From nobody Tue Jun 9 23:14:01 2026 X-Original-To: freebsd-security-notifications@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gZl8n5DGHz6gqgP for ; Tue, 09 Jun 2026 23:14:01 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R12" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4gZl8n1X4qz3QHD; Tue, 09 Jun 2026 23:14:01 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046841; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Vm+SqV7N3mqFN2q6T8hiC3FY/oljTsgurocxAreXDOo=; b=w9GGgfPxxq4CP7MqJzRIiQSAjU1rfdg/D8MigtQWZ/B1VMkuo8g7KdQiV9rDckIZEEnlKc 56CroQfglLDYZ3sU6+K+hK2x70wso5Bp4zGDD2dPIX1RwjvxMIWqohU8oeJUDO4HVl5z4T 7kwBLjuCoTgeX8bncAoN8zA7UMlg0p9eF3qoFvuRUJbpy88LtS01DesPYr8knxeTd0zXCL 9Ui72C+eDPM8POocS7TbyzdNNGvCbyFNlpadzCUMiGDg4en3E8G8a6XVhpVVruOWVluwL5 bjfMnRHuGX/6VmgGq7mR0TIzJYak2XXXBVUNWlKdwSbmMaleQsaKgHj3S+Gq7g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781046841; a=rsa-sha256; cv=none; b=nhQkoDTzdW365Ll1oEg/wW4ucsR4fUX9IPpy+5kRelNH1ekwaKVp1pjJb8QMoeXlSH+KaD e2mJEeHVYopOv8NnRabEIzxVugrSUFa4KGSDt20ojGBtKvI8cAiP7rDlTGWiiScsTvQ/0u jrwfyDD477fpF4gO4pXw6Lx0slluWpfmD5Jr2B2qU2i8vRE9w34qdXx0Gdm8vfu3HGLJmk hC28QSL1yQVCBe1YH8+GAKwLNaoKF0D37vWWLTX46mQ0RsWUN476ByrvuMFQo0/dEqmbgz 9S+lNaCPHtId9UXscoWKTFcqdhKjJUIAsj8uG8q5xt1Os1ny/jQAATkC/CAQ9g== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781046841; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Vm+SqV7N3mqFN2q6T8hiC3FY/oljTsgurocxAreXDOo=; b=A4yaaLCB+v7wnAmBARxJQEWsxjibUNGGYmaDOIZQ7LhTlWiCo8OHcb2StXhn1AKL6Lye4h 0qYCHuZMSsq5ZIoEN8sBEoGNes/+8jZkG0i1kcgKbsU10fXHimG49qe5eyebyJ85BDixIB 9/6dZSkZAOIsMVRmGgsLOMXJ3N4TTlpjMvqkE2k5oAyf6MJwdiP+rt55qC49iHhtxhJq0l nA2Crh1nq4/LdAvc2IoIKVGGACAVtHRVkv9MyG2lRi35zGeYkVY2Wbp68RtBG9bD7z/1kq NS9Ikryol07hQvjlJmrhn7+iVnzYIdRLDHAKqefktRj90GfBMTS8/6Ox1wf5JA== Received: by freefall.freebsd.org (Postfix, from userid 945) id 28A7D1FC63; Tue, 09 Jun 2026 23:14:01 +0000 (UTC) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-26:34.vt Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20260609231401.28A7D1FC63@freefall.freebsd.org> Date: Tue, 09 Jun 2026 23:14:01 +0000 (UTC) List-Id: Moderated Security Notifications [moderated, low volume] List-Archive: https://lists.freebsd.org/archives/freebsd-security-notifications List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security-notifications@freebsd.org Sender: owner-freebsd-security-notifications@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:34.vt Security Advisory The FreeBSD Project Topic: Integer overflow in vt(4) CONS_HISTORY ioctl Category: core Module: vt Announced: 2026-06-09 Credits: Ed Maste Affects: All supported versions of FreeBSD Corrected: 2026-06-07 17:10:53 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:14 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:53 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-07 17:12:28 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:15 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:45 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49416 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background vt(4) is FreeBSD's default system console driver. It provides virtual terminals on the physical console, including a scrollback history buffer. The CONS_HISTORY ioctl(2) allows a user to resize the scrollback history of a virtual terminal. II. Problem Description The CONS_HISTORY ioctl handler did not adequately validate the requested history size. A large value caused an integer overflow in the buffer size calculation, resulting in a heap allocation smaller than expected. Subsequent initialization of the buffer wrote beyond the end of the allocation. III. Impact An unprivileged local user with access to a vt(4) device can trigger an out-of-bounds write in the kernel, potentially escalating privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:34/vt.patch # fetch https://security.FreeBSD.org/patches/SA-26:34/vt.patch.asc # gpg --verify vt.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ deaaddf1d3c4 stable/15-n283854 releng/15.1/ 8ed11b21e544 releng/15.1-n283558 releng/15.0/ f4cf977dfe92 releng/15.0-n281061 stable/14/ b5a4f4bfbc95 stable/14-n274300 releng/14.4/ 799e830134d5 releng/14.4-n273723 releng/14.3/ 9cba21c2de16 releng/14.3-n271523 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiW4bFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvpd8P/0WOqL3COrZKAvzgZO+u tOfo4MhWYDw+jMAHtFLU5qH6GNfgUA8j5OaLaN1Rf+Z0+UNyy6CC5wehumdzRHm8 dPdfW9mKA932rsrOMM5/RtgLmBjVok4VjzC+KZbpO2b2cEJN5Tq1ZIYqZyvhbUV5 ZXjgdTZ1w2osE7IzPK2v0OOCRh+uiVLjpBiE4M18K0bmsnEytHm3xOpUUIkSNGWe gwunylrC0FstCKI778agymVHf4LX/xzEm7E62B4Ydk21GbB5QEx8ZnOOWWY8OehJ O48CBQILxnsIYSySx258nO9K8SwrZ45IonJmxb+N1OTTl+qDeSQo9Wfw2zTR4YZl qBBXpl9Ra/dL4zOGM0HOBEwlOXruCC4vm84vipZowJwO5e97/XZVdhNhkU8HHNWO 256nEIRwAFx/KqJ63AseOsq6REIP6hhCLo8NyWqLYpdp0MGClZ7UBQ5ay6TvwVHD Qf+KyZrfGh6q7pU2ADmLdzf0H6FiUASsbPiRjcd5o/T4qPY9vJKJGOfd8EVHqzsH Rh2yhdtbsbCqTvfOjnUIuj5vJnk3sr/HG9wJXNqEgLcBz33/jmNaNhHXcyc2Yw9N 7lBHW20nj3jDFhK8MdKSvBUZ4WSmr8yBYb85v4L6kb9EKDiUQMa7eJ6cCaHYYRff NH418v0qjh1t7fJRdmx1HtvQ =ZGXy -----END PGP SIGNATURE-----