Date: Thu, 18 Jun 2026 15:30:23 +0200 From: Luna Jernberg <droidbittin@gmail.com> To: freebsd-security@freebsd.org Cc: FreeBSD Security Advisories <security-advisories@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] Message-ID: <CADo9pHjVihxMf7KgLhJ1pN2JXAGVYY4wGOUtJO99=%2BEJUVq8YA@mail.gmail.com> In-Reply-To: <20260617164126.7935B1C98D@freefall.freebsd.org>
index | next in thread | previous in thread | raw e-mail
And this got mentioned in the Swedish Göteborg IT-Security podcast yesterday: https://sakerhetspodcasten.se/posts/sakerhetspodcasten_305_ostrukturerat_v_25/#bumsrake-freebsd-ktls-kernel-s%C3%A5rbarhet Den ons 17 juni 2026 kl 18:44 skrev FreeBSD Security Advisories <security-advisories@freebsd.org>: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > ============================================================================= > FreeBSD-SA-26:26.ktls Security Advisory > The FreeBSD Project > > Topic: Arbitrary file overwrite via the KTLS receive path > > Category: core > Module: ktls > Announced: 2026-06-09 > Credits: Bumsrakete > Affects: All supported versions of FreeBSD > Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE) > 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1) > 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10) > 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE) > 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6) > 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15) > CVE Name: CVE-2026-45257 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit <URL:https://security.FreeBSD.org/>. > > 0. Revision History > > v1.0 -- Initial revision > v1.1 -- Update workaround section > > I. Background > > Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing > into the kernel, allowing applications to encrypt and decrypt socket data > without copying it to and from userspace and to serve TLS data with > sendfile(2). When a connection uses software KTLS on the receive path, > the kernel decrypts each incoming TLS record in place within the socket > buffer. > > II. Problem Description > > The KTLS receive path decrypted each record in place, assuming that the > mbufs holding received data were anonymous and safe to modify. This > assumption does not hold for data placed on a socket by sendfile(2), > which can reference file-backed memory directly through non-anonymous > M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data > over a loopback connection without enabling KTLS on the transmit side, > the file-backed mbufs reach the receiver's decryption path unchanged. > Decrypting a record in place then overwrites the backing file's page > cache instead of a private copy of the data. > > III. Impact > > An unprivileged local user who can read a file can overwrite its > contents with data of their choosing by sending the file over a loopback > connection on which they have enabled KTLS receive. The write modifies > the page cache directly, so it bypasses file flags such as schg and is > written back to disk. By overwriting a setuid binary or other trusted > file, a local user can escalate privileges, potentially gaining full > control of the affected system. > > IV. Workaround > > Set sysctl kern.ipc.tls.enable=0 to disable KTLS entirely. > > V. Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date, > and reboot the system. > > Perform one of the following: > > 1) To update your vulnerable system installed from base system packages: > > Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 > platforms, which were installed using base system packages, can be updated > via the pkg(8) utility: > > # pkg upgrade -r FreeBSD-base > # shutdown -r +10min "Rebooting for a security update" > > 2) To update your vulnerable system installed from binary distribution sets: > > Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms > which were not installed using base system packages can be updated via the > freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for a security update" > > 3) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc > # gpg --verify ktls.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the > system. > > VI. Correction details > > This issue is corrected as of the corresponding Git commit hash in the > following stable and release branches: > > Branch/path Hash Revision > - ------------------------------------------------------------------------- > stable/15/ a51345704403 stable/15-n283882 > releng/15.1/ 48c1c5e3c348 releng/15.1-n283550 > releng/15.0/ 540a315cdb46 releng/15.0-n281052 > stable/14/ 333bdd7e9427 stable/14-n274311 > releng/14.4/ d43259dd66b3 releng/14.4-n273714 > releng/14.3/ af3398862ac0 releng/14.3-n271514 > - ------------------------------------------------------------------------- > > Run the following command to see which files were modified by a > particular commit: > > # git show --stat <commit hash> > > Or visit the following URL, replacing NNNNNN with the hash: > > <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> > > To determine the commit count in a working tree (for comparison against > nNNNNNN in the table above), run: > > # git rev-list --count --first-parent HEAD > > VII. References > > <URL:https://www.cve.org/CVERecord?id=CVE-2026-45257> > > The latest revision of this advisory is available at > <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:26.ktls.asc> > -----BEGIN PGP SIGNATURE----- > > iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoyuewbFIAAAAAABAAO > bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvze8P/RRvp3TUprrxMgg4prj6 > Mv7sglMFvwyVPGJstM0zBV2k+seMm8S5QmJtO+m8N5NHAIyJWL6PzvMFE9klI/IC > g8Jov8lcEcAml0G+xJFCPeeG0fYszqtE8/gxGNdatDv01AnMoFnVMUyy4y1QpSyo > kJzymPs49LysxggffSmPgmX446hEo7pZ6iQLBuEc0XKNN/7LYmiYq6kcVLzTpkRa > kfYwsJphWZkfdR2AVzCSxMiMb9D/NQ7WN96B3o+xYX8XoHgrsQmvZ2YrvRf9nyRs > lgAm9QxlkTcWlwPrNoacg2sN/jZFb3k01GRJAFbcKbDP1t3lkFygD+UHNnlStO+s > hb5fKHgQgrUpX7atsD2UQ2W+irca0ejLhflxxvgY7pRTLnnmJ20fXDhDn2sWb7zs > cPxir+4bJk4IZvomK0raFH5eMeJ434/rfkMjfE87WOEryFHabnGsiH9xO2u6+ADT > UhMl4iBY+wOoaHTTqfpOQpAk2/gO7UUvXtbOkEa8SYZjSQAxMAz7nqyL7Lucix9n > 7ES4hLmic87cr7+q+8iwvASvcNjlDxqyGYRoLa2+TECsTmKqVbwEEANcufNKemb+ > aPoRFi5apShhwe1kl7/vVCDGPtCssRRYZ+ejwpQY6m4PpRKY9soNFUt2WjOGVmaB > iQR9r08fcX9SuW2dTuTzXLEi > =wfi1 > -----END PGP SIGNATURE----- >home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADo9pHjVihxMf7KgLhJ1pN2JXAGVYY4wGOUtJO99=%2BEJUVq8YA>
