSLQ20RuRiVNesgyjP9dZCk8enuOl96TwrvdkyqvSJgb0Gw3XEeyCWT4dAE+Fh3A
+n8RhQeY6YWWk+DOiuw5Q5v2PyoBNoV8jV2AjeXzhIOQsyWGeSYQ2GeFu6PW3UyzQ
+olNjUPjprNwteRkUuGHmE3zQ
+=6aG+
+-----END PGP SIGNATURE-----
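Review bot: The Corrected field dates the stable/15 fix 2026-01-06, more than four months before the other four branches (all 2026-05-20) and before the announcement date, and nothing in the advisory text explains the gap. Suggest one sentence near the Corrected block or at the top of Section V making it explicit that stable/15 systems built from sources after 2026-01-06 already carry the fix, so operators on that branch can tell whether a rebuild and reboot is still needed. It would also help to have Sections II and III use the same wording for the ordering problem: II says the list is copied "without first validating its length", III says the bounds check "occurs after" the write, and a reader comparing the two has to infer that these describe the same defect.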
diff --git a/website/static/security/advisories/FreeBSD-SA-26:19.file.asc b/website/static/security/advisories/FreeBSD-SA-26:19.file.asc
new file mode 100644
index 0000000000..ccac947f7d
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:19.file.asc
@@ -0,0 +1,173 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:19.file                                       Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Kernel use-after-free via file descriptor syscalls
+
+Category:       core
+Module:         file
+Announced:      2026-05-20
+Credits:        75Acol, Lexpl0it, fcgboy, and robinzeng2015
+Credits:        Ryan at Calif.io
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-05-20 19:36:37 UTC (stable/15, 15.0-STABLE)
+                2026-05-20 19:39:31 UTC (releng/15.0, 15.0-RELEASE-p9)
+                2026-05-20 19:37:57 UTC (stable/14, 14.4-STABLE)
+                2026-05-20 19:39:57 UTC (releng/14.4, 14.4-RELEASE-p5)
+                2026-05-20 19:40:34 UTC (releng/14.3, 14.3-RELEASE-p14)
+CVE Name:       CVE-2026-45251
+
+This vulnerability was independently reported by multiple parties prior to
+publication.  The reporters' findings prompted a broader review by the
+FreeBSD Security Team, which identified additional occurrences of the same
+issue in related code. All known exploitable instances are corrected by this
+update.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+FreeBSD implements a number of file descriptor types.  Traditionally file
+descriptors are used to perform file or network I/O, but other variants
+exist such as process descriptors, which enable operations on a particular
+process.
+
+The select(2) and poll(2) system calls allow applications to wait for events
+related to the object to which a file descriptor refers.  These system calls
+are implemented for many different file descriptor types.  For instance, a
+process descriptor may be used with either system call to wait for the target
+process to exit.
+
+II.  Problem Description
+
+A file descriptor can be closed while a thread is blocked in a poll(2) or
+select(2) call waiting for that descriptor.  Because the blocked thread does
+not hold a reference to the underlying object, this closure may result in the
+object being freed while the thread remains blocked.  In this situation, the
+kernel must remove the blocked thread from the per-object wait queue prior to
+freeing the object.
+
+In the case of some file descriptor types, the kernel failed to unlink
+blocked threads from the object before freeing it.  When the blocked thread
+is subsequently woken, it accesses memory that has already been freed
+resulting in a use-after-free vulnerability.
+
+III. Impact
+
+The use-after-free vulnerability may be triggered by an unprivileged local
+user and can be exploited to obtain superuser privileges.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.x]
+# fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:19/file-15.patch.asc
+# gpg --verify file-15.patch.asc
+
+[FreeBSD 14.x]
+# fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:19/file-14.patch.asc
+# gpg --verify file-14.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              53a78e582a6f    stable/15-n283641
+releng/15.0/                            af79f4148450  releng/15.0-n281041
+stable/14/                              b90b25c3779e    stable/14-n274164
+releng/14.4/                            8d8694c224e2  releng/14.4-n273704
+releng/14.3/                            659818009d15  releng/14.3-n271504
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-45251>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:19.file.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKG4bFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvA78P/iRlQXxVUpth5tRn2FiC
+lseIWOmh3DVI1OjwFQ30VydwnA5rlOqPPTpF2hsT0ee3ExS6pUKITi3735BmkPvT
+KvnOKkY9A2DdzXJQ9eZvrVJRN1/VlKx8Us1VmWWRxPHghmcqqTY0wN2lFcsyqcpN
+6Wdi51z+X5sLWZZsLsvqAskWiCNqUzBSSWqCTLEW0tBD9AoW2BPQcpAeEmx4MDch
+Hk2/pecoUL2T/hu3bjo60CTp3R7E4gPt9wM5Ejf32vwsW0sTNkTmy7HbZCNmYHZw
+R764O4i4poDzccTiXxuhXdrIDXmRQwTyB9d6S12OmP8ec8dAQzm9p5xl4HoHhOho
+9zTMCiLoU+ApN1H+bXqN9JvmZ9hfxGqdPaJgZRkQ11xRHg8tz48SigON/vxlbYff
+ln9EJ+NGEcskrbUAG8cUCJ3/a8A7xLQo07TpvyddeUc6ufk+nFEBzNS3rpaFNy5y
+GqFIOzqISRSsE1tf6rrItULQEKWtOMUYvAbrcLRwPAQ1cav+sOv9YlfpW36s1+mc
+CyuXDh3pbN5biajjImGO1CYN92mq/Jfz/cRnvQub+78T+4w6yAxj53fBNg97tIOI
+b7EISAnbgGj5akQRGJXJ84iuYij9xTPEOCSbfgAqsWXKz6l/bgSoVUhq/e0/dXKA
+sr+3pjhi5P7N66SvO+7iEpYI
+=iM1b
+-----END PGP SIGNATURE-----
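Review bot: Section II says the unlink was missing "in the case of some file descriptor types" but never names them, and the preamble adds that the Security Team found "additional occurrences of the same issue in related code". With "No workaround is available" in Section IV the only action is to patch, but naming the affected descriptor types, or stating that the list is intentionally withheld, would let operators judge exposure and tell downstream consumers which code to audit. Minor: the credit here reads "Ryan at Calif.io" while SA-26:18 in the same commit has "Ryan of Calif.io", and "related code. All known" uses a single space after the period where the rest of the text uses two.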
diff --git a/website/static/security/advisories/FreeBSD-SA-26:20.fusefs.asc b/website/static/security/advisories/FreeBSD-SA-26:20.fusefs.asc
new file mode 100644
index 0000000000..d6516c54e6
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:20.fusefs.asc
@@ -0,0 +1,164 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:20.fusefs                                     Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Heap overflow in FUSE_LISTXATTR
+
+Category:       core
+Module:         fusefs
+Announced:      2026-05-20
+Credits:        Joshua Rogers of AISLE Research Team
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-05-20 19:36:38 UTC (stable/15, 15.0-STABLE)
+                2026-05-20 19:39:32 UTC (releng/15.0, 15.0-RELEASE-p9)
+                2026-05-20 19:37:58 UTC (stable/14, 14.4-STABLE)
+                2026-05-20 19:39:58 UTC (releng/14.4, 14.4-RELEASE-p5)
+                2026-05-20 19:40:36 UTC (releng/14.3, 14.3-RELEASE-p14)
+CVE Name:       CVE-2026-45252
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The fusefs file system delegates file system operations to a userspace
+daemon.  This daemon ordinarily requires root privileges to operate.  When
+the "vfs.usermount" sysctl is set to 1 (not the default), unprivileged users
+are permitted to run such daemons and mount fusefs file systems.
+
+II.  Problem Description
+
+When a fusefs file system implements extended attributes, the kernel may send
+a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended
+attributes for a given file.  The FUSE protocol requires the daemon to return
+a packed list of NUL-terminated strings.  The fusefs kernel module calls
+strlen() on this daemon-supplied buffer without first verifying that the
+entire list is NUL-terminated.
+
+III. Impact
+
+If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel
+module may read beyond the end of one heap-allocated buffer and potentially
+write beyond the end of a second buffer.  A malicious daemon could disclose
+up to 253 bytes of kernel heap memory, or it could inject up to 250
+attacker-controlled bytes into unallocated kernel heap space.
+
+IV.  Workaround
+
+No workaround is available, but systems that do not load the fusefs kernel
+module or set vfs.usermount=1 are unaffected.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.0]
+# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch.asc
+# gpg --verify fusefs-15.patch.asc
+
+[FreeBSD 14.4]
+# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch.asc
+# gpg --verify fusefs-14.4.patch.asc
+
+[FreeBSD 14.3]
+# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch.asc
+# gpg --verify fusefs-14.3.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              df3f3fa82775    stable/15-n283642
+releng/15.0/                            0dd8b983db3c  releng/15.0-n281042
+stable/14/                              25148c51c8c6    stable/14-n274165
+releng/14.4/                            6a299460f159  releng/14.4-n273705
+releng/14.3/                            53f3bf4ee1ce  releng/14.3-n271505
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-45252>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:20.fusefs.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHIbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvobkP/R3O3bwsnJkhG1NQ6pKh
+UFcwpZ8TSAqtccHZRQz2zoKTqu/EeClT7Bdgw/Qa8gbZ7IfZgS8AJaR7e4fgpE96
+AhHU6cbyZrpwvWUatIKgX57032+M1ioMiz9g0KbGg4W4WKe/QHj4yt45F7qRfLNb
+BD7Qp7E0XtV+UrNXkhOQQmHyVTpB85tK/e5Yc+vcSgAQ3LWrzwO4zED4f78e3faw
+oiLm1oE/Vx0jfrRKsnCECdJS532xlfH6iJ2/2ZXfUthGQmZQe34wOMwYS0EcaGZV
+TQoLwsg5qLj4hJOGMCZk4X4TjrkoQquWdsAQetB8tqXIyw7QEgbMIIbhS3mQZ5CW
+aEq3wbYMowxCMb/6Dd/R56wDqyGI2Z6GHmUT58M0OSIIISfsD+UHOCW2lrQQ5zrI
+o1O/IFAvqsmCN6JQzFgC3KC8BLLZWzxf5Bun6yOls/YA31zOXAen0isnbOvVnGot
+42Dy65fENCUQMt+p3eDDLQzxDhlqGAGbiqysBmxwTA5Wqc4furv7O0wmBPwOOGeH
+NqlKYsqO9u4kEW2lTCPs7R5+wsc+EACc07kikDQgp1m59JlkMfmXU4Kbcgw9r4GR
+9OWtidfTCDGmt9mXzJVKaBurgJ1iqsBfzzLamWo0iDpUMgUP7VA9jVjVbUmtjH1V
+qAWdXCXwrbOr+eA50IIPxkal
+=HzW3
+-----END PGP SIGNATURE-----
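Review bot: In step 3a of the fusefs advisory, each "gpg --verify fusefs-15.patch.asc" call names only the signature file, so gpg has to infer the patch file from the file name, and the step does not say which key the signature is expected to come from. Naming both files, as in "gpg --verify fusefs-15.patch.asc fusefs-15.patch", and pointing to where the signing key's fingerprint is published would make the check unambiguous for someone following the steps literally. Because these lines precede the PGP signature block, any wording change has to be made in the advisory source and re-signed, not edited in this file.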
diff --git a/website/static/security/advisories/FreeBSD-SA-26:21.ptrace.asc b/website/static/security/advisories/FreeBSD-SA-26:21.ptrace.asc
new file mode 100644
index 0000000000..187aabe5cb
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:21.ptrace.asc
@@ -0,0 +1,163 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:21.ptrace                                     Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Missing validation in ptrace(PT_SC_REMOTE)
+
+Category:       core
+Module:         ptrace
+Announced:      2026-05-20
+Credits:        Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
+                and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
+Credits:        Ryan at Calif.io
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-05-20 19:36:40 UTC (stable/15, 15.0-STABLE)
+                2026-05-20 19:39:34 UTC (releng/15.0, 15.0-RELEASE-p9)
+                2026-05-20 19:37:59 UTC (stable/14, 14.4-STABLE)
+                2026-05-20 19:39:59 UTC (releng/14.4, 14.4-RELEASE-p5)
+                2026-05-20 19:40:37 UTC (releng/14.3, 14.3-RELEASE-p14)
+CVE Name:       CVE-2026-45253
+
+This vulnerability was independently reported by multiple parties prior to
+publication.
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The ptrace(2) system call provides facilities for a debugger to control the
+execution of a target process and to obtain status information about it.
+Among other capabilities, it permits a debugger to execute arbitrary system
+calls in the target process via the PT_SC_REMOTE operation.
+
+II.  Problem Description
+
+ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2)
+and __syscall(2) meta-system calls.  As a result, a user with the ability to
+debug a process may trigger arbitrary code execution in the kernel, even if
+the target process has no special privileges.
+
+III. Impact
+
+The missing validation allows an unprivileged local user to escalate
+privileges, potentially gaining full control of the affected system.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date, and
+reboot the system.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
+which were not installed using base system packages can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.0]
+# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch.asc
+# gpg --verify ptrace-15.patch.asc
+
+[FreeBSD 14.4]
+# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch.asc
+# gpg --verify ptrace-14.4.patch.asc
+
+[FreeBSD 14.3]
+# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch.asc
+# gpg --verify ptrace-14.3.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              3b4afab9add2    stable/15-n283643
+releng/15.0/                            fd24dd0b38a8  releng/15.0-n281043
+stable/14/                              fac902a3e039    stable/14-n274166
+releng/14.4/                            c21d23f0f8be  releng/14.4-n273706
+releng/14.3/                            45bd421661c4  releng/14.3-n271506
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-45253>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:21.ptrace.asc>;
+-----BEGIN PGP SIGNATURE-----
+
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHcbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvLd0QAOQGyaTmlTQJTS+EIPMU
++poVU59Fe4L+/+H8LSibnCPBbycH1bv6m9e906s/za0IBLGVq7PhY0U1YtPO5++J
+A86nLzgqk4hEU5RWmA3+dnLYrIxOf3fVvSev/XAZe/1eWwcljYRCtqLV+IBmyxeZ
+amfYoXliUTuZHO+r+88HVAgDy6efZ3IlnHF9iMlpsF0IFezpgFh4E6tiJk9/pMlz
+wuXpHCm34rEjy6bvQaDP9G1zXGszrEatT25d9rKZnHscZCQuRgtpLaOVCuH8oDca
++1PFTfTNJnepH9Ir1nSaYLViZdHfuDK40CafZm54q4669AramrySoxNJlnNHOiMK
+DN4aqxMfW5xCEEK+fIJYqTyW2L3WzRJ8tm3bF/zzsMYTsNmclcklzmuMNqsGQls1
+TGIhb+J+e0vkdZOpuJaT65pmGaF2dJeBvwNsIMJgtY3yotUPbDFD1ALNVUwIkKYh
+m68XK0Ykw93ySLjbORUVFLP5nv5PvYtubAy37q5tskN6hXLlyX5a0QxIL5T5u0jx
+hwDnyl4UAHGmkBM8U0CnaQbixP/yV0p5q+3NtpBurHB74tov593/U1eroydDywRl
+Mw2R3k7AFIC5CszwMA6J0l3W2tLq/j7tcTQ/8CNgPpP/TPVntQxQShxB93F+/MdX
+n9D4phEb7cKk4Y9QIBKkdbYZ
+=egz5
+-----END PGP SIGNATURE-----
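Review bot: Section IV of the ptrace advisory says "No workaround is available", while Section II scopes the trigger to "a user with the ability to debug a process", and the text never connects the two. A sentence in IV stating whether restricting which users may debug processes reduces exposure, or explicitly that it does not, would stop administrators from guessing while they schedule the reboot. Minor style point in the header: the two consecutive "Credits:" fields could be a single field with continuation lines, matching how "Corrected:" is laid out just below.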
diff --git a/website/static/security/advisories/FreeBSD-SA-26:22.libcasper.asc b/website/static/security/advisories/FreeBSD-SA-26:22.libcasper.asc
new file mode 100644
index 0000000000..996f09c663
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:22.libcasper.asc
@@ -0,0 +1,155 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
*** 3906 LINES SKIPPED ***

