From nobody Wed May 20 22:23:51 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gLR0755jvz6fX6J for ; Wed, 20 May 2026 22:23:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gLR0732Nvz4MNl; Wed, 20 May 2026 22:23:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315831; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=IoqJktqJhJIQrIp/woa1yvEhumXRT7b1faW4sP4dqf0=; b=vKZNLszUL/2eXfWdNh/M0SecGmY+gYvslvp+pGtqmSSzfKB5fR8OOiFa6KB7SNDeJ3upsm fXARHsFXwGS+t7wpJyVRXFDeFP7PNZaiZW+YXAJ6GPWKe3yOYPxdn+w1/pQlnX4YlcodXO qN0OCgTzq9ZDY0Mljsn2ktY5m28AoNeK3IMCZgzdLfNXMIi2CSAO9laBvZIMXZ8R2D9e9u k8NOMmpvLo/QtIU0ngzAUyCr23mXCGXsmNIN9fkZuYy1hTz5DCpHqPq8pml2Qt5+J0l2oe kBPNuzi432jVwvcIQq5c/nV41Wdopbw3bJk2swuQ3/YPUTX+PWo8RSq+EM2Cuw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1779315831; a=rsa-sha256; cv=none; b=F8WsKblvCyKiStfSJw41CIfQPrYu12fIc64o09k5CgXeMlsl6rZ/bCJ08TnfF+i6cKkLcx ie2WY4Esm5znSMMjo5Iv+EgpEA1+AsgUTwy4ufYuFnOCNkV6dsmuJ87KsM9nrj/gB8OYUl JquLcD9bwg8d5sgzPcctoBS7/VS1bZx1eAzDkYieuMt9ds99VWjdBa8EeT455GxXYwysVR DTUXHpxRguTUlQj+UH6OsczBkrlBLkaVYdF843ie+U/YjczqmzMqxhDLteXM5wUfcLBnT1 Vx75xb/XAF8n3Xa0BD4Su0rpDDpX0HMzk0RNZwNlEGxAZ95OzkpcjSUoA6ULwQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1779315831; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=IoqJktqJhJIQrIp/woa1yvEhumXRT7b1faW4sP4dqf0=; b=N1lM26eaY1kmb65aEJXEAeq1+w3cwYzzf842lngyDZ51RQnwF06maXhu1wPdsro+Gfapas lRVgmr9dfsF0LzoCrVXTdNnwN1QjhXiTr6z77oNzaRpHWx4ID1YpOuJCO2k8We/qRSxZP8 7Zey/WlEIbueUpjXOovJLA1T+d7bXSlkp6pCS6q7B1RFqDjMmASHXbE3jeO51d6AlewBWj HyOZgWBUFdEZKM7GoSLf+Uowg63qXq8wRoJLLoSShxD2RC8aoh3Lpw/ALHRNEj801WCtba p2oOAIP0f/iE3GSGSY5DXSPI7OKoRAhTt7GWN1anHXoLCtz6JjQn96QlfN+8cA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 5F9809CCB; Wed, 20 May 2026 22:23:51 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:20.fusefs Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260520222351.5F9809CCB@freefall.freebsd.org> Date: Wed, 20 May 2026 22:23:51 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:20.fusefs Security Advisory The FreeBSD Project Topic: Heap overflow in FUSE_LISTXATTR Category: core Module: fusefs Announced: 2026-05-20 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:38 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:32 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:58 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:58 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:36 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45252 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The fusefs file system delegates file system operations to a userspace daemon. This daemon ordinarily requires root privileges to operate. When the "vfs.usermount" sysctl is set to 1 (not the default), unprivileged users are permitted to run such daemons and mount fusefs file systems. II. Problem Description When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. III. Impact If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space. IV. Workaround No workaround is available, but systems that do not load the fusefs kernel module or set vfs.usermount=1 are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch.asc # gpg --verify fusefs-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch.asc # gpg --verify fusefs-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch.asc # gpg --verify fusefs-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ df3f3fa82775 stable/15-n283642 releng/15.0/ 0dd8b983db3c releng/15.0-n281042 stable/14/ 25148c51c8c6 stable/14-n274165 releng/14.4/ 6a299460f159 releng/14.4-n273705 releng/14.3/ 53f3bf4ee1ce releng/14.3-n271505 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHIbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvobkP/R3O3bwsnJkhG1NQ6pKh UFcwpZ8TSAqtccHZRQz2zoKTqu/EeClT7Bdgw/Qa8gbZ7IfZgS8AJaR7e4fgpE96 AhHU6cbyZrpwvWUatIKgX57032+M1ioMiz9g0KbGg4W4WKe/QHj4yt45F7qRfLNb BD7Qp7E0XtV+UrNXkhOQQmHyVTpB85tK/e5Yc+vcSgAQ3LWrzwO4zED4f78e3faw oiLm1oE/Vx0jfrRKsnCECdJS532xlfH6iJ2/2ZXfUthGQmZQe34wOMwYS0EcaGZV TQoLwsg5qLj4hJOGMCZk4X4TjrkoQquWdsAQetB8tqXIyw7QEgbMIIbhS3mQZ5CW aEq3wbYMowxCMb/6Dd/R56wDqyGI2Z6GHmUT58M0OSIIISfsD+UHOCW2lrQQ5zrI o1O/IFAvqsmCN6JQzFgC3KC8BLLZWzxf5Bun6yOls/YA31zOXAen0isnbOvVnGot 42Dy65fENCUQMt+p3eDDLQzxDhlqGAGbiqysBmxwTA5Wqc4furv7O0wmBPwOOGeH NqlKYsqO9u4kEW2lTCPs7R5+wsc+EACc07kikDQgp1m59JlkMfmXU4Kbcgw9r4GR 9OWtidfTCDGmt9mXzJVKaBurgJ1iqsBfzzLamWo0iDpUMgUP7VA9jVjVbUmtjH1V qAWdXCXwrbOr+eA50IIPxkal =HzW3 -----END PGP SIGNATURE-----