From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-26:30.linux
Reply-To: freebsd-security@freebsd.org
Message-Id: <20260609231340.C89561FCC0@freefall.freebsd.org>
Date: Tue, 09 Jun 2026 23:13:40 +0000 (UTC)
List-Id: Project Announcements [moderated]
List-Archive: https://lists.freebsd.org/archives/freebsd-announce

=============================================================================
FreeBSD-SA-26:30.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Flaw in Linuxulator execution of setugid binaries

Category:       core
Module:         linux
Announced:      2026-06-09
Credits:        Minseong Kim of NSHC Red Alert Labs
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:33 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:11 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:48 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:50 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:11 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:40 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-49413

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD provides a Linux system call emulation layer through a loadable
kernel module, referred to as the Linuxulator.  This allows users to run
unmodified Linux binaries on FreeBSD.

When the kernel executes a set-user-ID or set-group-ID Linux binary, it
passes the AT_SECURE flag in the ELF auxiliary vector to tell the runtime
linker (typically, glibc) to disable dangerous features such as LD_PRELOAD.
glibc's runtime linker relies on this setting and in particular does not
query the kernel to determine whether it is loading a set-user-ID or
set-group-ID executable.

II.  Problem Description

The Linuxulator determined whether a binary was set-user-ID or set-group-ID
by checking the P_SUGID process flag.  During execve(2), this flag is not
yet set at the point where the auxiliary vector is constructed, so AT_SECURE
was incorrectly set to zero for set-user-ID and set-group-ID executables.

III. Impact

An unprivileged local user can inject a shared library via LD_PRELOAD into
a set-user-ID or set-group-ID Linux binary, gaining the privileges of that
binary.

IV.  Workaround

No workaround is available.  Systems that do not have either linux.ko or
linux64.ko loaded, or which do not have any Linux executables with the
set-uid or set-gid bits set, are not affected.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms which were not installed using base system packages can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch.asc
# gpg --verify linux.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              3ac9726c4269    stable/15-n283886
releng/15.1/                            a4d36c975be0  releng/15.1-n283555
releng/15.0/                            0b18ec59972b  releng/15.0-n281057
stable/14/                              ff411cc40cd4    stable/14-n274315
releng/14.4/                            3fe092282025  releng/14.4-n273719
releng/14.3/                            0dcf9bba4b9f  releng/14.3-n271519
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
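
The two conditions named in section IV can be checked on a host with the
script below. It is an added example, not part of the advisory or of FreeBSD;
the function names, the default scan root /compat/linux, and the EI_OSABI
heuristic for spotting non-FreeBSD ELF files are assumptions of this example.

```sh
#!/bin/sh
# Added example: exposure check for the two conditions in section IV.
# Assumption: an ELF file whose EI_OSABI byte (offset 7) is not
# ELFOSABI_FREEBSD (9) is treated as a candidate Linux binary.

# Succeeds when FILE starts with an ELF header that is not FreeBSD-branded.
is_foreign_elf() {
    hdr=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        7f454c46??????09) return 1 ;;   # FreeBSD native
        7f454c46????????) return 0 ;;   # ELF with another OSABI
        *) return 1 ;;                  # not ELF, or truncated header
    esac
}

# Prints every set-user-ID or set-group-ID candidate under the given roots.
list_sugid_foreign_elf() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        if is_foreign_elf "$f"; then printf '%s\n' "$f"; fi
    done
}

# Succeeds when linux.ko or linux64.ko is loaded (FreeBSD hosts only).
linuxulator_loaded() {
    command -v kldstat >/dev/null 2>&1 || return 1
    kldstat -q -n linux.ko 2>/dev/null || kldstat -q -n linux64.ko 2>/dev/null
}

# Prints "module=<yes|no> candidates=<count>", then the candidate paths.
assess() {
    hits=$(list_sugid_foreign_elf "$@")
    count=0
    [ -z "$hits" ] || count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    if linuxulator_loaded; then mod=yes; else mod=no; fi
    printf 'module=%s candidates=%s\n' "$mod" "$count"
    [ -z "$hits" ] || printf '%s\n' "$hits"
}

# Default root is /compat/linux; pass other directories to widen the scan.
[ "$#" -gt 0 ] || set -- /compat/linux
assess "$@"
```

Run it as root so find(1) can read every directory. Because -xdev keeps each
scan on one file system, pass every mount point that may hold Linux binaries.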