diff --git a/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc b/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc
index f3bb91d1b7..5ab0b57512 100644
--- a/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc
+++ b/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc
@@ -1,188 +1,187 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-26:15.openssl Errata Notice
The FreeBSD Project
Topic: Update OpenSSL to 3.0.20 and 3.5.6
Category: contrib
Module: openssl
Announced: 2026-06-09
Affects: All supported versions of FreeBSD.
Corrected: 2026-04-12 02:15:10 UTC (stable/15, 15.0-STABLE)
2026-06-09 19:19:33 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-04-13 00:12:11 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:18:58 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:25 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-2673, CVE-2026-28387, CVE-2026-28388,
CVE-2026-28389, CVE-2026-31789, CVE-2026-31790
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) protocol. It is
also a general-purpose cryptography library.
II. Problem Description
The OpenSSL releases included with the affected FreeBSD versions predate
OpenSSL 3.0.20 (FreeBSD 14) and 3.5.6 (FreeBSD 15). This update imports the
current upstream point release on each branch. The import resolves several
issues affecting different OpenSSL versions, and therefore different FreeBSD
versions. Instead of listing detailed writeups for each issue, please see
the referenced advisory from OpenSSL.
Issues affecting FreeBSD 15 (OpenSSL 3.5):
CVE-2026-2673 - DEFAULT keyword corrupts the key-agreement group list
CVE-2026-28387 - Possible use-after-free in DANE client code
CVE-2026-28388 - NULL dereference when processing a delta CRL
CVE-2026-28389 - NULL dereference processing CMS KeyAgreeRecipientInfo
CVE-2026-31789 - Heap buffer overflow in hexadecimal conversion
CVE-2026-31790 - NULL dereference processing CMS KeyTransRecipientInfo
Issues affecting FreeBSD 14 (OpenSSL 3.0):
CVE-2026-28387 - Possible use-after-free in DANE client code
CVE-2026-28388 - NULL dereference when processing a delta CRL
CVE-2026-28389 - NULL dereference processing CMS KeyAgreeRecipientInfo
CVE-2026-31789 - Heap buffer overflow in hexadecimal conversion
CVE-2026-31790 - NULL dereference processing CMS KeyTransRecipientInfo
III. Impact
The issues include missing input validation, NULL pointer dereferences, a
use-after-free, and a heap buffer overflow. Impact is generally limited
to a crash and a Denial of Service. See the OpenSSL advisory for specific
details.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date. A reboot is required
following the upgrade to ensure that all applications and kernel code are
rebuilt with the updated OpenSSL-provided code.
Perform one of the following:
1) To update your system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for an erratum fix"
2) To update your system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for an erratum fix"
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-15.0.patch
# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-15.0.patch.asc
# gpg --verify openssl-15.0.patch.asc
[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.4.patch
# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.4.patch.asc
# gpg --verify openssl-14.4.patch.asc
[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.3.patch
# fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.3.patch.asc
# gpg --verify openssl-14.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart all daemons that use the library, or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 51a80be04fe6 stable/15-n282933
releng/15.0/ 0f6e90c4cc4f releng/15.0-n281050
stable/14/ 27ac9d336f71 stable/14-n273945
releng/14.4/ 1bfe60bae8b8 releng/14.4-n273712
releng/14.3/ d95a8c20f3bc releng/14.3-n271512
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
-
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiTUbFIAAAAAABAAO
-bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7GgP/Rlmd7bwJWjqt05Rdw+u
-QEJnicVJ4PaoXKlDOxyZ5e8N24tV2MImhgxb1lIS0EluYSVYw8dN0jMymgAK0qxJ
-W0UfgE05tOvEncUmAM62Rm+aQCljP9xu65CNcYkP4JJ3Rx+ebPugi6hbXwH4jlgG
-PIL1E0WJrOQhC/ZhJ79kU4yRTy5Lo1CRNQ54z+84nV81xWiKDrHoGlFzcr491xZv
-E+MysddGPq8o/YhuAR0aG/dokUbNsdBpak0zzXTAPQxCHO/MmnTRg3I+iWIhyTkp
-y+vq10xqZaZVOmumlsn6hbyDTcCyWP6uFwvk2KS0xLW1JU+PjYPmo9yJF64HD0ic
-IWEW2GQ1wCk0N/JKoUZIkW+Xnz2dOZtpYm05hgJyqaNcyUqZ1rHUpE2nTkgUlGMk
-NX+kroBqwqEy/+UZUa6b2B5sWDw/sOe7q08moso8ayXgM3/cvVpxh7x0o2SUC0jq
-IZd7y5HvvNqVnhAapSFFiQQ2LZNohcR5z8QSLf+ksr20nh+4841dSEry6s9iZxMD
-EMtx2JmFfLhsEOAyG4EoKHJnSIIcpDScqhT1xBpZLzceiOhKRWR34/TBcnkku+aR
-/zehcFDZjHFkmh1ZSrzzFSLB6Ph1VUjT32jhetfcjCeYgY8J0AmCJb6HZVVNLTRl
-Av4Oox3d6umxDz3LWggvJqNU
-=jdTF
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolw4bFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv5ewP/3XwoJ809Y0eVU/MrvNM
+VujyPzQFeMYHg9Od8AYqCfL9AsJaPPnI9sDLHLTIlwfC34ahC8xksEhfpKAoVn/9
+kSgKG8Evmb2xOxxz9mnH3cj/4IuyfvDoA7bWLI1yjdjXdm7rP9dE+nI0xktm1aeX
+TkMHrpTzeR0F/M1fehjuUuYKdHzINvorKFA49fZm3GvDWogLPWGzU2fLhpHwGa8Z
+D7Maxi9U+cuv5zlw6GxKHvPTJTwzLy7F9GejFEq+25YFdhvyKe7ZB8J33ttz1nlc
+Ee8z/QkJM/O8/YrvX2i4ZqFmSjgOPbOrbSOiLo13Yusj1TQn/wmsuymP4Vjxf7xM
+7ERML9TW1yti0ZCxriwcWUNSt7agPqP18Gjo2las1v8EVuGZ3PB/EhMmP+s0RPtd
+ZhVSK7UVJiX0zrIhE5bse+2A67l71rDNLKh7pt7P2FFID2yKLDBgUjMoUbNODsvO
+rOeZ09ndMQT24yrkjYM7uKHqmicQs/uBJzXItEr8NU5psKe4gIAfzrWDSl6Lg53y
+yJPtEitkcGPHRwDV4fdCcauri2fiw1S8yWH6DXl/CLviAApE9w7NRpD181g0eo5E
+QkRHy/rge2A9vK00KGpZsm7HPeIggdob3iK9TkYg3N+tZhBRfh7WtnQR7ZN7iMpv
+J6mK8Rm9NoDASI4IXgdRR5gs
+=Ocgt
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-26:28.capsicum.asc b/website/static/security/advisories/FreeBSD-SA-26:28.capsicum.asc
index 6c374b1c3b..5479bdfadb 100644
--- a/website/static/security/advisories/FreeBSD-SA-26:28.capsicum.asc
+++ b/website/static/security/advisories/FreeBSD-SA-26:28.capsicum.asc
@@ -1,193 +1,170 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:28.capsicum Security Advisory
The FreeBSD Project
Topic: sigqueue(2) missing capability mode restriction
Category: core
Module: capsicum
Announced: 2026-06-09
Credits: Ed Maste
Affects: All supported versions of FreeBSD.
Corrected: 2026-05-29 19:11:40 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:09 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:46 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-05-29 19:12:58 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:08 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:38 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-45259
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Capsicum is a lightweight OS capability and sandbox framework. It provides
two kernel primitives: capability mode, and capabilities. Capability mode
restricts the ability of a sandboxed process to interact with the global
namespace, including the ability to send signals to other processes, other
than via capability-based interfaces.
In capability mode, kill(2) restricts signal delivery to the calling process
only, preventing a sandboxed process from signalling other processes.
sigqueue(2) provides similar signal delivery functionality, and is similarly
permitted in capability mode.
II. Problem Description
sigqueue(2) was marked as permitted in capability mode with the introduction
of Capsicum in 2011, but the implementation of kern_sigqueue did not include
a capability mode check restricting signal delivery to the calling process's
own PID.
III. Impact
A process in capability mode can use sigqueue(2) to send signals to any
process it could signal following standard Unix permissions, bypassing the
Capsicum sandbox restriction. A compromised sandboxed process could
interfere with other processes, for example by sending SIGKILL or SIGSTOP.
This could be any process running as the same user, or any process, for a
superuser sandboxed process.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
-# shutdown -r +10min "Rebooting for a security update"
+# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
-# shutdown -r +10min "Rebooting for a security update"
+# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch.asc
# gpg --verify capsicum-15.1.patch.asc
[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch.asc
# gpg --verify capsicum-15.0.patch.asc
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch.asc
# gpg --verify capsicum-14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
-
-
-c) Recompile the operating system using buildworld and installworld as
-described in .
-
-
-
-c) Recompile the operating system using buildworld and installworld as
-described in .
-
-Restart the applicable daemons, or reboot the system.
-
-
-
-c) Recompile the operating system using buildworld and installworld as
-described in .
-
-Restart all daemons that use the library, or reboot the system.
-
-
-
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ defd9b86ef99 stable/15-n283744
releng/15.1/ 871d33e8a66a releng/15.1-n283553
releng/15.0/ 77ee83d12625 releng/15.0-n281055
stable/14/ d11ff01b3aec stable/14-n274231
releng/14.4/ eab757f954ed releng/14.4-n273717
releng/14.3/ f56e8cb94df6 releng/14.3-n271517
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
-
-
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiVUbFIAAAAAABAAO
-bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv4bQP/RpYAfFW142SRvxSSRWP
-505S6F5yIGc3T2xsH1Y6x7wunEjN0FaNGw5WVi/ehyP74+G7d818tuDfs+qCS3Mc
-jtS/OpyZuZ2ZhqoP5iEPBH1JfiQdEDKClg9voMd7JOoorXM6blQmb1sLUdG8hM1+
-x8oedLmEnXn+8iej2qLF5i89qu2k9L3Aoh6gMCPjslDnfj8NvomMXfOO1eET9V06
-VswHU/psB7PVz3SKmfvtPIUaLHo7SnnISnoOIwEElwObTsbPokjOk+TORLBFVEB/
-EiBcaapsgcO4lsXk3nq+jwa9nMj+lUk09Ec454/m/98W2OlJCKf4nf1JzUQFnT53
-ONMhejUntzI2XQ61+h/z7nMIHhFbEdiCEuLzaoM7vPJwbne3/hNFaEtJ5LLtd76u
-cZI8SnMFQzRj5ltjbyh0ITb0jkEdXe6QXOlhtY05lm42KjkI1aoTcSOyr6weSYNs
-CtVLbIVPKEX2PAufbUGZ6sxmv0/Vyg+JSsaChLld47l8En2v+tFqKRw8gFvTzN3J
-sO21ZSEgTTNBe2Qn0nx63ttvz/8F++mrPtRcY2idkgiSVJVb6zh//g8kpTT8OPgP
-z8lPuaF6kcQG+mL8lHYv0kTY5WQ8mc4oDHfVSj107d2aa7fO0vCRKiqv08+AWw5m
-7sLyEwRuA8hJEX3rl3Z38Z/z
-=gZCX
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxAbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv9xQQALSpP1xklc9UjGzlSpTo
+2owWykX02TVDqd7a57jEFpak6F9sJ1B83jrkEQVIGjBGQpTIWYt/C34QEzeo502F
++dqfqXr32MyudPDq+lsWB7HhafG/gktTDpibJrQkqPDdTc+TwzzhoHxGAdckAMsr
+vCqnUF6UmtmTzQEyoQBqPGPWbVnyVboOQ0ZvKouMZdMBVlC7IvWPDlbpMEOLePTE
+NPHeuxFYbFHMUkOLq97Dhg4XTqdIG0t3n/0jA1kjCDvJWDbXpR1bPy1USTNxHO35
+xjeZshL2IWXDJSxLFBNE+cNFwg4dyp5vXcQXh3HtyMC9PMPMyIbJT7zQluV3CVI7
+9gC6MMH7QiLssj5hJqMSXccrNzkag6Alu9ET5A/NtoGjyogbXmIPsQ9hLAqf/c9v
+5m4O86dlHBL/JsGcPqsGw3+gucqgso2gy4yQ8h1GqGwNGv440TMAHRz5eAu+qOZq
+tDxo3OqK3HIEoChiQaRZp5bc/p0L1Rfka10J0HmIxB2KkdHEjdMn5SBsEYRsIv5v
+Sp34rl0cLm0oHraIQ0jNVTwZetrxl4CMIAexHYO1hJ+jZDRdBQ5CC7S83+t2Tbnu
+JgRsm6A+1TZfWsaflIx9ga42DEndXgqpmdrtjIFoO1zNQjrvcd3sqJH6GTMNdywg
+2woyv6Bb/bwINWDE7EhicoJl
+=WJPW
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-26:29.ip6_multicast.asc b/website/static/security/advisories/FreeBSD-SA-26:29.ip6_multicast.asc
index 0b94ee40e8..35cfb1e197 100644
--- a/website/static/security/advisories/FreeBSD-SA-26:29.ip6_multicast.asc
+++ b/website/static/security/advisories/FreeBSD-SA-26:29.ip6_multicast.asc
@@ -1,166 +1,164 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:29.ip6_multicast Security Advisory
The FreeBSD Project
Topic: Use-after-free bug in the IPV6_MSFILTER socket option handler
Category: core
Module: ip6_multicast
Announced: 2026-06-09
Credits: Andrew Griffiths at Calif.io
Credits: Maik Münch
Affects: All supported versions of FreeBSD
Corrected: 2026-06-09 19:17:32 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:10 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:47 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-06-09 19:17:49 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:09 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:39 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-49412
This vulnerability was independently reported by multiple parties prior to
publication.
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD's IPv6 multicast subsystem supports source-specific multicast
filtering via the IPV6_MSFILTER socket option. This option, set with
setsockopt(2), allows applications to specify which remote hosts are
permitted to send to a joined multicast group.
II. Problem Description
The kernel handler for IPV6_MSFILTER dropped a serializing lock in order
to copy the source-filter list from userspace, then reacquired the lock.
During this window another thread could free the multicast filter
structure, leaving the handler with a stale pointer to freed memory.
III. Impact
An unprivileged local user can exploit this use-after-free to escalate
privileges.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.1]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch.asc
# gpg --verify ip6_multicast-15.1.patch.asc
[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch.asc
# gpg --verify ip6_multicast-15.0.patch.asc
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch.asc
# gpg --verify ip6_multicast-14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ ce2b95932ec2 stable/15-n283885
releng/15.1/ 3d80e4aec3c1 releng/15.1-n283554
releng/15.0/ ed4692b8226e releng/15.0-n281056
stable/14/ 522182827ea1 stable/14-n274314
releng/14.4/ a7062a6de005 releng/14.4-n273718
releng/14.3/ e6859453de61 releng/14.3-n271518
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
-
-
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiVobFIAAAAAABAAO
-bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvzggP/ipDAfSQ5xRpZGeiUPi1
-9/cC+tIvnbGLcq+KY99kB6bRKw4QZoWuvHs1Eiq5cQ5ayTDYdTOGjkH8VsOIVdTH
-yiahtW+zpd4VRIDZqF4aZu0mH3U+FZ0bOwcooCwLVQ8Z4vn8De4hc002Vub52O0B
-xiFNuNdjV5G6exX1M5z/pPpJ8CCuE3iHh3B4fVg3/dnamwrL8BrCkJJ6FU7bx0r3
-nygPWTDXeY8bNSip+BGA8r4k+L5wYD/1kRoE02bmcwEBsvLxVJ4mPZ90IFhqjLji
-cZJbNPSepOSp/vsR+HZIXCXT4Qp3znLUzrN6CppqLMFPWWFHKd70mjaogOT0mIAo
-j3tIw3pltpIzXdBLJhBRNCB68FG5SeKRDUUn043z9GSuRZ33H3ubEuHKB8YHHxZw
-9tLhDAvXx0zPeXoa9RlC3xhllI6leI5THI+cTzULd3WUIHJDasc6gEZ+u7qGjEqB
-oWlfq+xYNg88mSk+cEys8Fmgv3NNnWgKgWtV2omAW4sxxJQWobo5ZORPq4TZhKIE
-MqLOLmYcE9N0YLEEdutSDnlJl6qLHIO6kCzqa1YbiKMUf05MnKCrC/YRGmid1wPW
-yqrY++maJo0CyseKqKVM+uJmft07CLhIyJeqL4I9vLLun1+JpzphjFkuHs9TNYNc
-aCF6nBYuVBRDwUawohxo8EDb
-=BPGK
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxMbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7wUP/30Oo0Z61lnOg4P7VBtk
+K6bljtcQ0SoiW++eWtX2TFHqCrcNS0qPSxQFVKDkkUf2Wx9M/zfkhUWnTpAwbQdB
+m+8bUN8CGEjhvAihfKgCAQZGSqcVq8A2km+JgFpc9ehZ3RjnjFQ0DYZTOh1goZiQ
+TPsWf8NwKQfed1LhQcDLp0hw7R4//wBICfluzFvLDqPG7TtcAvcJN04jrmd6XCaY
+zddGXzWvrPGuRPY7/xgiwg26B4yK/OwzOJ0uBzBGLGzkuUKJjZgzot3kVy7WmTVw
+iWKRChKQiakM+hkf/xi3CZiyUVGdlxd5GDWxJ8HvaNkYtk/iRzvalVMkSrZNdnaJ
+rVMCmt0d+PxD6+2xORikqn+FiYNc+5gUB64O9t74+L1/XMtM0IWz/g2Zs66qding
+0gABccQX5217YvZK8fubpihEPF7NCNblfikIZbdWYwmMk7azQ93tTO0ySCpuzIVX
++OJWR2QRrz004ohwgl9peBfcDEvbxN5KEovVDt/QTZ1JGKQ8AeiJCd7JZsNP1zMw
+SAOof6EyOEzuilT8JDmOXhnXptOVwCG470bD9rYL3O6apFfcWqFVh+5njEaGMrBf
+8W381AnPDmkEROxj3fzJkM7Xik64aJrHgLGFuHZAQ1Yjpr+SrJRKcdHx295qFp4a
+m+8DOaIYeHuOhRTGRLMubJIj
+=uFAo
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-26:30.linux.asc b/website/static/security/advisories/FreeBSD-SA-26:30.linux.asc
index daf88f29c3..6249b33b3a 100644
--- a/website/static/security/advisories/FreeBSD-SA-26:30.linux.asc
+++ b/website/static/security/advisories/FreeBSD-SA-26:30.linux.asc
@@ -1,161 +1,159 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:30.linux Security Advisory
The FreeBSD Project
Topic: Flaw in Linuxulator execution of setugid binaries
Category: core
Module: linux
Announced: 2026-06-09
Credits: Minseong Kim of NSHC Red Alert Labs
Affects: All supported versions of FreeBSD
Corrected: 2026-06-09 19:17:33 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:11 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:48 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-06-09 19:17:50 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:11 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:40 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-49413
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD provides a Linux system call emulation layer through a loadable
kernel module, referred to as the Linuxulator. This allows users to run
unmodified Linux binaries on FreeBSD.
When the kernel executes a set-user-ID or set-group-ID Linux binary, it
passes the AT_SECURE flag in the ELF auxiliary vector to tell the runtime
linker (typically, glibc) to disable dangerous features such as
LD_PRELOAD. glibc's runtime linker relies on this setting and in
particular does not query the kernel to determine whether it is loading a
set-user-ID or set-group-ID executable.
II. Problem Description
The Linuxulator determined whether a binary was set-user-ID or
set-group-ID by checking the P_SUGID process flag. During execve(2), this
flag is not yet set at the point where the auxiliary vector is
constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and
set-group-ID executables.
III. Impact
An unprivileged local user can inject a shared library via LD_PRELOAD into
a set-user-ID or set-group-ID Linux binary, gaining the privileges of that
binary.
IV. Workaround
No workaround is available. Systems that do not have either linux.ko or
linux64.ko loaded, or which do not have any Linux executables with the
set-uid or set-gid bits set, are not affected.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch
# fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch.asc
# gpg --verify linux.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 3ac9726c4269 stable/15-n283886
releng/15.1/ a4d36c975be0 releng/15.1-n283555
releng/15.0/ 0b18ec59972b releng/15.0-n281057
stable/14/ ff411cc40cd4 stable/14-n274315
releng/14.4/ 3fe092282025 releng/14.4-n273719
releng/14.3/ 0dcf9bba4b9f releng/14.3-n271519
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
-
-
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiV8bFIAAAAAABAAO
-bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv0FIP/02OEBY45obFssFGRdG6
-60cczCoWvrZpV+bbWLDk3LGN69HMUfE2bGAaWDfPvjDU+oOGmmp1bqhG3oQ/ZJ51
-aJ1GrXCna2t+b5R2Eo8/BsP1SeKgRYgClY8Q4yaasiBnor0XILLHSYEjqidEy9ks
-nYm4LFFjpsiV/Q/DeNNrWyApL2w/egmSyKaLQGlkJY5iLEBY8BNBbvLhqr1YeZ6X
-L1YgYgJ9lenfrid5jOWxdjZsAfujYLZC2/dlHYWgDt9sPny2b8X7gzKZ0XIfXRS1
-r2PvmX/V1oIwP/3bIBK3YiuJJTlIqhE6xiLhCpEvgTQbVi7Zb3PTMrjA1f8y0zx1
-yYVjFbiodubLknsyp/IfT8U7J/dfNR0JJkLxDLhfHBCxOSEpOSBR1PEvXGZLK44G
-uXbaeZU2eR4VnQa+4nSwx00+OKoHbabvCr/c12Mxf8OFx3+uX5S+cl8N0GRYc9GY
-w/ZK1mOucoj0zvtD+UAmvvT+QYemAg6WVUuCekj6uRjXuO4YX/x5BkbFqn6AebVN
-wd3VDsxuoWsoxqFdOywQLcDVkgldAlAqAxrdkVJziEsZctvuW/jwZViqcggwqct0
-UG7Zc/dYf1uKMgAhMjXJM2zsrEG4UKMEJM1ztIt9aOpxNKEsULeldN1tfMagVf/u
-3qjP0UV0iTl+KjCvpuDbxL5q
-=prFi
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxUbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv0MEQAI764nJgo/wT5iqrDJrx
+F4G4LlMCqgxEB82jU48GEvy2/vbjp+nsB7hpQW/LnANWBmbbZzFUutXEqLcZKZp1
+eE8ZoSoqTbCw82t7GJGcNrIt3+woBgW8IGb/onL4VxiVuFPEU/0GnJ8nwwOa9LGL
+LjdtvRcXaKVnWWqIDUq25cuz6+yBu5UIDWTbSHFeWr8swVhKA5Vjt1wKTXekFJhy
+qtEVWv8Jm5nb0C17eRYo8AY/nGh1DZv7LdJNc4dAZyy3H+QNDH7P7atYvyU06pvD
+Q+YNH6HENqqkGvg0YAYqrol+5me82oIK/Sz66b3VBYiBLD4FX8LaJePOfhSoKof4
+f9Tk6lvpouJOmOETwZX2sAYrGDh/LMd+l/Np7vDMhQSrow4+0CDNHSI3yur8Kfkf
+I6pyEC3iCVi6x/xsQ2AjInMCz+Pw+YpKLKGJLyNT9hKqidQq2ebTBe86GMzPZtAM
+OdJ7rRMIXt2QNJmovverYVMBVBd8rXBVn//gB8Uu5CyjHG3jN/f/Rc1BhADgBS3R
+H1KOBxIOl3CzXU5GLxSEniI7czyeY2q9paWwddPR0BK0mqF6IP31OEekc0irRmjC
+damqozUiNlFFP7rC2fj2eVbhrowrtVSpo4D4oEsI6EPkVB3A67+Pq0untDa096gc
+X86EUvnyRijJsIl5JXb+OJoT
+=4LUk
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-26:32.elf.asc b/website/static/security/advisories/FreeBSD-SA-26:32.elf.asc
index 3f6624e5b6..61d27529b4 100644
--- a/website/static/security/advisories/FreeBSD-SA-26:32.elf.asc
+++ b/website/static/security/advisories/FreeBSD-SA-26:32.elf.asc
@@ -1,169 +1,167 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:32.elf Security Advisory
The FreeBSD Project
Topic: ASLR bypass for setuid executables via procctl(2)
Category: core
Module: kernel
Announced: 2026-06-09
Credits: Synacktiv
Affects: All supported versions of FreeBSD
Corrected: 2026-06-09 19:17:35 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:13 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:51 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-06-09 19:17:53 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:13 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:43 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-49414
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Address Space Layout Randomization (ASLR) randomizes the base addresses
of executable images and shared libraries in a process's address space.
FreeBSD enables ASLR by default for Position-Independent Executables
(PIEs).
The procctl(2) system call allows a process to set per-process ASLR
preferences, including force-disabling randomization. When a setuid or
setgid binary is executed, the kernel is expected to ignore any such
user-set preferences if they come from an unprivileged user.
II. Problem Description
The ELF image activator cleared per-process ASLR preference flags for
setuid binaries after the code that computes the PIE base address,
rather than before. As a result, a user-requested ASLR disable was
still in effect at the point where the base address was chosen.
III. Impact
An unprivileged local user can disable ASLR for a setuid PIE binary by
calling procctl(2) before execve(2). This makes exploitation of any
separate memory corruption vulnerability in that binary significantly
easier.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-15.patch.asc
# gpg --verify elf-15.patch.asc
[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.4.patch.asc
# gpg --verify elf-14.4.patch.asc
[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.3.patch.asc
# gpg --verify elf-14.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ e1cdc49846c1 stable/15-n283888
releng/15.1/ 796579bcfbc4 releng/15.1-n283557
releng/15.0/ 6e51dfc401e7 releng/15.0-n281059
stable/14/ e417948e6139 stable/14-n274317
releng/14.4/ 547fc2a98a24 releng/14.4-n273721
releng/14.3/ 744f62ccbf82 releng/14.3-n271521
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
-
-
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-iQJOBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiWcbFIAAAAAABAAO
-bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvtGUP+Jh8FMrCt+it7CdyH8cc
-dcSCDxVeRn66y86KrEekoSN4qUKimJaI+WjPm75XnIIdKvNPro3zQYSjboS6cvVF
-byRJFUK+MPqpQYoW2zrSdZ8c7ar/GPqbxUkbzsB9DlMrCwjMSybPudFyHgyc5gxs
-KRidP1k8PHMegOt4/x3iQVtm0UpyWJGOrvVwmyKXRVdvvd9c2oRWYXiR78x1vCT3
-mrh202B/bTwBoXQaMiVlVSnMFyeU1KTLvr3lSxeT/nSKuiPJoVngx6pv6PE8/+dd
-MFFyY8AN7n8O4b3zy6/6E0KjNMtyvx64RqxImlifYxudnUbdIAbQlmtgh08zWD/g
-78lN1tsnnXgTPOoLkXFdAAa4tUCrdi4eZOMOoy30BUYsritGav7QzcMAcAHFzxSs
-ySv4MzSn7A27QI2Dq2dM5qLCtIdbWKQsa9mC1sOUFjPbR70EvhJGbAb5WUw7gzdm
-+DQnDkmfEm2HwnzbzRZxDdnLB8Crb+0tv0SvTyJbywJ+KuomOzvTAfHNM2Q36+VO
-j8p/9FgbC9gw7UMScsoF3VWT2/tTh8ElYQ9I+cnKpbpD+VCG9JPwrND5IvC0b3pt
-uJLh3xXgggXFCDbeBfJ2WBeczmhtwtviz7sa226jlpWEMnM0IZyJOiGLQwzSv7HG
-UqyCxvNWaTDy973R+pj6i68=
-=FYrH
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxcbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvzjAP/izsPLlrhPmUVbO6pLVA
+22HiuxV4URIIzMe4SbVa8ALyWM85TNAKjRUyr7VwAslFvfzRCtL0o/w0Fypsvoss
+a4jpiC8QHjeUFlRz6fmYq4sgHZdi/sz0zOmGKHVYiCA1Jdrp1tM4NxkKeDquc61d
+iD1yulnjkr8axb4gv4Y/C1McT7fvECbiaK9ni/vgwwluy0cqRIz7rPe8NrAD6pYn
+1WPgkHmGeNwpIhPHbBd9WCoQNiU+BLyNyuFASWjZWiIMiMwCKQdvm0qVJ1fPWxeP
+2GxxpWfoftwDkRy1/tURs0dVuI+Ko40sTFKiUVUMyOu0ndnyuR8VGICWlwA903yY
+N05s8R65FpXJbERu3Bc4HO+fKzQxCqWocgcUHBI9VO9QGIcNRR1S1PgkltNUI0wI
+KTJith+ru6XFRK5ts74cBR7i2p2r+cVFs/FyzXXP1v4A1U+Fe6PwwdhWdwJy9r4s
+aOJPh5b5Go2BvRayptPt+18vdXm8N4L1xk94lk/h9X6lrMe9+WhWnH1BUnMD3dVm
+m8mSczWkkveFNiEfj3WGdbTlpVvXUqHdwIx+v2obj0fBUDkg9r1M2ZZjaW3DEPM9
+aLOrjdK9t+ntJyNBQCnNCRZFaiFGHK9bdEjm9WhyfMAnxoKg1hNhzhq+jyxrPDZY
+OY6FBpNTQ9NhGUkgpkgArAEj
+=unW5
-----END PGP SIGNATURE-----
diff --git a/website/static/security/advisories/FreeBSD-SA-26:35.openssl.asc b/website/static/security/advisories/FreeBSD-SA-26:35.openssl.asc
index c5fbcc1945..888a4e24b1 100644
--- a/website/static/security/advisories/FreeBSD-SA-26:35.openssl.asc
+++ b/website/static/security/advisories/FreeBSD-SA-26:35.openssl.asc
@@ -1,208 +1,208 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:35.openssl Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in OpenSSL
Category: contrib
Module: openssl
Announced: 2026-06-09
-Credits: XX
+Credits: See linked vendor advisory in References section
Affects: All supported versions of FreeBSD.
Corrected: 2026-06-09 19:17:36 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:15 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:54 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-06-09 19:17:54 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:16 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:46 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2026-7383, CVE-2026-9076, CVE-2026-34180,
CVE-2026-34181, CVE-2026-34182, CVE-2026-34183,
CVE-2026-42764, CVE-2026-42766, CVE-2026-42767,
CVE-2026-42768, CVE-2026-42769, CVE-2026-42770,
CVE-2026-45445, CVE-2026-45446, CVE-2026-45447
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a
collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit for the Transport Layer Security (TLS) protocol. It is
also a general-purpose cryptography library.
II. Problem Description
Multiple issues have been reported as part of this advisory with different
issues affecting different OpenSSL versions and therefore different FreeBSD
versions. Instead of exhaustively listing detailed writeups for each issue,
please see the referenced advisory from OpenSSL.
Issues affecting FreeBSD 15.x (OpenSSL 3.5):
CVE-2026-7383 - Possible heap buffer overflow in ASN.1 string conversion
CVE-2026-9076 - Out-of-bounds read in CMS password-based decryption
CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing
CVE-2026-34181 - PKCS#12 files with PBMAC1 accepted with short HMAC keys
CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages
CVE-2026-34183 - Unbounded memory growth in the QUIC PATH_CHALLENGE handler
CVE-2026-42764 - NULL dereference in QUIC server initial packet handling
CVE-2026-42766 - Possible NULL dereference in password-based CMS decryption
CVE-2026-42767 - NULL dereference in CRMF EncryptedValue decryption
CVE-2026-42768 - Bleichenbacher oracle in CMS_decrypt() and PKCS7_decrypt()
CVE-2026-42769 - Trust-anchor substitution in CMP rootCaKeyUpdate handling
CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q
CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path
CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes
CVE-2026-45447 - Heap use-after-free in PKCS7_verify()
Issues affecting FreeBSD 14.x (OpenSSL 3.0):
CVE-2026-7383 - Possible heap buffer overflow in ASN.1 string conversion
CVE-2026-9076 - Out-of-bounds read in CMS password-based decryption
CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing
CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages
CVE-2026-42766 - Possible NULL dereference in password-based CMS decryption
CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q
CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path
CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes
CVE-2026-45447 - Heap use-after-free in PKCS7_verify()
III. Impact
The issues include heap buffer overflows and over-reads, NULL pointer
dereferences, a use-after-free, unbounded memory allocation, and several
cryptographic flaws permitting message forgery, integrity bypass, or
recovery of a private key.
Security impact ranges from a Denial of Service to a potential remote code
execution. See the OpenSSL advisory for specific details.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch.asc
# gpg --verify openssl-15.patch.asc
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch.asc
# gpg --verify openssl-14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in .
Restart all daemons that use the library, or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 865c8ff56693 stable/15-n283889
releng/15.1/ 083bb80a125a releng/15.1-n283559
releng/15.0/ 0d6ccbb7524f releng/15.0-n281062
stable/14/ ec6bfa889b83 stable/14-n274318
releng/14.4/ 1929d9e173e5 releng/14.4-n273724
releng/14.3/ dd3096b4efe6 releng/14.3-n271524
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiXEbFIAAAAAABAAO
-bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv4HoP/iVj8j9S8nEcYqlZ1Sl4
-OWduy3w8BZXfeRdmJHT9cuAMDxpbkFENbeNobnlCa/VeJ96csXb3fL61ZhxkfDZo
-VlQGaD7STKgezHzCfFD//jWLNiwditqfvWyZP7vu9oLzhz2oMIAn2fJ4uiQ1R11T
-f1iWR0KXIaLQOpa4aLg7taZxpgHvNiwYNRLjuixlKfid+mLUuZEDhZCLD0Q/P66F
-+kXo46aVtcSC6ZaBfMQ7G0lWP/UB0lpVAWEjZSgOMfSkBdecJF87qhTuzabYU0aA
-mlZfxH2M+NScr95GX6T3XzXdki6NVHT6eM8YKckIrEARzO+yoYGFO3Oz9rRua8k1
-lhEyqqTyIkGEGzvOm0pwb8drP3PMDkFNCeGhm372N5fDY9a31cxBpRaT1E5nFze1
-MdTHDXi5qnjwuc1EHvACOg7fxHDhmZkn04HXW0wS4fHMGfvs3GNmNiFZh7u2Fm9I
-WKimI+3fP6bL32P1J8ThRdwLnm8UQwHGj5yQ+8Gsa3gHEcnPpW6sAXppMQuZhRHJ
-E1WYeejCdL0YjsTf/h9LfZL/kFsu0ZOPzBGFucmRNFtt/tG8D3U8qdeKDNibwPM1
-pZp2wEoW0Hzf4UAC+vP9pFiiEJmcjg4KkLGDbwJb5bKrMVrbD9mtzyxkTi3/9h78
-B7dWV8uVqkUR4ef8FdJZFE3u
-=X4Lu
+iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxkbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvIjEQALlvtT/r8WJ72cw03AZP
+1qPNWibqFxrMccV/fEtVq2csUzMkSq6PvgK3ZZoKgh8e2whpJkEULxRJ5Th8IEoD
+McbPdU4+zgqcehfmH6mvuv/yshDJLe0U2iLFSTbzgbx8xe0XRyWJlutlNXSZmLvo
+N87HGEtO/gXCXJxZuWFDE4JfO/bECn8wgZ468AD+OMwKRnx13hszmqKnp4cn/bZ8
+764BqDsyweCBSVbW7AC0A5/BP7e+S+eOGHDSDqm48Jxk8eVsEVvw5wEo7DMLQgQw
+/kHc9BSiQ6HPgMvjDryUzX/FhF3El3sKQxkUXNFGcYk8yChTEVtD1C+zf3FACQJA
+ZTeDNgJelmeJdK7uzrJtX/8Laozma0+x1+2+YrY+Y1aCqOZ0iicmlytZHRHgZc3R
+riEEJdw3nlV6r43WtwBYjJNyOIiqPusYK8K0/RLnMeMtS+mwjjNjGxqcHdFPbSa7
+Xjs4zSAHgkg9NHMwD4S+F+upRZ3yVoZOvIDtqUKO85Mf70OYHHoaZJE4Q7mIPDyE
+CbtpeaNpjSkujTR5/Us4JgxRfDqDGyyER/Ub1yZl8uuhKNU7QuOWRQMTeIXp42Es
+uClHfLQz5Dvmwy7muDfg5cY0R/F9whvpwSOmILrsViBjcygkzFY9lE1ufW685vbH
+1srvsOXI5oN55cZrX4+H6G17
+=UV/w
-----END PGP SIGNATURE-----