From nobody Fri Jun 12 08:34:57 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gcCWj2jW7z6hLD4 for ; Fri, 12 Jun 2026 08:35:29 +0000 (UTC) (envelope-from j@uriah.heep.sax.de) Received: from uriah.heep.sax.de (uriah.heep.sax.de [213.240.137.9]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4gcCWg54Psz3qmt for ; Fri, 12 Jun 2026 08:35:27 +0000 (UTC) (envelope-from j@uriah.heep.sax.de) Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=fail reason="SPF not aligned (relaxed), No valid DKIM" header.from=freebsd.org (policy=none); spf=pass (mx1.freebsd.org: domain of j@uriah.heep.sax.de designates 213.240.137.9 as permitted sender) smtp.mailfrom=j@uriah.heep.sax.de Received: by uriah.heep.sax.de (Postfix, from userid 107) id EAFBC80E7; Fri, 12 Jun 2026 10:34:57 +0200 (CEST) Date: Fri, 12 Jun 2026 10:34:57 +0200 From: Joerg Wunsch To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls Message-ID: References: <20260609231311.7E26A1FD21@freefall.freebsd.org> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20260609231311.7E26A1FD21@freefall.freebsd.org> X-GPG-Fingerprint-1: 5E84 F980 C3CA FD4B B584 1070 F48C A81B 69A8 5873 X-GPG-Fingerprint-2: 5662 8323 218C 669F F578 705C 7E9E ADC3 030D 34EB X-Spamd-Result: default: False [-1.13 / 15.00]; NEURAL_HAM_MEDIUM(-0.99)[-0.995]; NEURAL_HAM_SHORT(-0.97)[-0.968]; NEURAL_SPAM_LONG(0.53)[0.534]; FORGED_SENDER(0.30)[joerg@freebsd.org,j@uriah.heep.sax.de]; R_SPF_ALLOW(-0.20)[+a]; ONCE_RECEIVED(0.20)[]; MIME_GOOD(-0.10)[text/plain]; DMARC_POLICY_SOFTFAIL(0.10)[freebsd.org : SPF not aligned (relaxed), No valid DKIM,none]; RCVD_COUNT_ONE(0.00)[1]; MIME_TRACE(0.00)[0:+]; MISSING_XM_UA(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; FREEFALL_USER(0.00)[j]; ASN(0.00)[asn:8820, ipnet:213.240.128.0/18, country:DE]; TO_DOM_EQ_FROM_DOM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; FROM_NEQ_ENVFROM(0.00)[joerg@freebsd.org,j@uriah.heep.sax.de]; FROM_HAS_DN(0.00)[]; R_DKIM_NA(0.00)[]; TO_DN_NONE(0.00)[]; RCVD_TLS_LAST(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; ARC_NA(0.00)[] X-Spamd-Bar: - X-Rspamd-Queue-Id: 4gcCWg54Psz3qmt According to their (evil, IMHO) web page, kern.ipc.mb_use_ext_pgs=0 is a viable workaround. As FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-26:26.ktls Security Advisory > The FreeBSD Project > > Topic: Arbitrary file overwrite via the KTLS receive path > > Category: core > Module: ktls > Announced: 2026-06-09 > Credits: Bumsrakete > Affects: All supported versions of FreeBSD > Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE) > 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1) > 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10) > 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE) > 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6) > 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15) > CVE Name: CVE-2026-45257 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > I. Background > > Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing > into the kernel, allowing applications to encrypt and decrypt socket data > without copying it to and from userspace and to serve TLS data with > sendfile(2). When a connection uses software KTLS on the receive path, > the kernel decrypts each incoming TLS record in place within the socket > buffer. > > II. Problem Description > > The KTLS receive path decrypted each record in place, assuming that the > mbufs holding received data were anonymous and safe to modify. This > assumption does not hold for data placed on a socket by sendfile(2), > which can reference file-backed memory directly through non-anonymous > M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data > over a loopback connection without enabling KTLS on the transmit side, > the file-backed mbufs reach the receiver's decryption path unchanged. > Decrypting a record in place then overwrites the backing file's page > cache instead of a private copy of the data. > > III. Impact > > An unprivileged local user who can read a file can overwrite its > contents with data of their choosing by sending the file over a loopback > connection on which they have enabled KTLS receive. The write modifies > the page cache directly, so it bypasses file flags such as schg and is > written back to disk. By overwriting a setuid binary or other trusted > file, a local user can escalate privileges, potentially gaining full > control of the affected system. > > IV. Workaround > > No workaround is available. > > V. Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date, > and reboot the system. > > Perform one of the following: > > 1) To update your vulnerable system installed from base system packages: > > Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 > platforms, which were installed using base system packages, can be updated > via the pkg(8) utility: > > # pkg upgrade -r FreeBSD-base > # shutdown -r +10min "Rebooting for a security update" > > 2) To update your vulnerable system installed from binary distribution sets: > > Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms > which were not installed using base system packages can be updated via the > freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for a security update" > > 3) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc > # gpg --verify ktls.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > and reboot the > system. > > VI. Correction details > > This issue is corrected as of the corresponding Git commit hash in the > following stable and release branches: > > Branch/path Hash Revision > - ------------------------------------------------------------------------- > stable/15/ a51345704403 stable/15-n283882 > releng/15.1/ 48c1c5e3c348 releng/15.1-n283550 > releng/15.0/ 540a315cdb46 releng/15.0-n281052 > stable/14/ 333bdd7e9427 stable/14-n274311 > releng/14.4/ d43259dd66b3 releng/14.4-n273714 > releng/14.3/ af3398862ac0 releng/14.3-n271514 > - ------------------------------------------------------------------------- > > Run the following command to see which files were modified by a > particular commit: > > # git show --stat > > Or visit the following URL, replacing NNNNNN with the hash: > > > > To determine the commit count in a working tree (for comparison against > nNNNNNN in the table above), run: > > # git rev-list --count --first-parent HEAD > > VII. References > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiUwbFIAAAAAABAAO > bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv6hQP/3x8lGHZpLeT8PjB5NMF > xCfwzKQlu5vlkOqSv+9uEGsh3FQa9gHE/68SwZYa01waeFbTSKpBvrf1X4kRKGnE > r3z8DSAPnVqSRzp4k0PNTxPLtF09FfWiMEBA+PIedL91WkG24gQ63k3fORVjkSvs > a/uY1DQnmypV2mdV/S/hWmrtVCmi5itZKsVedZFoZHZ04GKwIObMoqXgtbUxdfhJ > XvjSCqGgvpsUPVpE72nKYAbbL81w344tNOGtjoC07utitkLoHtMlYqMTfXCv0dY7 > Oo3RZ408afAl1CalUdZ64KXJWqjCZt3FWxtn4ugZkewLc3cDyO5Y2ZUDMAb71P/V > Sdq6+GRIC5wMOmd2C2Wb4C72FODhh4o4+n/E7qeIojT5jozWNFAFN0ugzNcqzuM9 > b8ekwLWK9MbtjZWF1A0OhsLqQoYuBcwX4RymVJCfpEnlPEDwaf0fv/Sx/OyU9MBx > zbT/Thqa9cB++4U6Obodcj55mXM9p23b9OpEnSD5FKlhxXPxCYW5gc2mK4k+yoKd > 5ZCzzcdzbMoNgqyHnvrBgFGMsPggXJxaidsRFtVSb9E1GWQUweyN9hR10Gr8wX5j > QL18EHe3Lcgg2Z+mi8NQ8lrqPoGpTIjZ8enEYHLrILe/p8JMjNU5fe+YqQTE0tyD > pWQqqx8AYbHJsnCDELTeqt96 > =lD4w > -----END PGP SIGNATURE----- > -- cheers, Joerg .-.-. --... ...-- -.. . DL8DTL http://www.sax.de/~joerg/ Never trust an operating system you don't have sources for. ;-)