Date:      Thu, 26 Mar 2026 03:29:34 +0000
From:      Gordon Tetlow <gordon@FreeBSD.org>
To:        doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
Subject:   git: 10ecd5607a - main - Add SA-26:06 through SA-26:09.
Message-ID:  <69c4a81e.278a6.fbe00d7@gitrepo.freebsd.org>

The branch main has been updated by gordon:

URL: https://cgit.FreeBSD.org/doc/commit/?id=10ecd5607a7486b278f321eb173a160cc2c79f3a

commit 10ecd5607a7486b278f321eb173a160cc2c79f3a
Author:     Gordon Tetlow <gordon@FreeBSD.org>
AuthorDate: 2026-03-26 03:29:07 +0000
Commit:     Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2026-03-26 03:29:07 +0000

    Add SA-26:06 through SA-26:09.
    
    Approved by:    so
---
 website/data/security/advisories.toml              |  16 ++
 .../security/advisories/FreeBSD-SA-26:06.tcp.asc   | 180 +++++++++++++++++
 .../security/advisories/FreeBSD-SA-26:07.nvmf.asc  | 140 +++++++++++++
 .../advisories/FreeBSD-SA-26:08.rpcsec_gss.asc     | 163 +++++++++++++++
 .../security/advisories/FreeBSD-SA-26:09.pf.asc    | 168 ++++++++++++++++
 website/static/security/patches/SA-26:06/tcp.patch |  11 +
 .../static/security/patches/SA-26:06/tcp.patch.asc |  16 ++
 .../static/security/patches/SA-26:07/nvmf.patch    |  12 ++
 .../security/patches/SA-26:07/nvmf.patch.asc       |  16 ++
 .../security/patches/SA-26:08/rpcsec_gss.patch     |  51 +++++
 .../security/patches/SA-26:08/rpcsec_gss.patch.asc |  16 ++
 .../static/security/patches/SA-26:09/pf-14.patch   | 212 +++++++++++++++++++
 .../security/patches/SA-26:09/pf-14.patch.asc      |  16 ++
 .../static/security/patches/SA-26:09/pf-15.patch   | 224 +++++++++++++++++++++
 .../security/patches/SA-26:09/pf-15.patch.asc      |  16 ++
 15 files changed, 1257 insertions(+)

diff --git a/website/data/security/advisories.toml b/website/data/security/advisories.toml
index 18fcab9bf1..45d0ba9cb2 100644
--- a/website/data/security/advisories.toml
+++ b/website/data/security/advisories.toml
@@ -1,6 +1,22 @@
 # Sort advisories by year, month and day
 # $FreeBSD$
 
+[[advisories]]
+name = "FreeBSD-SA-26:09.pf"
+date = "2026-03-26"
+
+[[advisories]]
+name = "FreeBSD-SA-26:08.rpcsec_gss"
+date = "2026-03-26"
+
+[[advisories]]
+name = "FreeBSD-SA-26:07.nvmf"
+date = "2026-03-26"
+
+[[advisories]]
+name = "FreeBSD-SA-26:06.tcp"
+date = "2026-03-26"
+
 [[advisories]]
 name = "FreeBSD-SA-26:05.route"
 date = "2026-02-24"
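Review bot: The date for FreeBSD-SA-26:09.pf in this hunk is "2026-03-26", but the advisory text added in the same commit carries "Announced: 2026-03-25". One of the two should change so the index and the signed advisory agree; if the advisory text is already final, a comment here explaining the difference would help.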
diff --git a/website/static/security/advisories/FreeBSD-SA-26:06.tcp.asc b/website/static/security/advisories/FreeBSD-SA-26:06.tcp.asc
new file mode 100644
index 0000000000..ae57cc80a2
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:06.tcp.asc
@@ -0,0 +1,180 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:06.tcp                                        Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          TCP: remotely exploitable DoS vector (mbuf leak)
+
+Category:       core
+Module:         tcp
+Announced:      2026-03-26
+Credits:        Michael Tuexen (Netflix)
+Affects:        FreeBSD 14.x and FreeBSD 15.0
+Corrected:      2026-03-26 01:25:22 UTC (stable/15, 15.0-STABLE)
+                2026-03-26 01:11:18 UTC (releng/15.0, 15.0-RELEASE-p5)
+                2026-03-26 01:28:46 UTC (stable/14, 14.4-STABLE)
+                2026-03-26 01:14:54 UTC (releng/14.4, 14.4-RELEASE-p1)
+                2026-03-26 01:16:00 UTC (releng/14.3, 14.3-RELEASE-p10)
+CVE Name:       CVE-2026-4247
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The Transmission Control Protocol (TCP) is a connection oriented transport
+protocol, which can be used as an upper layer of IP.
+
+When unexpected TCP segments are received for an established TCP connection,
+so called "challenge ACK" segments may be sent back in response if certain
+criteria are met.
+
+Challenge ACKs are rate limited to ensure the remote peer does not waste too
+many CPU cycles or outbound bandwidth on the local peer if large numbers of
+unexpected TCP segments are received.
+
+The rate limiting is controlled by the net.inet.tcp.ack_war_timewindow and
+net.inet.tcp.ack_war_cnt sysctls which default to 1000 (milliseconds) and 5
+respectively i.e. challenge ACKs will be sent for the first 5 qualifying TCP
+segments received within a 1s time period and the rest will be ignored.
+
+The handling of challenge ACKs is common code in tcp_subr.c shared among the
+different TCP stacks available in the system.  This includes the FreeBSD
+default, RACK and BBR stacks.  There are differences in the behaviour of the
+different stacks; e.g. the base FreeBSD stack sends challenge ACKs to a larger
+set of unexpected packets.
+
+II.  Problem Description
+
+When a challenge ACK is to be sent tcp_respond() constructs and sends the
+challenge ACK and consumes the mbuf that is passed in.  When no challenge ACK
+should be sent the function returns and leaks the mbuf.
+
+III. Impact
+
+If an attacker is either on path with an established TCP connection, or can
+themselves establish a TCP connection, to an affected FreeBSD machine, they
+can easily craft and send packets which meet the challenge ACK criteria and
+cause the FreeBSD host to leak an mbuf for each crafted packet in excess of
+the configured rate limit settings i.e. with default settings, crafted packets
+in excess of the first 5 sent within a 1s period will leak an mbuf.
+
+Technically, off-path attackers can also exploit this problem by guessing the
+IP addresses, TCP port numbers and in some cases the sequence numbers of
+established connections and spoofing packets towards a FreeBSD machine, but
+this is harder to do effectively.
+
+IV.  Workaround
+
+The mbuf leak can be mitigated by not rate limiting the sending of challenge
+ACKs. This can be achieved with immediate effect by setting the
+net.inet.tcp.ack_war_timewindow sysctl to 0:
+
+sysctl net.inet.tcp.ack_war_timewindow=0
+
+This mitigation does trade off the leaking of mbufs against additional
+CPU/resource cost associated with responding to all challenge ACK eligible
+packets received for established TCP connections.
+
+To make this change persistent across reboots, add it to /etc/sysctl.conf.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or release /
+security branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+which were not installed using base system packages, can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-26:06/tcp.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:06/tcp.patch.asc
+# gpg --verify tcp.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              1fddb5435315    stable/15-n282699
+releng/15.0/                            de9e5d82581e  releng/15.0-n281011
+stable/14/                              b45e7530ffb9    stable/14-n273839
+releng/14.4/                            44dd8b58394b  releng/14.4-n273676
+releng/14.3/                            a9cba5321021  releng/14.3-n271476
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-4247>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:06.tcp.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=a5LJ
+-----END PGP SIGNATURE-----
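Review bot: Section IV (Workaround) tells operators to set net.inet.tcp.ack_war_timewindow=0 and persist it in /etc/sysctl.conf, but nothing says to revert it once the fix from section V is installed. The same section notes that the setting trades the leak for extra CPU/resource cost on every challenge ACK eligible packet, so a sentence asking operators to restore the default (1000, per section I) and remove the sysctl.conf line after upgrading would keep patched systems from running without the rate limit.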
diff --git a/website/static/security/advisories/FreeBSD-SA-26:07.nvmf.asc b/website/static/security/advisories/FreeBSD-SA-26:07.nvmf.asc
new file mode 100644
index 0000000000..af5c8618bb
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:07.nvmf.asc
@@ -0,0 +1,140 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:07.nvmf                                    Security Advisory
+                                                        The FreeBSD Project
+
+Topic:          Remote denial of service via null pointer dereference
+
+Category:       core
+Module:         nvmf
+Announced:      2026-03-26
+Credits:        Nikolay Denev <ndenev@gmail.com>
+Affects:        FreeBSD 15.0
+Corrected:      2026-03-25 01:29:47 UTC (stable/15, 15.0-STABLE)
+                2026-03-26 01:11:19 UTC (releng/15.0, 15.0-RELEASE-p5)
+CVE Name:       CVE-2026-4652
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+The nvmf driver implements the kernel component of an NVMe over Fabrics
+host.
+
+The CONNECT command is used to create connections (queue pairs) that
+carry NVMe read/write commands over the network. For I/O queues, this
+is commonly referred to as an I/O CONNECT.
+
+II.  Problem Description
+
+On a system exposing an NVMe/TCP target, a remote client can trigger
+a kernel panic by sending a CONNECT command for an I/O queue with a
+bogus or stale CNTLID.
+
+III. Impact
+
+An attacker with network access to the NVMe/TCP target can trigger
+an unauthenticated Denial of Service condition on the affected machine.
+
+IV.  Workaround
+
+No workaround is available.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or release /
+security branch (releng) dated after the correction date and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+which were not installed using base system packages, can be updated via the
+freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-26:07/nvmf.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:07/nvmf.patch.asc
+# gpg --verify nvmf.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              b1d32521747f    stable/15-n282694
+releng/15.0/                            48766013063a  releng/15.0-n281012
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-4652>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:07.nvmf.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=l61h
+-----END PGP SIGNATURE-----
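Review bot: Section I (Background) describes nvmf as the kernel component of an NVMe over Fabrics host, while sections II and III are about a system exposing an NVMe/TCP target, and the patch in this commit touches sys/dev/nvmf/controller/nvmft_controller.c. The Background should name the affected component so operators can tell from the advisory alone whether their role (host or target) is exposed. Separately, the "Security Advisory" and "The FreeBSD Project" header lines are indented less than in the other three advisories.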
diff --git a/website/static/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc b/website/static/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc
new file mode 100644
index 0000000000..d312246c4e
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc
@@ -0,0 +1,163 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:08.rpcsec_gss                                 Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          Remote code execution via RPCSEC_GSS packet validation
+
+Category:       core
+Module:         rpcsec_gss
+Announced:      2026-03-26
+Credits:        Nicholas Carlini using Claude, Anthropic
+Affects:        All supported versions of FreeBSD.
+Corrected:      2026-03-26 01:25:23 UTC (stable/15, 15.0-STABLE)
+                2026-03-26 01:11:20 UTC (releng/15.0, 15.0-RELEASE-p5)
+                2026-03-26 01:28:47 UTC (stable/14, 14.4-STABLE)
+                2026-03-26 01:14:55 UTC (releng/14.4, 14.4-RELEASE-p1)
+                2026-03-26 01:16:01 UTC (releng/14.3, 14.3-RELEASE-p10)
+                2026-03-26 01:30:12 UTC (stable/13, 13.5-STABLE)
+                2026-03-26 01:34:10 UTC (releng/13.5, 13.5-RELEASE-p11)
+CVE Name:       CVE-2026-4747
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+Generic Security Services (GSS) is an API which lets applications establish a
+private, authenticated communication channel with a server, such as an NFC
+server.
+
+RPCSEC_GSS is a module which enables the use of GSS with Sun RPC (rpc(3))
+servers.  It is implemented in the kernel by the kgssapi.ko kernel module, and
+used by the NFS server to enable Kerberos-based authentication and encryption
+of traffic between the server and clients.  In userspace it is implemented by
+the librpcsec_gss library.
+
+II.  Problem Description
+
+Each RPCSEC_GSS data packet is validated by a routine which checks a signature
+in the packet.  This routine copies a portion of the packet into a stack buffer,
+but fails to ensure that the buffer is sufficiently large, and a malicious
+client can trigger a stack overflow.  Notably, this does not require the client
+to authenticate itself first.
+
+III. Impact
+
+As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution
+in the kernel is possible by an authenticated user that is able to send packets
+to the kernel's NFS server while kgssapi.ko is loaded into the kernel.
+
+In userspace, applications which have librpcgss_sec loaded and run an RPC server
+are vulnerable to remote code execution from any client able to send it packets.
+We are not aware of any such applications in the FreeBSD base system.
+
+IV.  Workaround
+
+No workaround is available.  Kernels that do not have kgssapi.ko loaded are not
+vulnerable.  In userspace, any daemon linked with librpcgss_sec and running an
+RPC server is vulnerable.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, which were not installed using base
+system packages, can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch.asc
+# gpg --verify rpcsec_gss.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel and the operating system as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and
+<URL:https://www.FreeBSD.org/handbook/makeworld.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              1b00fdc1f3cd    stable/15-n282700
+releng/15.0/                            4ec1b6213463  releng/15.0-n281013
+stable/14/                              e5ed09ffd592    stable/14-n273840
+releng/14.4/                            7ea03a4238e8  releng/14.4-n273677
+releng/14.3/                            b6ce88ab9a5f  releng/14.3-n271477
+stable/13/                              99ec7f9b9e48    stable/13-n259823
+releng/13.5/                            c4f53a1adbd4  releng/13.5-n259207
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-4747>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=K+Bc
+-----END PGP SIGNATURE-----
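Review bot: Sections II and III disagree on the attacker: II says the overflow "does not require the client to authenticate itself first", while III says kernel remote code execution is possible "by an authenticated user". Please state one precondition consistently, since it decides how operators prioritise this. Smaller points: section I has "NFC server" where the rest of the text means NFS; sections III and IV write "librpcgss_sec" where section I and the patch path use librpcsec_gss; and the first paragraph of section V drops the "and reboot" that the other advisories in this commit have, although the steps below it still reboot.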
diff --git a/website/static/security/advisories/FreeBSD-SA-26:09.pf.asc b/website/static/security/advisories/FreeBSD-SA-26:09.pf.asc
new file mode 100644
index 0000000000..13cdb6bd52
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-SA-26:09.pf.asc
@@ -0,0 +1,168 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-26:09.pf                                         Security Advisory
+                                                          The FreeBSD Project
+
+Topic:          pf silently ignores certain rules
+
+Category:       core
+Module:         pf
+Announced:      2026-03-25
+Credits:        Michael Gmelin
+Affects:        FreeBSD 14.x and FreeBSD 15.0
+Corrected:      2026-03-25 07:11:58 UTC (stable/15, 15.0-STABLE)
+                2026-03-26 01:11:25 UTC (releng/15.0, 15.0-RELEASE-p5)
+                2026-03-25 09:58:28 UTC (stable/14, 14.4-STABLE)
+                2026-03-26 01:15:00 UTC (releng/14.4, 14.4-RELEASE-p1)
+                2026-03-26 01:16:06 UTC (releng/14.3, 14.3-RELEASE-p10)
+CVE Name:       CVE-2026-4748
+
+For general information regarding FreeBSD Security Advisories,
+including descriptions of the fields above, security branches, and the
+following sections, please visit <URL:https://security.FreeBSD.org/>.
+
+I.   Background
+
+pf is an Internet Protocol packet filter originally written for OpenBSD.
+While loading its configuration, pf hashes rules and silently drops
+duplicates as an optimisation.  Only the first rule with the same hash is
+considered.
+
+II.  Problem Description
+
+A regression in the way hashes were calculated caused rules containing the
+address range syntax (x.x.x.x - y.y.y.y) that only differ in the address
+range(s) involved to be silently dropped as duplicates.  Only the first of
+such rules is actually loaded into pf.  Ranges expressed using the
+address[/mask-bits] syntax were not affected.
+
+Some keywords representing actions taken on a packet-matching rule, such as
+'log', 'return tll', or 'dnpipe', may suffer from the same issue.  It is
+unlikely that users have such configurations, as these rules would always be
+redundant.  The verification described in "IV. Workaround" below will find
+these as well.
+
+III. Impact
+
+Affected rules are silently ignored, which can lead to unexpected behaviour
+including over- and underblocking.
+
+IV.  Workaround
+
+Only systems using the pf firewall are affected.
+
+The operator can determine if a specific system is affected by reloading the
+configuration verbosely:
+
+# pfctl -vf /etc/pf.conf | grep already
+
+As a workaround, affected rules can be rewritten, e.g., by
+using tables or multiple rules instead of address ranges.
+Another option is to add labels to rules to make them unique.
+
+V.   Solution
+
+Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date
+and reboot.
+
+Perform one of the following:
+
+1) To update your vulnerable system installed from base system packages:
+
+Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
+platforms, which were installed using base system packages, can be updated
+via the pkg(8) utility:
+
+# pkg upgrade -r FreeBSD-base
+# shutdown -r +10min "Rebooting for a security update"
+
+2) To update your vulnerable system installed from binary distribution sets:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13, which were not installed using base
+system packages, can be updated via the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# shutdown -r +10min "Rebooting for a security update"
+
+3) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+[FreeBSD 15.0]
+# fetch https://security.FreeBSD.org/patches/SA-26:09/pf-15.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:09/pf-15.patch.asc
+# gpg --verify pf-15.patch.asc
+
+[FreeBSD 14.x]
+# fetch https://security.FreeBSD.org/patches/SA-26:09/pf-14.patch
+# fetch https://security.FreeBSD.org/patches/SA-26:09/pf-14.patch.asc
+# gpg --verify pf-14.patch.asc
+
+b) Apply the patch.  Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+<URL:https://www.FreeBSD.org/handbook/kernelconfig.html>; and reboot the
+system.
+
+VI.  Correction details
+
+This issue is corrected as of the corresponding Git commit hash in the
+following stable and release branches:
+
+Branch/path                             Hash                     Revision
+- -------------------------------------------------------------------------
+stable/15/                              4311217a039c    stable/15-n282698
+releng/15.0/                            d91cf52e31ac  releng/15.0-n281017
+stable/14/                              e3b801edded9    stable/14-n273835
+releng/14.4/                            b6865bca4ba5  releng/14.4-n273681
+releng/14.3/                            c03577d99d2d  releng/14.3-n271481
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat <commit hash>
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>;
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+<URL:https://www.cve.org/CVERecord?id=CVE-2026-4748>;
+
+The latest revision of this advisory is available at
+<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:09.pf.asc>;
+-----BEGIN PGP SIGNATURE-----
+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+=cGmd
+-----END PGP SIGNATURE-----
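Review bot: Section V step 2 mentions "the i386 platform on FreeBSD 13", but the Affects line lists only FreeBSD 14.x and 15.0 and there is no 13.x entry in the Corrected list or in the table in section VI; the clause looks carried over from another advisory and should go. In section II, 'return tll' reads like a typo for the keyword the sentence means and should be checked against the pf.conf grammar.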
diff --git a/website/static/security/patches/SA-26:06/tcp.patch b/website/static/security/patches/SA-26:06/tcp.patch
new file mode 100644
index 0000000000..d7be7a9ac7
--- /dev/null
+++ b/website/static/security/patches/SA-26:06/tcp.patch
@@ -0,0 +1,11 @@
+--- sys/netinet/tcp_subr.c.orig
++++ sys/netinet/tcp_subr.c
+@@ -2216,6 +2216,8 @@
+ 		tcp_respond(tp, mtod(m, void *), th, m, tp->rcv_nxt,
+ 		    tp->snd_nxt, TH_ACK);
+ 		tp->last_ack_sent = tp->rcv_nxt;
++	} else {
++		m_freem(m);
+ 	}
+ }
+ 
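Review bot: The new else branch calls m_freem(m) with no comment on why the free belongs only there. A one-line comment stating that tcp_respond() consumes m on the other path, so the suppressed (rate-limited) path has to free it, would keep a later edit from reintroducing the leak or adding a double free.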
diff --git a/website/static/security/patches/SA-26:06/tcp.patch.asc b/website/static/security/patches/SA-26:06/tcp.patch.asc
new file mode 100644
index 0000000000..939ecee86f
--- /dev/null
+++ b/website/static/security/patches/SA-26:06/tcp.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=m/gK
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-26:07/nvmf.patch b/website/static/security/patches/SA-26:07/nvmf.patch
new file mode 100644
index 0000000000..44eaab112a
--- /dev/null
+++ b/website/static/security/patches/SA-26:07/nvmf.patch
@@ -0,0 +1,12 @@
+--- sys/dev/nvmf/controller/nvmft_controller.c
++++ sys/dev/nvmf/controller/nvmft_controller.c
+@@ -227,7 +227,7 @@
+ 	if (ctrlr == NULL) {
+ 		mtx_unlock(&np->lock);
+ 		printf("NVMFT: Nonexistent controller %u for I/O queue %u from %.*s\n",
+-		    ctrlr->cntlid, qid, (int)sizeof(data->hostnqn),
++		    cntlid, qid, (int)sizeof(data->hostnqn),
+ 		    data->hostnqn);
+ 		nvmft_connect_invalid_parameters(qp, cmd, true,
+ 		    offsetof(struct nvmf_fabric_connect_data, cntlid));
+
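Review bot: The printf in the ctrlr == NULL branch is not rate limited, and section II of the advisory says a remote client reaches this branch with a bogus or stale CNTLID, so after the fix each such CONNECT still writes a console line; consider rate limiting the message. Also, the "---" header line of this patch lacks the .orig suffix that the other patches in this commit use.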
diff --git a/website/static/security/patches/SA-26:07/nvmf.patch.asc b/website/static/security/patches/SA-26:07/nvmf.patch.asc
new file mode 100644
index 0000000000..103fbf5f74
--- /dev/null
+++ b/website/static/security/patches/SA-26:07/nvmf.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=VSzB
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-26:08/rpcsec_gss.patch b/website/static/security/patches/SA-26:08/rpcsec_gss.patch
new file mode 100644
index 0000000000..82896df793
--- /dev/null
+++ b/website/static/security/patches/SA-26:08/rpcsec_gss.patch
@@ -0,0 +1,51 @@
+--- lib/librpcsec_gss/svc_rpcsec_gss.c.orig
++++ lib/librpcsec_gss/svc_rpcsec_gss.c
+@@ -758,6 +758,14 @@
+ 	
+ 	memset(rpchdr, 0, sizeof(rpchdr));
+ 
++	oa = &msg->rm_call.cb_cred;
++
++	if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
++		log_debug("auth length %d exceeds maximum", oa->oa_length);
++		client->cl_state = CLIENT_STALE;
++		return (FALSE);
++	}
++
+ 	/* Reconstruct RPC header for signing (from xdr_callmsg). */
+ 	buf = rpchdr;
+ 	IXDR_PUT_LONG(buf, msg->rm_xid);
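Review bot: The bound sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT uses a bare 8 with no explanation. It presumably stands for the header words written by the IXDR_PUT_* calls that follow (the context shows rm_xid through oa_length); a comment or named constant would tie the check to that sequence, so adding a field later does not silently invalidate it. The copy guarded by if (oa->oa_length) is not visible here: if it rounds oa_length up to a multiple of BYTES_PER_XDR_UNIT, confirm the bound covers the rounded size.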
+@@ -766,7 +774,6 @@
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
+-	oa = &msg->rm_call.cb_cred;
+ 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
+ 	IXDR_PUT_LONG(buf, oa->oa_length);
+ 	if (oa->oa_length) {
+--- sys/rpc/rpcsec_gss/svc_rpcsec_gss.c.orig
++++ sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
+@@ -1170,6 +1170,15 @@
+ 	
+ 	memset(rpchdr, 0, sizeof(rpchdr));
+ 
++	oa = &msg->rm_call.cb_cred;
++
++	if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
++		rpc_gss_log_debug("auth length %d exceeds maximum",
++		    oa->oa_length);
++		client->cl_state = CLIENT_STALE;
++		return (FALSE);
++	}
++
+ 	/* Reconstruct RPC header for signing (from xdr_callmsg). */
+ 	buf = rpchdr;
+ 	IXDR_PUT_LONG(buf, msg->rm_xid);
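Review bot: rpc_gss_log_debug() prints oa->oa_length with %d, while the comparison against sizeof(rpchdr) is effectively unsigned; if oa_length is an unsigned type, %u is the matching conversion, and a very large client-supplied length would otherwise be logged as a negative number. The same applies to the log_debug() call added in lib/librpcsec_gss/svc_rpcsec_gss.c.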
+@@ -1178,7 +1187,6 @@
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
+ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
+-	oa = &msg->rm_call.cb_cred;
+ 	IXDR_PUT_ENUM(buf, oa->oa_flavor);
+ 	IXDR_PUT_LONG(buf, oa->oa_length);
+ 	if (oa->oa_length) {
diff --git a/website/static/security/patches/SA-26:08/rpcsec_gss.patch.asc b/website/static/security/patches/SA-26:08/rpcsec_gss.patch.asc
new file mode 100644
index 0000000000..b88ebb8529
--- /dev/null
+++ b/website/static/security/patches/SA-26:08/rpcsec_gss.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnEkWIACgkQbljekB8A
+Gu/muQ/+IwXcDjdBY49Xf396/tRJeRNsAiAnCZMOJuUxLfRiZM78Z46LkM6FsHoI
+D8BuUJK72nJAX/Cy6vzsr88IZhRZwob/McsN15+37akVZdq2u6mZOHWBiVORBVIS
+LTaklgxBjleR2JRYdK8Wz11TLBWIFtDgY+Po/9xWFr4pOF1brWDaIRMJVeP3nf4i
+MvAewSBxQGyT9fkWEgU6WXQQpsO7Nahv9R4NG/YnFhElsB2NsgVdYoweOkQxJNPY
+1N2mMsKadlnfQvSpgdGhmXSBB6pNpK6XXCbYYU2DvjVxKGjHbVJEyRnSZZo7uZ8A
+/ZW7u5SMwW1cPIcqgHfkzLxyIFCTKoH2fuiFoo8Gc7f7gDhCyUJ1xZ7ytFm4bLvV
+pwLLOleeg3a5LDouA1PbBxN9Y4P/ud0xaQfmfcQsKGzzETiYyHMPM9GvDVx0cTDE
++jvngAhiHn4pcsKOBHPNkxwfkLovFTNAlOqpm+Wa5A9eUZxFO8KYUnnAsEHGIAue
+Lvd35kAPgcF5tt0jhAAJr3BQXtHiTue6QqpP9tKPjyYf3o0M/LZMzEqJk4YlJKz/
+rmlTaaDNQjzx8geV5pPCZcOC5CvjdOILXrv343qozJTRksWp3NuuyLYMBUWcXire
+nMbH+q85rGlAah9KHmJhQcpka4vaRRlOkHAkV2IUEN0Qoy1inUg=
+=R9iR
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/SA-26:09/pf-14.patch b/website/static/security/patches/SA-26:09/pf-14.patch
new file mode 100644
index 0000000000..477dde061e
--- /dev/null
+++ b/website/static/security/patches/SA-26:09/pf-14.patch
@@ -0,0 +1,212 @@
+--- sbin/pfctl/pfctl.c.orig
++++ sbin/pfctl/pfctl.c
+@@ -2043,13 +2043,13 @@
+ 		}
+ 	}
+ 
+-	if (pf->opts & PF_OPT_VERBOSE) {
++	if (pf->opts & PF_OPT_VERBOSE || was_present) {
+ 		INDENT(depth, !(pf->opts & PF_OPT_VERBOSE2));
+ 		print_rule(r, name,
+ 		    pf->opts & PF_OPT_VERBOSE2,
+ 		    pf->opts & PF_OPT_NUMERIC);
+ 		if (was_present)
+-			printf(" -- rule was already present");
++			printf(" -- rule was already present\n");
+ 	}
+ 	path[len] = '\0';
+ 	pfctl_clear_pool(&r->rpool);
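Review bot: In the condition pf->opts & PF_OPT_VERBOSE || was_present the precedence is right, but parenthesising the mask test, (pf->opts & PF_OPT_VERBOSE) || was_present, makes that obvious to the reader. Since the duplicate notice now also appears on non-verbose loads and gains a trailing \n, check that the verbose path does not already end the line after this block, or duplicates will be followed by a blank line there.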
+--- sys/netpfil/pf/pf_ioctl.c.orig
++++ sys/netpfil/pf/pf_ioctl.c
+@@ -1264,10 +1264,17 @@
+ 			PF_MD5_UPD(pfr, addr.v.tblname);
+ 			break;
+ 		case PF_ADDR_ADDRMASK:
++		case PF_ADDR_RANGE:
+ 			/* XXX ignore af? */
+ 			PF_MD5_UPD(pfr, addr.v.a.addr.addr32);
+ 			PF_MD5_UPD(pfr, addr.v.a.mask.addr32);
+ 			break;
++		case PF_ADDR_NOROUTE:
++		case PF_ADDR_URPFFAILED:
++			/* These do not use any address data. */
++			break;
++		default:
++			panic("Unknown address type %d", pfr->addr.type);
+ 	}
+ 
+ 	PF_MD5_UPD(pfr, port[0]);
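Review bot: The default: case added to the switch calls panic() on an unrecognised pfr->addr.type. This code hashes rules as they are loaded, so if addr.type is not validated before this point, a malformed rule submitted through the ioctl would take the kernel down. Please confirm the type is checked earlier, or return an error instead of panicking.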
+@@ -1276,6 +1283,28 @@
+ 	PF_MD5_UPD(pfr, port_op);
+ }
+ 
++static void
++pf_hash_pool(MD5_CTX *ctx, struct pf_kpool *pool)
++{
++	uint16_t x;
++	int y;
++
++	if (pool->cur) {
++		PF_MD5_UPD(pool, cur->addr);
++		PF_MD5_UPD_STR(pool, cur->ifname);
++	}
++	PF_MD5_UPD(pool, key);
++	PF_MD5_UPD(pool, counter);
++
++	PF_MD5_UPD(pool, mape.offset);
++	PF_MD5_UPD(pool, mape.psidlen);
++	PF_MD5_UPD_HTONS(pool, mape.psid, x);
++	PF_MD5_UPD_HTONL(pool, tblidx, y);
++	PF_MD5_UPD_HTONS(pool, proxy_port[0], x);
++	PF_MD5_UPD_HTONS(pool, proxy_port[1], x);
++	PF_MD5_UPD(pool, opts);
++}
++
+ static void
+ pf_hash_rule_rolling(MD5_CTX *ctx, struct pf_krule *rule)
+ {
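Review bot: pf_hash_pool() feeds only pool->cur into the digest (cur->addr and cur->ifname). If a pool can hold more than one address, two rules that differ only in a later pool entry would still hash the same and one would be dropped as a duplicate, which is the failure this advisory is about; either hash every entry or add a comment saying why cur is enough. The counter and tblidx fields also look like runtime state rather than configuration, so it is worth confirming they are stable at the time the rule is hashed.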
+@@ -1286,37 +1315,84 @@
+ 	pf_hash_rule_addr(ctx, &rule->dst);
+ 	for (int i = 0; i < PF_RULE_MAX_LABEL_COUNT; i++)
+ 		PF_MD5_UPD_STR(rule, label[i]);
++	PF_MD5_UPD_HTONL(rule, ridentifier, y);
+ 	PF_MD5_UPD_STR(rule, ifname);
++	PF_MD5_UPD_STR(rule, qname);
++	PF_MD5_UPD_STR(rule, pqname);
++	PF_MD5_UPD_STR(rule, tagname);
+ 	PF_MD5_UPD_STR(rule, match_tagname);
+-	PF_MD5_UPD_HTONS(rule, match_tag, x); /* dup? */
++
++	PF_MD5_UPD_STR(rule, overload_tblname);
++
++	pf_hash_pool(ctx, &rule->rpool);
++
+ 	PF_MD5_UPD_HTONL(rule, os_fingerprint, y);
++
++	PF_MD5_UPD_HTONL(rule, rtableid, y);
++	for (int i = 0; i < PFTM_MAX; i++)
++		PF_MD5_UPD_HTONL(rule, timeout[i], y);
++	PF_MD5_UPD_HTONL(rule, max_states, y);
++	PF_MD5_UPD_HTONL(rule, max_src_nodes, y);
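Review bot: pf_hash_rule_rolling() still relies on a hand-maintained list of fields, and the lines added here (ridentifier, qname, pqname, tagname, overload_tblname, rtableid, the timeouts and more) show how easily one is missed. A comment on struct pf_krule pointing at this function, or a regression test that loads pairs of rules differing in a single field and checks that neither is reported as already present, would catch the next omission. The rest of this hunk is cut off in the mail, so this is based on the visible lines only.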
*** 396 LINES SKIPPED ***