From nobody Wed Jun 10 03:00:30 2026
X-Original-To: dev-commits-ports-all@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZrBD0pKzz6gnMd
	for <dev-commits-ports-all@mlmmj.nyi.freebsd.org>; Wed, 10 Jun 2026 03:00:36 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R13" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gZrBD0SB2z3qNC
	for <dev-commits-ports-all@FreeBSD.org>; Wed, 10 Jun 2026 03:00:36 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1781060436;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=vI2Gw4JEEcUf6nx/NteNkonD3Snz+KflGfStUEvHHs8=;
	b=Wcsd8NX1YXbTZ+LJsV654HmgPMt9ETtVs1KG58aXuFCTaJhT3WzTqA+eAaIK1dxRmjAPDX
	2MJNXlkyoRJtDRqEy+koUy7tmfL/xeYSSbyZNvvHLOHlyyu9KZHWNCkx/KrhUH6q0F/ZHi
	xh1geQiizu/jzTZNJ7M2meM6o4UUvjWG1UhAQpvxiSGIWuPdvMapIL06VvyVVJou8iMe2B
	FuqbH3hcpKEIZzDAKAKxIl0EpeW/eoTaMug+KqP8vL2amGAMV1hbtnqKPsZwezNy+XxiaF
	HR3Ui6JzZEG3Hx/q+So3s1cdsJCNHUGceXTSKicLTmNPdnhFsRP3+SH0AcmXoQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781060436; a=rsa-sha256; cv=none;
	b=yXyxqIrelFTGJdPmyWBPQwJfygiIocxQ+RXMlzFV2WwYIUox5dtjtogUKPvdYdRNZSdG3e
	9P2NaG2aAXftM0E84eFr2axH7dwuKwptGYxOLw5JHCDUhgtvdLv05Bqrlju0Jo1qioipbV
	aet6sUBA7V9oyLqanRMAIxXW+sd5zRU15G5dttUHSEoFw5UMFF7GUFwWdJLKnbzOEI+nA1
	i73hM6tIRi3NZ403H6CpMjqiOX3ojPqH/gk1kuyUqjQ4u08G96/CxmPRyimgz7hHOzZpyA
	Alpb4Mkcx2u/jH62tsnoUkYUdNYdE+KQWNkphCK3Owbs4qPRCvgVvfpDhaEJqQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1781060436;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=vI2Gw4JEEcUf6nx/NteNkonD3Snz+KflGfStUEvHHs8=;
	b=ABYFQi/7XCxpENCvogWZQZor9qU65VdJ5soM+0bphoLS/b9j3sBiW/ySevlqMIZL+QkwKk
	gx1FBFigY6dUvluL84uUznwop3coEg7ttZLhuBVk6n3Qq5q9CjaichIDw+IDV28BvO+qmL
	HN1SwQL6MWT/6uQ2EVZlNiXlYqKhftlw9rrOdevg6ZFJBT7vFPUHCm6DUDipgIMtyssO4h
	qRdDrMWcXdzvUXwei5zG2CAt4hTNle6Lz+tRUuxXBH3NponoChl+FPxjvsyk0VozzGVjUS
	roxM2GGpBjX6bxfL6yPOhtscE1bxnnvXDxkRcS46tlLvxlcRROIcmcnLx0zp8g==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4gZrBD03HLz12Y0
	for <dev-commits-ports-all@FreeBSD.org>; Wed, 10 Jun 2026 03:00:36 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 21ae2
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Wed, 10 Jun 2026 03:00:30 +0000
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Philip Paeps <philip@FreeBSD.org>
Subject: git: f0de041ce22c - main - security/vuxml: add FreeBSD SAs issued on 2026-06-09
List-Id: Commit messages for all branches of the ports repository <dev-commits-ports-all.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
List-Help: <mailto:dev-commits-ports-all+help@freebsd.org>
List-Post: <mailto:dev-commits-ports-all@freebsd.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-ports-all@freebsd.org
Sender: owner-dev-commits-ports-all@FreeBSD.org
List-Id: <dev-commits-ports-all.FreeBSD.org>
List-Post: <mailto:dev-commits-ports-all@FreeBSD.org>
List-Help: <mailto:dev-commits-ports-all+help@FreeBSD.org>
List-Subscribe: <mailto:dev-commits-ports-all+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:dev-commits-ports-all+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: philip
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: f0de041ce22cdbacc7275590294b16c338527edd
Auto-Submitted: auto-generated
Date: Wed, 10 Jun 2026 03:00:30 +0000
Message-Id: <6a28d34e.21ae2.2dbe63f4@gitrepo.freebsd.org>

The branch main has been updated by philip:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f0de041ce22cdbacc7275590294b16c338527edd

commit f0de041ce22cdbacc7275590294b16c338527edd
Author:     Philip Paeps <philip@FreeBSD.org>
AuthorDate: 2026-06-10 02:59:06 +0000
Commit:     Philip Paeps <philip@FreeBSD.org>
CommitDate: 2026-06-10 02:59:06 +0000

    security/vuxml: add FreeBSD SAs issued on 2026-06-09
    
    FreeBSD-SA-26:25.thr affects all supported releases
    FreeBSD-SA-26:26.ktls affects all supported releases
    FreeBSD-SA-26:27.sound affects all supported releases
    FreeBSD-SA-26:28.capsicum affects all supported releases
    FreeBSD-SA-26:29.ip6_multicast affects all supported releases
    FreeBSD-SA-26:30.linux affects all supported releases
    FreeBSD-SA-26:31.arm64 affects all supported releases
    FreeBSD-SA-26:32.elf affects all supported releases
    FreeBSD-SA-26:33.unbound affects all supported releases
    FreeBSD-SA-26:34.vt affects all supported releases
    FreeBSD-SA-26:35.openssl affects all supported releases
    FreeBSD-SA-26:36.ldns affects all supported releases
---
 security/vuxml/vuln/2026.xml | 513 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 513 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index 822691c30e76..153c1343a729 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,516 @@
+  <vuln vid="fc0c7763-6477-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Insufficient response validation in the ldns stub resolver</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>When used as a stub resolver over UDP, ldns failed to verify
+	  that a received response belonged to the outstanding query.  It did
+	  not check that the response source address and port matched the
+	  query destination, that the transaction ID matched, or that the
+	  question section of the response matched that of the query.</p>
+	<h1>Impact:</h1>
+	  <p>Without these checks, an off-path attacker who cannot observe
+	  the query can forge UDP responses that ldns will accept as genuine.
+	  By injecting spoofed replies, the attacker can return arbitrary DNS
+	  data to any program that uses ldns for stub resolving, including
+	  drill(1).</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-10846</cvename>
+      <freebsdsa>SA-26:36.ldns</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="a57fe2c1-6476-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Multiple vulnerabilities in OpenSSL</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>Multiple issues have been reported as part of this advisory
+	  with different issues affecting different OpenSSL versions and
+	  therefore different FreeBSD versions.  Instead of exhaustively
+	  listing detailed writeups for each issue, please see the referenced
+	  advisory from OpenSSL.</p>
+	  <p>Issues affecting FreeBSD 15.x (OpenSSL 3.5):</p>
+	  <ul>
+	    <li>CVE-2026-7383: Possible heap buffer overflow in ASN.1 string conversion</li>
+	    <li>CVE-2026-9076: Out-of-bounds read in CMS password-based decryption</li>
+	    <li>CVE-2026-34180: Heap buffer over-read in ASN.1 content parsing</li>
+	    <li>CVE-2026-34181: PKCS#12 files with PBMAC1 accepted with short HMAC keys</li>
+	    <li>CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages</li>
+	    <li>CVE-2026-34183: Unbounded memory growth in the QUIC PATH_CHALLENGE handler</li>
+	    <li>CVE-2026-42764: NULL dereference in QUIC server initial packet handling</li>
+	    <li>CVE-2026-42766: Possible NULL dereference in password-based CMS decryption</li>
+	    <li>CVE-2026-42767: NULL dereference in CRMF EncryptedValue decryption</li>
+	    <li>CVE-2026-42768: Bleichenbacher oracle in CMS_decrypt() and PKCS7_decrypt()</li>
+	    <li>CVE-2026-42769: Trust-anchor substitution in CMP rootCaKeyUpdate handling</li>
+	    <li>CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q</li>
+	    <li>CVE-2026-45445: AES-OCB IV ignored on the EVP_Cipher() one-shot path</li>
+	    <li>CVE-2026-45446: Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes</li>
+	    <li>CVE-2026-45447: Heap use-after-free in PKCS7_verify()</li>
+	  </ul>
+	  <p>Issues affecting FreeBSD 14.x (OpenSSL 3.0):</p>
+	  <ul>
+	    <li>CVE-2026-7383: Possible heap buffer overflow in ASN.1 string conversion</li>
+	    <li>CVE-2026-9076: Out-of-bounds read in CMS password-based decryption</li>
+	    <li>CVE-2026-34180: Heap buffer over-read in ASN.1 content parsing</li>
+	    <li>CVE-2026-34182: CMS AuthEnvelopedData may accept forged messages</li>
+	    <li>CVE-2026-42766: Possible NULL dereference in password-based CMS decryption</li>
+	    <li>CVE-2026-42770: FFC-DH peer validation uses attacker-supplied q</li>
+	    <li>CVE-2026-45445: AES-OCB IV ignored on the EVP_Cipher() one-shot path</li>
+	    <li>CVE-2026-45446: Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes</li>
+	    <li>CVE-2026-45447: Heap use-after-free in PKCS7_verify()</li>
+	  </ul>
+	<h1>Impact:</h1>
+	  <p>The issues include heap buffer overflows and over-reads, NULL
+	  pointer dereferences, a use-after-free, unbounded memory allocation,
+	  and several cryptographic flaws permitting message forgery, integrity
+	  bypass, or recovery of a private key.</p>
+	  <p>Security impact ranges from a Denial of Service to a potential
+	  remote code execution.  See the OpenSSL advisory for specific
+	  details.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-7383</cvename>
+      <cvename>CVE-2026-9076</cvename>
+      <cvename>CVE-2026-34180</cvename>
+      <cvename>CVE-2026-34181</cvename>
+      <cvename>CVE-2026-34182</cvename>
+      <cvename>CVE-2026-34183</cvename>
+      <cvename>CVE-2026-42764</cvename>
+      <cvename>CVE-2026-42766</cvename>
+      <cvename>CVE-2026-42767</cvename>
+      <cvename>CVE-2026-42768</cvename>
+      <cvename>CVE-2026-42769</cvename>
+      <cvename>CVE-2026-42770</cvename>
+      <cvename>CVE-2026-45445</cvename>
+      <cvename>CVE-2026-45446</cvename>
+      <cvename>CVE-2026-45447</cvename>
+      <freebsdsa>SA-26:35.openssl</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="71036b90-6476-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Integer overflow in vt(4) CONS_HISTORY ioctl</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>The CONS_HISTORY ioctl handler did not adequately validate the
+	  requested history size.  A large value caused an integer overflow
+	  in the buffer size calculation, resulting in a heap allocation
+	  smaller than expected.  Subsequent initialization of the buffer
+	  wrote beyond the end of the allocation.</p>
+	<h1>Impact:</h1>
+	  <p>An unprivileged local user with access to a vt(4) device can
+	  trigger an out-of-bounds write in the kernel, potentially escalating
+	  privileges.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-49416</cvename>
+      <freebsdsa>SA-26:34.vt</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="b604d3e1-6474-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Multiple vulnerabilities in unbound</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>Multiple vulnerabilities have been reported in Unbound.  Instead
+	  of listing detailed writeups for each issue, please see the upstream
+	  advisories referenced below.</p>
+	  <ul>
+	    <li>CVE-2026-32792: Packet of death with DNSCrypt</li>
+	    <li>CVE-2026-33278: Possible remote code execution during DNSSEC validation</li>
+	    <li>CVE-2026-40622: "Ghost domain name" variant</li>
+	    <li>CVE-2026-41292: Parsing a long list of incoming EDNS options degrades performance</li>
+	    <li>CVE-2026-42534: Jostle logic bypass degrades resolution performance</li>
+	    <li>CVE-2026-42923: Degradation of service with unbounded NSEC3 hash calculations</li>
+	    <li>CVE-2026-42944: Heap overflow and crash with multiple nsid, cookie, padding EDNS options</li>
+	    <li>CVE-2026-42959: Crash during DNSSEC validation of malicious content</li>
+	    <li>CVE-2026-42960: Possible cache poisoning while following delegation</li>
+	    <li>CVE-2026-44390: Unbounded name compression causes degradation of service</li>
+	    <li>CVE-2026-44608: Use-after-free and crash in RPZ code</li>
+	  </ul>
+	<h1>Impact:</h1>
+	  <p>The issues range from Denial of Service (DoS) through resource
+	  exhaustion or crashes to possible remote code execution during
+	  DNSSEC validation.  See the upstream Unbound advisories for specific
+	  details.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-32792</cvename>
+      <cvename>CVE-2026-33278</cvename>
+      <cvename>CVE-2026-40622</cvename>
+      <cvename>CVE-2026-41292</cvename>
+      <cvename>CVE-2026-42534</cvename>
+      <cvename>CVE-2026-42923</cvename>
+      <cvename>CVE-2026-42944</cvename>
+      <cvename>CVE-2026-42959</cvename>
+      <cvename>CVE-2026-42960</cvename>
+      <cvename>CVE-2026-44390</cvename>
+      <cvename>CVE-2026-44608</cvename>
+      <freebsdsa>SA-26:33.unbound</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="7e61007e-6474-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD-kernel -- ASLR bypass for setuid executables via procctl(2)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>The ELF image activator cleared per-process ASLR preference
+	  flags for setuid binaries after the code that computes the PIE base
+	  address, rather than before.  As a result, a user-requested ASLR
+	  disable was still in effect at the point where the base address was
+	  chosen.</p>
+	<h1>Impact:</h1>
+	  <p>An unprivileged local user can disable ASLR for a setuid PIE
+	  binary by calling procctl(2) before execve(2).  This makes exploitation
+	  of any separate memory corruption vulnerability in that binary
+	  significantly easier.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-49414</cvename>
+      <freebsdsa>SA-26:32.elf</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="438b0278-6474-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Arm CPU errata may bypass page table permission changes</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>Some Arm CPUs have errata where the ordering of stores and the
+	  TLBI+DSB sequence may be incorrect.  If one CPU stores to a virtual
+	  address while another CPU invalidates the translation for that
+	  address, the second CPU's TLBI+DSB may complete before the first
+	  CPU's store has been globally observed.</p>
+	<h1>Impact:</h1>
+	  <p>This erratum may allow software to write to a previously writable
+	  location after the page table is modified to forbid writes to that
+	  location.  Consequently this may allow software to write to memory
+	  owned by a higher exception level, possibly allowing software to
+	  escalate privilege to that higher exception level.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2025-10263</cvename>
+      <freebsdsa>SA-26:31.arm64</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="fa5289e4-6473-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Flaw in Linuxulator execution of setugid binaries</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>The Linuxulator determined whether a binary was set-user-ID or
+	  set-group-ID by checking the P_SUGID process flag.  During execve(2),
+	  this flag is not yet set at the point where the auxiliary vector
+	  is constructed, so AT_SECURE was incorrectly set to zero for
+	  set-user-ID and set-group-ID executables.</p>
+	<h1>Impact:</h1>
+	  <p>An unprivileged local user can inject a shared library via
+	  LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining
+	  the privileges of that binary.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-49413</cvename>
+      <freebsdsa>SA-26:30.linux</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="c5b7ac13-6473-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Use-after-free bug in the IPV6_MSFILTER socket option handler</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>The kernel handler for IPV6_MSFILTER dropped a serializing lock
+	  in order to copy the source-filter list from userspace, then
+	  reacquired the lock.  During this window another thread could free
+	  the multicast filter structure, leaving the handler with a stale
+	  pointer to freed memory.</p>
+	<h1>Impact:</h1>
+	  <p>An unprivileged local user can exploit this use-after-free to
+	  escalate privileges.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-49412</cvename>
+      <freebsdsa>SA-26:28.ip6_multicast</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="94f20492-6473-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- sigqueue(2) missing capability mode restriction</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>sigqueue(2) was marked as permitted in capability mode with the
+	  introduction of Capsicum in 2011, but the implementation of
+	  kern_sigqueue did not include a capability mode check restricting
+	  signal delivery to the calling process's own PID.</p>
+	<h1>Impact:</h1>
+	  <p>A process in capability mode can use sigqueue(2) to send signals
+	  to any process it could signal following standard Unix permissions,
+	  bypassing the Capsicum sandbox restriction.  A compromised sandboxed
+	  process could interfere with other processes, for example by sending
+	  SIGKILL or SIGSTOP.  This could be any process running as the same
+	  user, or any process, for a superuser sandboxed process.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-45259</cvename>
+      <freebsdsa>SA-26:28.capsicum</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="253188dd-6473-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Multiple vulnerabilities in the sound(4) mmap path</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>The sound(4) driver contained two memory-safety errors in its
+	  mmap(2) support.</p>
+	  <p>First, dsp_mmap_single() validated the requested mapping by checking
+	  the sum of the user-supplied offset and length against the buffer
+	  size.  This addition could overflow, so that a large offset and
+	  length wrapped around and passed the check.  The offset was then
+	  narrowed from 64 to 32 bits when converted to a buffer address,
+	  yielding a mapping that extended past the audio buffer into unrelated
+	  kernel memory.  (CVE-2026-45258)</p>
+	  <p>Second, the audio buffer backing a mapping could be freed when the
+	  device was closed even though the mapping remained valid.  The freed
+	  memory could then be reused elsewhere while still accessible through
+	  the stale mapping.  (CVE-2026-49417)</p>
+	<h1>Impact:</h1>
+	  <p>The /dev/dsp device nodes are world-accessible by default.  On
+	  a system with an audio device, either issue allows an unprivileged
+	  local user to read and write kernel memory, which can be used to
+	  escalate privileges, potentially gaining full control of the affected
+	  system.  At a minimum, an attacker can crash the kernel, resulting
+	  in a Denial of Service (DoS).</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-45258</cvename>
+      <cvename>CVE-2026-49417</cvename>
+      <freebsdsa>SA-26:27.sound</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="f2c4892a-6472-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Arbitrary file overwrite via the KTLS receive path</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>The KTLS receive path decrypted each record in place, assuming
+	  that the mbufs holding received data were anonymous and safe to
+	  modify.  This assumption does not hold for data placed on a socket
+	  by sendfile(2), which can reference file-backed memory directly
+	  through non-anonymous M_EXTPG pages or EXT_SFBUF mbufs.  When the
+	  sender transmits such data over a loopback connection without
+	  enabling KTLS on the transmit side, the file-backed mbufs reach the
+	  receiver's decryption path unchanged.  Decrypting a record in place
+	  then overwrites the backing file's page cache instead of a private
+	  copy of the data.</p>
+	<h1>Impact:</h1>
+	  <p>An unprivileged local user who can read a file can overwrite
+	  its contents with data of their choosing by sending the file over
+	  a loopback connection on which they have enabled KTLS receive.  The
+	  write modifies the page cache directly, so it bypasses file flags
+	  such as schg and is written back to disk.  By overwriting a setuid
+	  binary or other trusted file, a local user can escalate privileges,
+	  potentially gaining full control of the affected system.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-45257</cvename>
+      <freebsdsa>SA-26:26.ktls</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="91163897-6472-11f1-958d-bc241121aa0a">
+    <topic>FreeBSD -- Missing permission check in thr_kill2(2)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>15.0</ge><lt>15.0_10</lt></range>
+	<range><ge>14.4</ge><lt>14.4_6</lt></range>
+	<range><ge>14.3</ge><lt>14.3_15</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<h1>Problem Description:</h1>
+	  <p>When used to deliver a signal to a specific thread, thr_kill2(2)
+	  called p_cansignal() to determine whether the operation was permitted
+	  but did not check the result before delivering the signal.  The
+	  signal was sent even when the permission check failed.  The system
+	  call returned the resulting error to the caller, but by then the
+	  signal had already been delivered.</p>
+	<h1>Impact:</h1>
+	  <p>The missing check allows an unprivileged local user who knows
+	  or can guess a target's process and thread IDs to send any signal
+	  to a process they would not normally be permitted to signal, including
+	  processes owned by other users or by root.  The same check enforces
+	  jail boundaries, so a jailed process can signal processes on the
+	  host or in other jails.  Thread IDs are allocated globally and
+	  sequentially, and so can be discovered by brute force with no
+	  visibility into the target.</p>
+	  <p>An attacker can stop or terminate arbitrary processes, including
+	  critical system daemons, resulting in a Denial of Service (DoS).</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2026-45256</cvename>
+      <freebsdsa>SA-26:25.thr</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2026-06-09</discovery>
+      <entry>2026-06-10</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="45accfb8-56e4-41b7-8463-572ce643fde0">
     <topic>Elixir -- Denial of service via unbounded integer parsing in Version</topic>
     <affects>