From nobody Tue Jun 9 23:13:40 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8P2rlxz6gqVs for ; Tue, 09 Jun 2026 23:13:41 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [96.47.72.132]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8P05Dwz3PTZ; Tue, 09 Jun 2026 23:13:40 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046821; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=4vPtQJOFqlvPEYNtA2P7eLcsN2Cgf85xqBn3mPKjsIY=; b=Mu6zee8LPo6XgyfCN/NorcCpBg9lO6ZWEslTilu9Soji9te53roAv3tb3s7xmVEMLEDmCp LSotjF9lMZoUWpi1uKiH1PgbJLax/TBoNRaWK/P2t6xitexPCRG+4xLp7iAZU7PiltPuJR YOLCk4egmXbId0xzB5p61nobX5C2X5GgDOPaQVSizSBcio3vuxo4DwVh+GldFe6yoMVmAK d0omw6LZ4sTgVjtjADHGIov8pdqSlT2uyu/hzpqqgXJJhIAgbCZubb/m7OiZ0IzxNBEbkB v4NZSnE9fCpRqFrIdFqMgqs9NC8f3Q0h1AAHBcto7fvaJkhcr+PGLdGAE99dfQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046821; a=rsa-sha256; cv=none; b=D7ajD7QQl8m02u1uy2cGQoe0EbeBhg8WSJZVp8S9WoxsZWsmB2poUvHJ3r7vyPeioKC5gS UqRsoLdcbUXjpWtWLXK/ZeAk5Yn3rXFjvqeQJ/MS6og/3fdyoorjfJQcuiTcw67wlEU+o1 oRNbl41wn+E8jC9K8siO0bMokOMg0rvQwEmYU9IdUJ935OKjcRf6AI83Sl5Eq6u2xg7HgR 0OSPaYgZm0nllWizNA23H5IT9kl5b4/tZ9ySP5rbCMuPyETzCPpIBrpR2GsJPK410u1h8a 66PCrvNw3RbiktwfSo9JbEWYQQezVK3I++/VYwcF9K2HuN/lkERlsG2ff7zGsA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046821; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=4vPtQJOFqlvPEYNtA2P7eLcsN2Cgf85xqBn3mPKjsIY=; b=TAPixOUJ+IiLEwGRcAL/WprlIFKUbiFU30kjYJUYKVH5uwHj4XgeJSrP4373Tr71iWQLU1 Of4tU+zzZEkCMl0LzXE53a70ebdz81TBIVojoZ+hd1AujLH6WC7/K6MvQ2XLWdP0NYWprv BKqduQJbQ21PF8WtCt3uyNuW3e93aDwC0wHCXjR1cN0Mi7GLgF8GlTahezZc7S9430oGQZ IZAYsukqRN8alqrkptrG0g8CgV1AVMzKzwU8psaXI2SLMYLRcjyxhBKb90Wz0Yvdg2pa0N XGoO3AaZKmEb5utCILuMt6mTDz63AEvaxm5u1lXj6XS4lBWI6EoS8DETCtCBYQ== Received: by freefall.freebsd.org (Postfix, from userid 945) id CE0F11FD25; Tue, 09 Jun 2026 23:13:40 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:30.linux Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231340.CE0F11FD25@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:13:40 +0000 (UTC) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:30.linux Security Advisory The FreeBSD Project Topic: Flaw in Linuxulator execution of setugid binaries Category: core Module: linux Announced: 2026-06-09 Credits: Minseong Kim of NSHC Red Alert Labs Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:33 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:11 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:48 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:50 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:11 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:40 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49413 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD provides a Linux system call emulation layer through a loadable kernel module, referred to as the Linuxulator. This allows users to run unmodified Linux binaries on FreeBSD. When the kernel executes a set-user-ID or set-group-ID Linux binary, it passes the AT_SECURE flag in the ELF auxiliary vector to tell the runtime linker (typically, glibc) to disable dangerous features such as LD_PRELOAD. glibc's runtime linker relies on this setting and in particular does not query the kernel to determine whether it is loading a set-user-ID or set-group-ID executable. II. Problem Description The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. III. Impact An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary. IV. Workaround No workaround is available. Systems that do not have either linux.ko or linux64.ko loaded, or which do not have any Linux executables with the set-uid or set-gid bits set, are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch # fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch.asc # gpg --verify linux.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 3ac9726c4269 stable/15-n283886 releng/15.1/ a4d36c975be0 releng/15.1-n283555 releng/15.0/ 0b18ec59972b releng/15.0-n281057 stable/14/ ff411cc40cd4 stable/14-n274315 releng/14.4/ 3fe092282025 releng/14.4-n273719 releng/14.3/ 0dcf9bba4b9f releng/14.3-n271519 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxUbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv0MEQAI764nJgo/wT5iqrDJrx F4G4LlMCqgxEB82jU48GEvy2/vbjp+nsB7hpQW/LnANWBmbbZzFUutXEqLcZKZp1 eE8ZoSoqTbCw82t7GJGcNrIt3+woBgW8IGb/onL4VxiVuFPEU/0GnJ8nwwOa9LGL LjdtvRcXaKVnWWqIDUq25cuz6+yBu5UIDWTbSHFeWr8swVhKA5Vjt1wKTXekFJhy qtEVWv8Jm5nb0C17eRYo8AY/nGh1DZv7LdJNc4dAZyy3H+QNDH7P7atYvyU06pvD Q+YNH6HENqqkGvg0YAYqrol+5me82oIK/Sz66b3VBYiBLD4FX8LaJePOfhSoKof4 f9Tk6lvpouJOmOETwZX2sAYrGDh/LMd+l/Np7vDMhQSrow4+0CDNHSI3yur8Kfkf I6pyEC3iCVi6x/xsQ2AjInMCz+Pw+YpKLKGJLyNT9hKqidQq2ebTBe86GMzPZtAM OdJ7rRMIXt2QNJmovverYVMBVBd8rXBVn//gB8Uu5CyjHG3jN/f/Rc1BhADgBS3R H1KOBxIOl3CzXU5GLxSEniI7czyeY2q9paWwddPR0BK0mqF6IP31OEekc0irRmjC damqozUiNlFFP7rC2fj2eVbhrowrtVSpo4D4oEsI6EPkVB3A67+Pq0untDa096gc X86EUvnyRijJsIl5JXb+OJoT =4LUk -----END PGP SIGNATURE-----