From nobody Thu Jun 18 13:30:23 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gh1nc3r4zz6hDRJ for ; Thu, 18 Jun 2026 13:30:44 +0000 (UTC) (envelope-from droidbittin@gmail.com) Received: from mail-dy1-x1334.google.com (mail-dy1-x1334.google.com [IPv6:2607:f8b0:4864:20::1334]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gh1nc0NZMz3nnw for ; Thu, 18 Jun 2026 13:30:44 +0000 (UTC) (envelope-from droidbittin@gmail.com) Authentication-Results: mx1.freebsd.org; none Received: by mail-dy1-x1334.google.com with SMTP id 5a478bee46e88-30bcf74e617so2065231eec.1 for ; Thu, 18 Jun 2026 06:30:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1781789437; cv=none; d=google.com; s=arc-20240605; b=SPZqmoNI1FZQKjGZsSLAnQ2s0nop2Si75etfx3PZcAoNOXXB4NlMh9RTiSIkw/jVwP SqECf0hv6cGTbiGjnvz2j2R0ggJf8KlfTT5OJl8w3b1zKCdQQvaWvJNvGv5S8C2gfyyq lMlAJR14vVMxbQcdHcZBGrpV4WZG6yfYQiWRq3bq/RAwLFBKK0BHt5Mt2kxRBQdD253Z rnvU5+gqhSa0vz4rnY8p6HsZapyD0O80Rsiqt0mQP0i0qUG5UzFduWBJ9js2yzoIXx7R l5Y5oUXsdg2xz7Wr0HHErW4NePuAuce4v2AwrKhE9fSllc67ZNE9skaqmkrXTAj9bHHH O42Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=l/3gkDtrNuSZqn2z359ZfpWCBPDI+NvRe0+zX0mVFjc=; fh=K4pb4EFUR7Z3sCxpWX19U1FjubsjzOpgdiwyH6S/wrc=; b=cPI2nWjb9/7Z8qkLvkcJ0FZ5rY1ux1zRhyDhQ8SN7R7tU2Ccc1mqRroY+Ln3xVnvqh yclnQT9HQ/0m4jn9DEyKH+TqsUFfE5VLfhQZMJJegeKBqkZsfIUah2wErnLxxsSgviyS 642ul3aVToRL0WLbsMHrKAHFA450AxX27NHwizYkIjl5BaR5jrcgcb9qXl+H7OJ9hgdZ 4eiHP0ExlLw5QX6GxUYrlRpBvggcIORmRATFzgUw1wSHUeTErAd423MqHcg+pMxO12Dp Atih+nTktgRTvD25vYq30cRvJwNxuHUvpH5lmlZdolcaLdiwYr0AERC2871GFHf9o7i/ r0+A==; darn=freebsd.org ARC-Authentication-Results: i=1; mx.google.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1781789437; x=1782394237; darn=freebsd.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=l/3gkDtrNuSZqn2z359ZfpWCBPDI+NvRe0+zX0mVFjc=; b=DWgtk2LUuZHPCnqQkR6MYr7aCw67RasEHuc4rqBG1WaiBiaThiyN8z2yLtMqrMUkf1 9CStFSVkJj21JUfel25i8GPrbqTj6kOntjS90rBPHb8X7yK36DJrRCOO972EYZm7L9XK cCdHxLicwN/BxjHnImGl1eh1praJ669XgoyG9K3pPYfUenSflF8948ePKPfjOA+LmbIh Gui8o6j/ROwjk88c9TfoQAT5EOasiDdjLntBCXBzhdc1ATsDjRsT54ZBciYB+yV34c9b +iILu6k8of9mKJLswJc0usifYknvgQKXV4pylPdIT7ERWBPP1KjkSVWPV7yACGZxOKWF q1+g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1781789437; x=1782394237; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=l/3gkDtrNuSZqn2z359ZfpWCBPDI+NvRe0+zX0mVFjc=; b=NpBtXfNDG6hWSEdudZGi4/ruHRdMf+s4a+fIFa5J9PSVyy8iqlXz1S4wR/Od/PwB8t aYs/gha1eiFtrhtgexhSVy9pe8a1mFbIoqiuXD9XVtp1tVhKpRFnVDEFBvrlEij2+pZr f5VxRQlliZ7e0MODvHxyrn2vbZk2e19uR1PXef5/wREa6xdagdZdq+r+7U82MRuidsvC hGvjfkKwyPcI3ucaUDXs9GJbkHYZoRcC+GAEEqpHsXSm+YyzJQTY6ckZ3GGcKlzgf4EG Olv5EJfpDAtekTyaopB5jtit1LnD35jRo3FNLo5wyO/PN3sD6UgNBp12DI8ADdtFGm0u QG6A== X-Gm-Message-State: AOJu0YwosXIk9b7+Q5/7ct1eqfVP/6QugcH/R7U7ZXbmk3SgmmVtjPJZ ob1srHTSJrFqz+8mfNJfAWoc8UuToiKdXTPVk/rHfLy+pY35kZfmsgHsLFdhBU1tWm0rZAt8Lgf KQocFJFaQO4YcQtrJ0b5cYoOfaGxaMbZoIMRLBOpV3Q== X-Gm-Gg: AfdE7ckncL1lvOROthIDjDQlrRwRGoL6tWdnIRA4r20EQ81qCa9gIwQhJLl1gVxIGCB Y4E3zLluQBJwNFNz/iOysNXpZoRBxzWR4tTbW/XhZ5ifi9oAvCESR3BtUKtAJBCHzrJTCp7AnYN cB+JwAOf7NyIDvRRLeFJ2Xv0Ab8SBP4rkBSCkYUZL8b1Z4oKIIKuHtm3ryaBD2bK7PTrBHXzpCC CJGtEUJJUcFfqjsHx8QndcE6WN/lL1Wb+Wtl+oCm5UqPb8JiB8BuDIuVx4mWURPKwvlc8/N9SYl gVuYXDyNk8jXWDu1rIrDy/8mPFRv9rRnjBXzulF1T1zTEYviFJe744r0MdeNpYEoV4KcEu3iEDa Gir2jfXo2E6jfkaNovgblu5TrDF2sKrGkFv5byNK3GWZK9TVY+hWGKjLHnTebZpHf4SBT2yKdo8 mugF0+dne+ X-Received: by 2002:a05:7301:ea7:b0:2d9:6373:ad22 with SMTP id 5a478bee46e88-30bf717370bmr2319367eec.12.1781789436891; Thu, 18 Jun 2026 06:30:36 -0700 (PDT) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 References: <20260617164126.7935B1C98D@freefall.freebsd.org> In-Reply-To: <20260617164126.7935B1C98D@freefall.freebsd.org> From: Luna Jernberg Date: Thu, 18 Jun 2026 15:30:23 +0200 X-Gm-Features: AVVi8CcnglGOCtlqr3Y2vQXdyLVCh6ubK3k09uRZgCPbKdyeDcEDwZjdnv2jvE0 Message-ID: Subject: Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] To: freebsd-security@freebsd.org Cc: FreeBSD Security Advisories Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US] X-Rspamd-Queue-Id: 4gh1nc0NZMz3nnw X-Spamd-Bar: ---- X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated And this got mentioned in the Swedish G=C3=B6teborg IT-Security podcast yesterday: https://sakerhetspodcasten.se/posts/sakerhetspodcasten_305_ostru= kturerat_v_25/#bumsrake-freebsd-ktls-kernel-s%C3%A5rbarhet Den ons 17 juni 2026 kl 18:44 skrev FreeBSD Security Advisories : > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D > FreeBSD-SA-26:26.ktls Security Advi= sory > The FreeBSD Pro= ject > > Topic: Arbitrary file overwrite via the KTLS receive path > > Category: core > Module: ktls > Announced: 2026-06-09 > Credits: Bumsrakete > Affects: All supported versions of FreeBSD > Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE) > 2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1) > 2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10) > 2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE) > 2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6) > 2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15) > CVE Name: CVE-2026-45257 > > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . > > 0. Revision History > > v1.0 -- Initial revision > v1.1 -- Update workaround section > > I. Background > > Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing > into the kernel, allowing applications to encrypt and decrypt socket data > without copying it to and from userspace and to serve TLS data with > sendfile(2). When a connection uses software KTLS on the receive path, > the kernel decrypts each incoming TLS record in place within the socket > buffer. > > II. Problem Description > > The KTLS receive path decrypted each record in place, assuming that the > mbufs holding received data were anonymous and safe to modify. This > assumption does not hold for data placed on a socket by sendfile(2), > which can reference file-backed memory directly through non-anonymous > M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data > over a loopback connection without enabling KTLS on the transmit side, > the file-backed mbufs reach the receiver's decryption path unchanged. > Decrypting a record in place then overwrites the backing file's page > cache instead of a private copy of the data. > > III. Impact > > An unprivileged local user who can read a file can overwrite its > contents with data of their choosing by sending the file over a loopback > connection on which they have enabled KTLS receive. The write modifies > the page cache directly, so it bypasses file flags such as schg and is > written back to disk. By overwriting a setuid binary or other trusted > file, a local user can escalate privileges, potentially gaining full > control of the affected system. > > IV. Workaround > > Set sysctl kern.ipc.tls.enable=3D0 to disable KTLS entirely. > > V. Solution > > Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date, > and reboot the system. > > Perform one of the following: > > 1) To update your vulnerable system installed from base system packages: > > Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 > platforms, which were installed using base system packages, can be update= d > via the pkg(8) utility: > > # pkg upgrade -r FreeBSD-base > # shutdown -r +10min "Rebooting for a security update" > > 2) To update your vulnerable system installed from binary distribution se= ts: > > Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platfo= rms > which were not installed using base system packages can be updated via th= e > freebsd-update(8) utility: > > # freebsd-update fetch > # freebsd-update install > # shutdown -r +10min "Rebooting for a security update" > > 3) To update your vulnerable system via a source code patch: > > The following patches have been verified to apply to the applicable > FreeBSD release branches. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch > # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc > # gpg --verify ktls.patch.asc > > b) Apply the patch. Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile your kernel as described in > and reboot the > system. > > VI. Correction details > > This issue is corrected as of the corresponding Git commit hash in the > following stable and release branches: > > Branch/path Hash Revision > - -----------------------------------------------------------------------= -- > stable/15/ a51345704403 stable/15-n283882 > releng/15.1/ 48c1c5e3c348 releng/15.1-n283550 > releng/15.0/ 540a315cdb46 releng/15.0-n281052 > stable/14/ 333bdd7e9427 stable/14-n274311 > releng/14.4/ d43259dd66b3 releng/14.4-n273714 > releng/14.3/ af3398862ac0 releng/14.3-n271514 > - -----------------------------------------------------------------------= -- > > Run the following command to see which files were modified by a > particular commit: > > # git show --stat > > Or visit the following URL, replacing NNNNNN with the hash: > > > > To determine the commit count in a working tree (for comparison against > nNNNNNN in the table above), run: > > # git rev-list --count --first-parent HEAD > > VII. References > > > > The latest revision of this advisory is available at > > -----BEGIN PGP SIGNATURE----- > > iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoyuewbFIAAAAAABAAO > bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvze8P/RRvp3TUprrxMgg4prj6 > Mv7sglMFvwyVPGJstM0zBV2k+seMm8S5QmJtO+m8N5NHAIyJWL6PzvMFE9klI/IC > g8Jov8lcEcAml0G+xJFCPeeG0fYszqtE8/gxGNdatDv01AnMoFnVMUyy4y1QpSyo > kJzymPs49LysxggffSmPgmX446hEo7pZ6iQLBuEc0XKNN/7LYmiYq6kcVLzTpkRa > kfYwsJphWZkfdR2AVzCSxMiMb9D/NQ7WN96B3o+xYX8XoHgrsQmvZ2YrvRf9nyRs > lgAm9QxlkTcWlwPrNoacg2sN/jZFb3k01GRJAFbcKbDP1t3lkFygD+UHNnlStO+s > hb5fKHgQgrUpX7atsD2UQ2W+irca0ejLhflxxvgY7pRTLnnmJ20fXDhDn2sWb7zs > cPxir+4bJk4IZvomK0raFH5eMeJ434/rfkMjfE87WOEryFHabnGsiH9xO2u6+ADT > UhMl4iBY+wOoaHTTqfpOQpAk2/gO7UUvXtbOkEa8SYZjSQAxMAz7nqyL7Lucix9n > 7ES4hLmic87cr7+q+8iwvASvcNjlDxqyGYRoLa2+TECsTmKqVbwEEANcufNKemb+ > aPoRFi5apShhwe1kl7/vVCDGPtCssRRYZ+ejwpQY6m4PpRKY9soNFUt2WjOGVmaB > iQR9r08fcX9SuW2dTuTzXLEi > =3Dwfi1 > -----END PGP SIGNATURE----- >