Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 18 Jun 2026 15:30:23 +0200
From:      Luna Jernberg <droidbittin@gmail.com>
To:        freebsd-security@freebsd.org
Cc:        FreeBSD Security Advisories <security-advisories@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED]
Message-ID:  <CADo9pHjVihxMf7KgLhJ1pN2JXAGVYY4wGOUtJO99=%2BEJUVq8YA@mail.gmail.com>
In-Reply-To: <20260617164126.7935B1C98D@freefall.freebsd.org>

index | next in thread | previous in thread | raw e-mail

And this got mentioned in the Swedish Göteborg IT-Security podcast
yesterday: https://sakerhetspodcasten.se/posts/sakerhetspodcasten_305_ostrukturerat_v_25/#bumsrake-freebsd-ktls-kernel-s%C3%A5rbarhet

Den ons 17 juni 2026 kl 18:44 skrev FreeBSD Security Advisories
<security-advisories@freebsd.org>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-26:26.ktls                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Arbitrary file overwrite via the KTLS receive path
>
> Category:       core
> Module:         ktls
> Announced:      2026-06-09
> Credits:        Bumsrakete
> Affects:        All supported versions of FreeBSD
> Corrected:      2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE)
>                 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1)
>                 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10)
>                 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE)
>                 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6)
>                 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15)
> CVE Name:       CVE-2026-45257
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> 0. Revision History
>
> v1.0 -- Initial revision
> v1.1 -- Update workaround section
>
> I.   Background
>
> Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing
> into the kernel, allowing applications to encrypt and decrypt socket data
> without copying it to and from userspace and to serve TLS data with
> sendfile(2).  When a connection uses software KTLS on the receive path,
> the kernel decrypts each incoming TLS record in place within the socket
> buffer.
>
> II.  Problem Description
>
> The KTLS receive path decrypted each record in place, assuming that the
> mbufs holding received data were anonymous and safe to modify.  This
> assumption does not hold for data placed on a socket by sendfile(2),
> which can reference file-backed memory directly through non-anonymous
> M_EXTPG pages or EXT_SFBUF mbufs.  When the sender transmits such data
> over a loopback connection without enabling KTLS on the transmit side,
> the file-backed mbufs reach the receiver's decryption path unchanged.
> Decrypting a record in place then overwrites the backing file's page
> cache instead of a private copy of the data.
>
> III. Impact
>
> An unprivileged local user who can read a file can overwrite its
> contents with data of their choosing by sending the file over a loopback
> connection on which they have enabled KTLS receive.  The write modifies
> the page cache directly, so it bypasses file flags such as schg and is
> written back to disk.  By overwriting a setuid binary or other trusted
> file, a local user can escalate privileges, potentially gaining full
> control of the affected system.
>
> IV.  Workaround
>
> Set sysctl kern.ipc.tls.enable=0 to disable KTLS entirely.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date,
> and reboot the system.
>
> Perform one of the following:
>
> 1) To update your vulnerable system installed from base system packages:
>
> Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
> platforms, which were installed using base system packages, can be updated
> via the pkg(8) utility:
>
> # pkg upgrade -r FreeBSD-base
> # shutdown -r +10min "Rebooting for a security update"
>
> 2) To update your vulnerable system installed from binary distribution sets:
>
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
> which were not installed using base system packages can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc
> # gpg --verify ktls.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
> system.
>
> VI.  Correction details
>
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
>
> Branch/path                             Hash                     Revision
> - -------------------------------------------------------------------------
> stable/15/                              a51345704403    stable/15-n283882
> releng/15.1/                            48c1c5e3c348  releng/15.1-n283550
> releng/15.0/                            540a315cdb46  releng/15.0-n281052
> stable/14/                              333bdd7e9427    stable/14-n274311
> releng/14.4/                            d43259dd66b3  releng/14.4-n273714
> releng/14.3/                            af3398862ac0  releng/14.3-n271514
> - -------------------------------------------------------------------------
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat <commit hash>
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> VII. References
>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-45257>;
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:26.ktls.asc>;
> -----BEGIN PGP SIGNATURE-----
>
> iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoyuewbFIAAAAAABAAO
> bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvze8P/RRvp3TUprrxMgg4prj6
> Mv7sglMFvwyVPGJstM0zBV2k+seMm8S5QmJtO+m8N5NHAIyJWL6PzvMFE9klI/IC
> g8Jov8lcEcAml0G+xJFCPeeG0fYszqtE8/gxGNdatDv01AnMoFnVMUyy4y1QpSyo
> kJzymPs49LysxggffSmPgmX446hEo7pZ6iQLBuEc0XKNN/7LYmiYq6kcVLzTpkRa
> kfYwsJphWZkfdR2AVzCSxMiMb9D/NQ7WN96B3o+xYX8XoHgrsQmvZ2YrvRf9nyRs
> lgAm9QxlkTcWlwPrNoacg2sN/jZFb3k01GRJAFbcKbDP1t3lkFygD+UHNnlStO+s
> hb5fKHgQgrUpX7atsD2UQ2W+irca0ejLhflxxvgY7pRTLnnmJ20fXDhDn2sWb7zs
> cPxir+4bJk4IZvomK0raFH5eMeJ434/rfkMjfE87WOEryFHabnGsiH9xO2u6+ADT
> UhMl4iBY+wOoaHTTqfpOQpAk2/gO7UUvXtbOkEa8SYZjSQAxMAz7nqyL7Lucix9n
> 7ES4hLmic87cr7+q+8iwvASvcNjlDxqyGYRoLa2+TECsTmKqVbwEEANcufNKemb+
> aPoRFi5apShhwe1kl7/vVCDGPtCssRRYZ+ejwpQY6m4PpRKY9soNFUt2WjOGVmaB
> iQR9r08fcX9SuW2dTuTzXLEi
> =wfi1
> -----END PGP SIGNATURE-----
>


home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADo9pHjVihxMf7KgLhJ1pN2JXAGVYY4wGOUtJO99=%2BEJUVq8YA>