diff --git a/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc b/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc index f3bb91d1b7..5ab0b57512 100644 --- a/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc +++ b/website/static/security/advisories/FreeBSD-EN-26:15.openssl.asc @@ -1,188 +1,187 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-26:15.openssl Errata Notice The FreeBSD Project Topic: Update OpenSSL to 3.0.20 and 3.5.6 Category: contrib Module: openssl Announced: 2026-06-09 Affects: All supported versions of FreeBSD. Corrected: 2026-04-12 02:15:10 UTC (stable/15, 15.0-STABLE) 2026-06-09 19:19:33 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-04-13 00:12:11 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:18:58 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:25 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-2673, CVE-2026-28387, CVE-2026-28388, CVE-2026-28389, CVE-2026-31789, CVE-2026-31790 For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit for the Transport Layer Security (TLS) protocol. It is also a general-purpose cryptography library. II. Problem Description The OpenSSL releases included with the affected FreeBSD versions predate OpenSSL 3.0.20 (FreeBSD 14) and 3.5.6 (FreeBSD 15). This update imports the current upstream point release on each branch. The import resolves several issues affecting different OpenSSL versions, and therefore different FreeBSD versions. Instead of listing detailed writeups for each issue, please see the referenced advisory from OpenSSL. Issues affecting FreeBSD 15 (OpenSSL 3.5): CVE-2026-2673 - DEFAULT keyword corrupts the key-agreement group list CVE-2026-28387 - Possible use-after-free in DANE client code CVE-2026-28388 - NULL dereference when processing a delta CRL CVE-2026-28389 - NULL dereference processing CMS KeyAgreeRecipientInfo CVE-2026-31789 - Heap buffer overflow in hexadecimal conversion CVE-2026-31790 - NULL dereference processing CMS KeyTransRecipientInfo Issues affecting FreeBSD 14 (OpenSSL 3.0): CVE-2026-28387 - Possible use-after-free in DANE client code CVE-2026-28388 - NULL dereference when processing a delta CRL CVE-2026-28389 - NULL dereference processing CMS KeyAgreeRecipientInfo CVE-2026-31789 - Heap buffer overflow in hexadecimal conversion CVE-2026-31790 - NULL dereference processing CMS KeyTransRecipientInfo III. Impact The issues include missing input validation, NULL pointer dereferences, a use-after-free, and a heap buffer overflow. Impact is generally limited to a crash and a Denial of Service. See the OpenSSL advisory for specific details. IV. Workaround No workaround is available. V. Solution Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. A reboot is required following the upgrade to ensure that all applications and kernel code are rebuilt with the updated OpenSSL-provided code. Perform one of the following: 1) To update your system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for an erratum fix" 2) To update your system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for an erratum fix" 3) To update your system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-15.0.patch # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-15.0.patch.asc # gpg --verify openssl-15.0.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.4.patch # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.4.patch.asc # gpg --verify openssl-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.3.patch # fetch https://security.FreeBSD.org/patches/EN-26:15/openssl-14.3.patch.asc # gpg --verify openssl-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 51a80be04fe6 stable/15-n282933 releng/15.0/ 0f6e90c4cc4f releng/15.0-n281050 stable/14/ 27ac9d336f71 stable/14-n273945 releng/14.4/ 1bfe60bae8b8 releng/14.4-n273712 releng/14.3/ d95a8c20f3bc releng/14.3-n271512 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References - The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiTUbFIAAAAAABAAO -bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7GgP/Rlmd7bwJWjqt05Rdw+u -QEJnicVJ4PaoXKlDOxyZ5e8N24tV2MImhgxb1lIS0EluYSVYw8dN0jMymgAK0qxJ -W0UfgE05tOvEncUmAM62Rm+aQCljP9xu65CNcYkP4JJ3Rx+ebPugi6hbXwH4jlgG -PIL1E0WJrOQhC/ZhJ79kU4yRTy5Lo1CRNQ54z+84nV81xWiKDrHoGlFzcr491xZv -E+MysddGPq8o/YhuAR0aG/dokUbNsdBpak0zzXTAPQxCHO/MmnTRg3I+iWIhyTkp -y+vq10xqZaZVOmumlsn6hbyDTcCyWP6uFwvk2KS0xLW1JU+PjYPmo9yJF64HD0ic -IWEW2GQ1wCk0N/JKoUZIkW+Xnz2dOZtpYm05hgJyqaNcyUqZ1rHUpE2nTkgUlGMk -NX+kroBqwqEy/+UZUa6b2B5sWDw/sOe7q08moso8ayXgM3/cvVpxh7x0o2SUC0jq -IZd7y5HvvNqVnhAapSFFiQQ2LZNohcR5z8QSLf+ksr20nh+4841dSEry6s9iZxMD -EMtx2JmFfLhsEOAyG4EoKHJnSIIcpDScqhT1xBpZLzceiOhKRWR34/TBcnkku+aR -/zehcFDZjHFkmh1ZSrzzFSLB6Ph1VUjT32jhetfcjCeYgY8J0AmCJb6HZVVNLTRl -Av4Oox3d6umxDz3LWggvJqNU -=jdTF +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolw4bFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv5ewP/3XwoJ809Y0eVU/MrvNM +VujyPzQFeMYHg9Od8AYqCfL9AsJaPPnI9sDLHLTIlwfC34ahC8xksEhfpKAoVn/9 +kSgKG8Evmb2xOxxz9mnH3cj/4IuyfvDoA7bWLI1yjdjXdm7rP9dE+nI0xktm1aeX +TkMHrpTzeR0F/M1fehjuUuYKdHzINvorKFA49fZm3GvDWogLPWGzU2fLhpHwGa8Z +D7Maxi9U+cuv5zlw6GxKHvPTJTwzLy7F9GejFEq+25YFdhvyKe7ZB8J33ttz1nlc +Ee8z/QkJM/O8/YrvX2i4ZqFmSjgOPbOrbSOiLo13Yusj1TQn/wmsuymP4Vjxf7xM +7ERML9TW1yti0ZCxriwcWUNSt7agPqP18Gjo2las1v8EVuGZ3PB/EhMmP+s0RPtd +ZhVSK7UVJiX0zrIhE5bse+2A67l71rDNLKh7pt7P2FFID2yKLDBgUjMoUbNODsvO +rOeZ09ndMQT24yrkjYM7uKHqmicQs/uBJzXItEr8NU5psKe4gIAfzrWDSl6Lg53y +yJPtEitkcGPHRwDV4fdCcauri2fiw1S8yWH6DXl/CLviAApE9w7NRpD181g0eo5E +QkRHy/rge2A9vK00KGpZsm7HPeIggdob3iK9TkYg3N+tZhBRfh7WtnQR7ZN7iMpv +J6mK8Rm9NoDASI4IXgdRR5gs +=Ocgt -----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:28.capsicum.asc b/website/static/security/advisories/FreeBSD-SA-26:28.capsicum.asc index 6c374b1c3b..5479bdfadb 100644 --- a/website/static/security/advisories/FreeBSD-SA-26:28.capsicum.asc +++ b/website/static/security/advisories/FreeBSD-SA-26:28.capsicum.asc @@ -1,193 +1,170 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:28.capsicum Security Advisory The FreeBSD Project Topic: sigqueue(2) missing capability mode restriction Category: core Module: capsicum Announced: 2026-06-09 Credits: Ed Maste Affects: All supported versions of FreeBSD. Corrected: 2026-05-29 19:11:40 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:09 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:46 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-05-29 19:12:58 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:08 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:38 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-45259 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Capsicum is a lightweight OS capability and sandbox framework. It provides two kernel primitives: capability mode, and capabilities. Capability mode restricts the ability of a sandboxed process to interact with the global namespace, including the ability to send signals to other processes, other than via capability-based interfaces. In capability mode, kill(2) restricts signal delivery to the calling process only, preventing a sandboxed process from signalling other processes. sigqueue(2) provides similar signal delivery functionality, and is similarly permitted in capability mode. II. Problem Description sigqueue(2) was marked as permitted in capability mode with the introduction of Capsicum in 2011, but the implementation of kern_sigqueue did not include a capability mode check restricting signal delivery to the calling process's own PID. III. Impact A process in capability mode can use sigqueue(2) to send signals to any process it could signal following standard Unix permissions, bypassing the Capsicum sandbox restriction. A compromised sandboxed process could interfere with other processes, for example by sending SIGKILL or SIGSTOP. This could be any process running as the same user, or any process, for a superuser sandboxed process. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base -# shutdown -r +10min "Rebooting for a security update" +# shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install -# shutdown -r +10min "Rebooting for a security update" +# shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.1] # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch.asc # gpg --verify capsicum-15.1.patch.asc [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch.asc # gpg --verify capsicum-15.0.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch.asc # gpg --verify capsicum-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch - - -c) Recompile the operating system using buildworld and installworld as -described in . - - - -c) Recompile the operating system using buildworld and installworld as -described in . - -Restart the applicable daemons, or reboot the system. - - - -c) Recompile the operating system using buildworld and installworld as -described in . - -Restart all daemons that use the library, or reboot the system. - - - c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ defd9b86ef99 stable/15-n283744 releng/15.1/ 871d33e8a66a releng/15.1-n283553 releng/15.0/ 77ee83d12625 releng/15.0-n281055 stable/14/ d11ff01b3aec stable/14-n274231 releng/14.4/ eab757f954ed releng/14.4-n273717 releng/14.3/ f56e8cb94df6 releng/14.3-n271517 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References - - The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiVUbFIAAAAAABAAO -bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv4bQP/RpYAfFW142SRvxSSRWP -505S6F5yIGc3T2xsH1Y6x7wunEjN0FaNGw5WVi/ehyP74+G7d818tuDfs+qCS3Mc -jtS/OpyZuZ2ZhqoP5iEPBH1JfiQdEDKClg9voMd7JOoorXM6blQmb1sLUdG8hM1+ -x8oedLmEnXn+8iej2qLF5i89qu2k9L3Aoh6gMCPjslDnfj8NvomMXfOO1eET9V06 -VswHU/psB7PVz3SKmfvtPIUaLHo7SnnISnoOIwEElwObTsbPokjOk+TORLBFVEB/ -EiBcaapsgcO4lsXk3nq+jwa9nMj+lUk09Ec454/m/98W2OlJCKf4nf1JzUQFnT53 -ONMhejUntzI2XQ61+h/z7nMIHhFbEdiCEuLzaoM7vPJwbne3/hNFaEtJ5LLtd76u -cZI8SnMFQzRj5ltjbyh0ITb0jkEdXe6QXOlhtY05lm42KjkI1aoTcSOyr6weSYNs -CtVLbIVPKEX2PAufbUGZ6sxmv0/Vyg+JSsaChLld47l8En2v+tFqKRw8gFvTzN3J -sO21ZSEgTTNBe2Qn0nx63ttvz/8F++mrPtRcY2idkgiSVJVb6zh//g8kpTT8OPgP -z8lPuaF6kcQG+mL8lHYv0kTY5WQ8mc4oDHfVSj107d2aa7fO0vCRKiqv08+AWw5m -7sLyEwRuA8hJEX3rl3Z38Z/z -=gZCX +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxAbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv9xQQALSpP1xklc9UjGzlSpTo +2owWykX02TVDqd7a57jEFpak6F9sJ1B83jrkEQVIGjBGQpTIWYt/C34QEzeo502F ++dqfqXr32MyudPDq+lsWB7HhafG/gktTDpibJrQkqPDdTc+TwzzhoHxGAdckAMsr +vCqnUF6UmtmTzQEyoQBqPGPWbVnyVboOQ0ZvKouMZdMBVlC7IvWPDlbpMEOLePTE +NPHeuxFYbFHMUkOLq97Dhg4XTqdIG0t3n/0jA1kjCDvJWDbXpR1bPy1USTNxHO35 +xjeZshL2IWXDJSxLFBNE+cNFwg4dyp5vXcQXh3HtyMC9PMPMyIbJT7zQluV3CVI7 +9gC6MMH7QiLssj5hJqMSXccrNzkag6Alu9ET5A/NtoGjyogbXmIPsQ9hLAqf/c9v +5m4O86dlHBL/JsGcPqsGw3+gucqgso2gy4yQ8h1GqGwNGv440TMAHRz5eAu+qOZq +tDxo3OqK3HIEoChiQaRZp5bc/p0L1Rfka10J0HmIxB2KkdHEjdMn5SBsEYRsIv5v +Sp34rl0cLm0oHraIQ0jNVTwZetrxl4CMIAexHYO1hJ+jZDRdBQ5CC7S83+t2Tbnu +JgRsm6A+1TZfWsaflIx9ga42DEndXgqpmdrtjIFoO1zNQjrvcd3sqJH6GTMNdywg +2woyv6Bb/bwINWDE7EhicoJl +=WJPW -----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:29.ip6_multicast.asc b/website/static/security/advisories/FreeBSD-SA-26:29.ip6_multicast.asc index 0b94ee40e8..35cfb1e197 100644 --- a/website/static/security/advisories/FreeBSD-SA-26:29.ip6_multicast.asc +++ b/website/static/security/advisories/FreeBSD-SA-26:29.ip6_multicast.asc @@ -1,166 +1,164 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:29.ip6_multicast Security Advisory The FreeBSD Project Topic: Use-after-free bug in the IPV6_MSFILTER socket option handler Category: core Module: ip6_multicast Announced: 2026-06-09 Credits: Andrew Griffiths at Calif.io Credits: Maik Münch Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:32 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:10 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:47 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:49 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:09 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:39 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49412 This vulnerability was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD's IPv6 multicast subsystem supports source-specific multicast filtering via the IPV6_MSFILTER socket option. This option, set with setsockopt(2), allows applications to specify which remote hosts are permitted to send to a joined multicast group. II. Problem Description The kernel handler for IPV6_MSFILTER dropped a serializing lock in order to copy the source-filter list from userspace, then reacquired the lock. During this window another thread could free the multicast filter structure, leaving the handler with a stale pointer to freed memory. III. Impact An unprivileged local user can exploit this use-after-free to escalate privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.1] # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.1.patch.asc # gpg --verify ip6_multicast-15.1.patch.asc [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-15.0.patch.asc # gpg --verify ip6_multicast-15.0.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:29/ip6_multicast-14.patch.asc # gpg --verify ip6_multicast-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ ce2b95932ec2 stable/15-n283885 releng/15.1/ 3d80e4aec3c1 releng/15.1-n283554 releng/15.0/ ed4692b8226e releng/15.0-n281056 stable/14/ 522182827ea1 stable/14-n274314 releng/14.4/ a7062a6de005 releng/14.4-n273718 releng/14.3/ e6859453de61 releng/14.3-n271518 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References - - The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiVobFIAAAAAABAAO -bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvzggP/ipDAfSQ5xRpZGeiUPi1 -9/cC+tIvnbGLcq+KY99kB6bRKw4QZoWuvHs1Eiq5cQ5ayTDYdTOGjkH8VsOIVdTH -yiahtW+zpd4VRIDZqF4aZu0mH3U+FZ0bOwcooCwLVQ8Z4vn8De4hc002Vub52O0B -xiFNuNdjV5G6exX1M5z/pPpJ8CCuE3iHh3B4fVg3/dnamwrL8BrCkJJ6FU7bx0r3 -nygPWTDXeY8bNSip+BGA8r4k+L5wYD/1kRoE02bmcwEBsvLxVJ4mPZ90IFhqjLji -cZJbNPSepOSp/vsR+HZIXCXT4Qp3znLUzrN6CppqLMFPWWFHKd70mjaogOT0mIAo -j3tIw3pltpIzXdBLJhBRNCB68FG5SeKRDUUn043z9GSuRZ33H3ubEuHKB8YHHxZw -9tLhDAvXx0zPeXoa9RlC3xhllI6leI5THI+cTzULd3WUIHJDasc6gEZ+u7qGjEqB -oWlfq+xYNg88mSk+cEys8Fmgv3NNnWgKgWtV2omAW4sxxJQWobo5ZORPq4TZhKIE -MqLOLmYcE9N0YLEEdutSDnlJl6qLHIO6kCzqa1YbiKMUf05MnKCrC/YRGmid1wPW -yqrY++maJo0CyseKqKVM+uJmft07CLhIyJeqL4I9vLLun1+JpzphjFkuHs9TNYNc -aCF6nBYuVBRDwUawohxo8EDb -=BPGK +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxMbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv7wUP/30Oo0Z61lnOg4P7VBtk +K6bljtcQ0SoiW++eWtX2TFHqCrcNS0qPSxQFVKDkkUf2Wx9M/zfkhUWnTpAwbQdB +m+8bUN8CGEjhvAihfKgCAQZGSqcVq8A2km+JgFpc9ehZ3RjnjFQ0DYZTOh1goZiQ +TPsWf8NwKQfed1LhQcDLp0hw7R4//wBICfluzFvLDqPG7TtcAvcJN04jrmd6XCaY +zddGXzWvrPGuRPY7/xgiwg26B4yK/OwzOJ0uBzBGLGzkuUKJjZgzot3kVy7WmTVw +iWKRChKQiakM+hkf/xi3CZiyUVGdlxd5GDWxJ8HvaNkYtk/iRzvalVMkSrZNdnaJ +rVMCmt0d+PxD6+2xORikqn+FiYNc+5gUB64O9t74+L1/XMtM0IWz/g2Zs66qding +0gABccQX5217YvZK8fubpihEPF7NCNblfikIZbdWYwmMk7azQ93tTO0ySCpuzIVX ++OJWR2QRrz004ohwgl9peBfcDEvbxN5KEovVDt/QTZ1JGKQ8AeiJCd7JZsNP1zMw +SAOof6EyOEzuilT8JDmOXhnXptOVwCG470bD9rYL3O6apFfcWqFVh+5njEaGMrBf +8W381AnPDmkEROxj3fzJkM7Xik64aJrHgLGFuHZAQ1Yjpr+SrJRKcdHx295qFp4a +m+8DOaIYeHuOhRTGRLMubJIj +=uFAo -----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:30.linux.asc b/website/static/security/advisories/FreeBSD-SA-26:30.linux.asc index daf88f29c3..6249b33b3a 100644 --- a/website/static/security/advisories/FreeBSD-SA-26:30.linux.asc +++ b/website/static/security/advisories/FreeBSD-SA-26:30.linux.asc @@ -1,161 +1,159 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:30.linux Security Advisory The FreeBSD Project Topic: Flaw in Linuxulator execution of setugid binaries Category: core Module: linux Announced: 2026-06-09 Credits: Minseong Kim of NSHC Red Alert Labs Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:33 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:11 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:48 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:50 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:11 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:40 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49413 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD provides a Linux system call emulation layer through a loadable kernel module, referred to as the Linuxulator. This allows users to run unmodified Linux binaries on FreeBSD. When the kernel executes a set-user-ID or set-group-ID Linux binary, it passes the AT_SECURE flag in the ELF auxiliary vector to tell the runtime linker (typically, glibc) to disable dangerous features such as LD_PRELOAD. glibc's runtime linker relies on this setting and in particular does not query the kernel to determine whether it is loading a set-user-ID or set-group-ID executable. II. Problem Description The Linuxulator determined whether a binary was set-user-ID or set-group-ID by checking the P_SUGID process flag. During execve(2), this flag is not yet set at the point where the auxiliary vector is constructed, so AT_SECURE was incorrectly set to zero for set-user-ID and set-group-ID executables. III. Impact An unprivileged local user can inject a shared library via LD_PRELOAD into a set-user-ID or set-group-ID Linux binary, gaining the privileges of that binary. IV. Workaround No workaround is available. Systems that do not have either linux.ko or linux64.ko loaded, or which do not have any Linux executables with the set-uid or set-gid bits set, are not affected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch # fetch https://security.FreeBSD.org/patches/SA-26:30/linux.patch.asc # gpg --verify linux.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 3ac9726c4269 stable/15-n283886 releng/15.1/ a4d36c975be0 releng/15.1-n283555 releng/15.0/ 0b18ec59972b releng/15.0-n281057 stable/14/ ff411cc40cd4 stable/14-n274315 releng/14.4/ 3fe092282025 releng/14.4-n273719 releng/14.3/ 0dcf9bba4b9f releng/14.3-n271519 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References - - The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiV8bFIAAAAAABAAO -bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv0FIP/02OEBY45obFssFGRdG6 -60cczCoWvrZpV+bbWLDk3LGN69HMUfE2bGAaWDfPvjDU+oOGmmp1bqhG3oQ/ZJ51 -aJ1GrXCna2t+b5R2Eo8/BsP1SeKgRYgClY8Q4yaasiBnor0XILLHSYEjqidEy9ks -nYm4LFFjpsiV/Q/DeNNrWyApL2w/egmSyKaLQGlkJY5iLEBY8BNBbvLhqr1YeZ6X -L1YgYgJ9lenfrid5jOWxdjZsAfujYLZC2/dlHYWgDt9sPny2b8X7gzKZ0XIfXRS1 -r2PvmX/V1oIwP/3bIBK3YiuJJTlIqhE6xiLhCpEvgTQbVi7Zb3PTMrjA1f8y0zx1 -yYVjFbiodubLknsyp/IfT8U7J/dfNR0JJkLxDLhfHBCxOSEpOSBR1PEvXGZLK44G -uXbaeZU2eR4VnQa+4nSwx00+OKoHbabvCr/c12Mxf8OFx3+uX5S+cl8N0GRYc9GY -w/ZK1mOucoj0zvtD+UAmvvT+QYemAg6WVUuCekj6uRjXuO4YX/x5BkbFqn6AebVN -wd3VDsxuoWsoxqFdOywQLcDVkgldAlAqAxrdkVJziEsZctvuW/jwZViqcggwqct0 -UG7Zc/dYf1uKMgAhMjXJM2zsrEG4UKMEJM1ztIt9aOpxNKEsULeldN1tfMagVf/u -3qjP0UV0iTl+KjCvpuDbxL5q -=prFi +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxUbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv0MEQAI764nJgo/wT5iqrDJrx +F4G4LlMCqgxEB82jU48GEvy2/vbjp+nsB7hpQW/LnANWBmbbZzFUutXEqLcZKZp1 +eE8ZoSoqTbCw82t7GJGcNrIt3+woBgW8IGb/onL4VxiVuFPEU/0GnJ8nwwOa9LGL +LjdtvRcXaKVnWWqIDUq25cuz6+yBu5UIDWTbSHFeWr8swVhKA5Vjt1wKTXekFJhy +qtEVWv8Jm5nb0C17eRYo8AY/nGh1DZv7LdJNc4dAZyy3H+QNDH7P7atYvyU06pvD +Q+YNH6HENqqkGvg0YAYqrol+5me82oIK/Sz66b3VBYiBLD4FX8LaJePOfhSoKof4 +f9Tk6lvpouJOmOETwZX2sAYrGDh/LMd+l/Np7vDMhQSrow4+0CDNHSI3yur8Kfkf +I6pyEC3iCVi6x/xsQ2AjInMCz+Pw+YpKLKGJLyNT9hKqidQq2ebTBe86GMzPZtAM +OdJ7rRMIXt2QNJmovverYVMBVBd8rXBVn//gB8Uu5CyjHG3jN/f/Rc1BhADgBS3R +H1KOBxIOl3CzXU5GLxSEniI7czyeY2q9paWwddPR0BK0mqF6IP31OEekc0irRmjC +damqozUiNlFFP7rC2fj2eVbhrowrtVSpo4D4oEsI6EPkVB3A67+Pq0untDa096gc +X86EUvnyRijJsIl5JXb+OJoT +=4LUk -----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:32.elf.asc b/website/static/security/advisories/FreeBSD-SA-26:32.elf.asc index 3f6624e5b6..61d27529b4 100644 --- a/website/static/security/advisories/FreeBSD-SA-26:32.elf.asc +++ b/website/static/security/advisories/FreeBSD-SA-26:32.elf.asc @@ -1,169 +1,167 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:32.elf Security Advisory The FreeBSD Project Topic: ASLR bypass for setuid executables via procctl(2) Category: core Module: kernel Announced: 2026-06-09 Credits: Synacktiv Affects: All supported versions of FreeBSD Corrected: 2026-06-09 19:17:35 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:13 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:51 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:53 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:13 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:43 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-49414 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Address Space Layout Randomization (ASLR) randomizes the base addresses of executable images and shared libraries in a process's address space. FreeBSD enables ASLR by default for Position-Independent Executables (PIEs). The procctl(2) system call allows a process to set per-process ASLR preferences, including force-disabling randomization. When a setuid or setgid binary is executed, the kernel is expected to ignore any such user-set preferences if they come from an unprivileged user. II. Problem Description The ELF image activator cleared per-process ASLR preference flags for setuid binaries after the code that computes the PIE base address, rather than before. As a result, a user-requested ASLR disable was still in effect at the point where the base address was chosen. III. Impact An unprivileged local user can disable ASLR for a setuid PIE binary by calling procctl(2) before execve(2). This makes exploitation of any separate memory corruption vulnerability in that binary significantly easier. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-15.patch.asc # gpg --verify elf-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.4.patch.asc # gpg --verify elf-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:32/elf-14.3.patch.asc # gpg --verify elf-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ e1cdc49846c1 stable/15-n283888 releng/15.1/ 796579bcfbc4 releng/15.1-n283557 releng/15.0/ 6e51dfc401e7 releng/15.0-n281059 stable/14/ e417948e6139 stable/14-n274317 releng/14.4/ 547fc2a98a24 releng/14.4-n273721 releng/14.3/ 744f62ccbf82 releng/14.3-n271521 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References - - The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQJOBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiWcbFIAAAAAABAAO -bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvtGUP+Jh8FMrCt+it7CdyH8cc -dcSCDxVeRn66y86KrEekoSN4qUKimJaI+WjPm75XnIIdKvNPro3zQYSjboS6cvVF -byRJFUK+MPqpQYoW2zrSdZ8c7ar/GPqbxUkbzsB9DlMrCwjMSybPudFyHgyc5gxs -KRidP1k8PHMegOt4/x3iQVtm0UpyWJGOrvVwmyKXRVdvvd9c2oRWYXiR78x1vCT3 -mrh202B/bTwBoXQaMiVlVSnMFyeU1KTLvr3lSxeT/nSKuiPJoVngx6pv6PE8/+dd -MFFyY8AN7n8O4b3zy6/6E0KjNMtyvx64RqxImlifYxudnUbdIAbQlmtgh08zWD/g -78lN1tsnnXgTPOoLkXFdAAa4tUCrdi4eZOMOoy30BUYsritGav7QzcMAcAHFzxSs -ySv4MzSn7A27QI2Dq2dM5qLCtIdbWKQsa9mC1sOUFjPbR70EvhJGbAb5WUw7gzdm -+DQnDkmfEm2HwnzbzRZxDdnLB8Crb+0tv0SvTyJbywJ+KuomOzvTAfHNM2Q36+VO -j8p/9FgbC9gw7UMScsoF3VWT2/tTh8ElYQ9I+cnKpbpD+VCG9JPwrND5IvC0b3pt -uJLh3xXgggXFCDbeBfJ2WBeczmhtwtviz7sa226jlpWEMnM0IZyJOiGLQwzSv7HG -UqyCxvNWaTDy973R+pj6i68= -=FYrH +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxcbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvzjAP/izsPLlrhPmUVbO6pLVA +22HiuxV4URIIzMe4SbVa8ALyWM85TNAKjRUyr7VwAslFvfzRCtL0o/w0Fypsvoss +a4jpiC8QHjeUFlRz6fmYq4sgHZdi/sz0zOmGKHVYiCA1Jdrp1tM4NxkKeDquc61d +iD1yulnjkr8axb4gv4Y/C1McT7fvECbiaK9ni/vgwwluy0cqRIz7rPe8NrAD6pYn +1WPgkHmGeNwpIhPHbBd9WCoQNiU+BLyNyuFASWjZWiIMiMwCKQdvm0qVJ1fPWxeP +2GxxpWfoftwDkRy1/tURs0dVuI+Ko40sTFKiUVUMyOu0ndnyuR8VGICWlwA903yY +N05s8R65FpXJbERu3Bc4HO+fKzQxCqWocgcUHBI9VO9QGIcNRR1S1PgkltNUI0wI +KTJith+ru6XFRK5ts74cBR7i2p2r+cVFs/FyzXXP1v4A1U+Fe6PwwdhWdwJy9r4s +aOJPh5b5Go2BvRayptPt+18vdXm8N4L1xk94lk/h9X6lrMe9+WhWnH1BUnMD3dVm +m8mSczWkkveFNiEfj3WGdbTlpVvXUqHdwIx+v2obj0fBUDkg9r1M2ZZjaW3DEPM9 +aLOrjdK9t+ntJyNBQCnNCRZFaiFGHK9bdEjm9WhyfMAnxoKg1hNhzhq+jyxrPDZY +OY6FBpNTQ9NhGUkgpkgArAEj +=unW5 -----END PGP SIGNATURE----- diff --git a/website/static/security/advisories/FreeBSD-SA-26:35.openssl.asc b/website/static/security/advisories/FreeBSD-SA-26:35.openssl.asc index c5fbcc1945..888a4e24b1 100644 --- a/website/static/security/advisories/FreeBSD-SA-26:35.openssl.asc +++ b/website/static/security/advisories/FreeBSD-SA-26:35.openssl.asc @@ -1,208 +1,208 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:35.openssl Security Advisory The FreeBSD Project Topic: Multiple vulnerabilities in OpenSSL Category: contrib Module: openssl Announced: 2026-06-09 -Credits: XX +Credits: See linked vendor advisory in References section Affects: All supported versions of FreeBSD. Corrected: 2026-06-09 19:17:36 UTC (stable/15, 15.1-STABLE) 2026-06-09 19:20:15 UTC (releng/15.1, 15.1-RC3-p1) 2026-06-09 19:19:54 UTC (releng/15.0, 15.0-RELEASE-p10) 2026-06-09 19:17:54 UTC (stable/14, 14.4-STABLE) 2026-06-09 19:19:16 UTC (releng/14.4, 14.4-RELEASE-p6) 2026-06-09 19:18:46 UTC (releng/14.3, 14.3-RELEASE-p15) CVE Name: CVE-2026-7383, CVE-2026-9076, CVE-2026-34180, CVE-2026-34181, CVE-2026-34182, CVE-2026-34183, CVE-2026-42764, CVE-2026-42766, CVE-2026-42767, CVE-2026-42768, CVE-2026-42769, CVE-2026-42770, CVE-2026-45445, CVE-2026-45446, CVE-2026-45447 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit for the Transport Layer Security (TLS) protocol. It is also a general-purpose cryptography library. II. Problem Description Multiple issues have been reported as part of this advisory with different issues affecting different OpenSSL versions and therefore different FreeBSD versions. Instead of exhaustively listing detailed writeups for each issue, please see the referenced advisory from OpenSSL. Issues affecting FreeBSD 15.x (OpenSSL 3.5): CVE-2026-7383 - Possible heap buffer overflow in ASN.1 string conversion CVE-2026-9076 - Out-of-bounds read in CMS password-based decryption CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing CVE-2026-34181 - PKCS#12 files with PBMAC1 accepted with short HMAC keys CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages CVE-2026-34183 - Unbounded memory growth in the QUIC PATH_CHALLENGE handler CVE-2026-42764 - NULL dereference in QUIC server initial packet handling CVE-2026-42766 - Possible NULL dereference in password-based CMS decryption CVE-2026-42767 - NULL dereference in CRMF EncryptedValue decryption CVE-2026-42768 - Bleichenbacher oracle in CMS_decrypt() and PKCS7_decrypt() CVE-2026-42769 - Trust-anchor substitution in CMP rootCaKeyUpdate handling CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes CVE-2026-45447 - Heap use-after-free in PKCS7_verify() Issues affecting FreeBSD 14.x (OpenSSL 3.0): CVE-2026-7383 - Possible heap buffer overflow in ASN.1 string conversion CVE-2026-9076 - Out-of-bounds read in CMS password-based decryption CVE-2026-34180 - Heap buffer over-read in ASN.1 content parsing CVE-2026-34182 - CMS AuthEnvelopedData may accept forged messages CVE-2026-42766 - Possible NULL dereference in password-based CMS decryption CVE-2026-42770 - FFC-DH peer validation uses attacker-supplied q CVE-2026-45445 - AES-OCB IV ignored on the EVP_Cipher() one-shot path CVE-2026-45446 - Empty-message tag bypass in AES-GCM-SIV and AES-SIV modes CVE-2026-45447 - Heap use-after-free in PKCS7_verify() III. Impact The issues include heap buffer overflows and over-reads, NULL pointer dereferences, a use-after-free, unbounded memory allocation, and several cryptographic flaws permitting message forgery, integrity bypass, or recovery of a private key. Security impact ranges from a Denial of Service to a potential remote code execution. See the OpenSSL advisory for specific details. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-15.patch.asc # gpg --verify openssl-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:35/openssl-14.patch.asc # gpg --verify openssl-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart all daemons that use the library, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 865c8ff56693 stable/15-n283889 releng/15.1/ 083bb80a125a releng/15.1-n283559 releng/15.0/ 0d6ccbb7524f releng/15.0-n281062 stable/14/ ec6bfa889b83 stable/14-n274318 releng/14.4/ 1929d9e173e5 releng/14.4-n273724 releng/14.3/ dd3096b4efe6 releng/14.3-n271524 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- -iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiXEbFIAAAAAABAAO -bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv4HoP/iVj8j9S8nEcYqlZ1Sl4 -OWduy3w8BZXfeRdmJHT9cuAMDxpbkFENbeNobnlCa/VeJ96csXb3fL61ZhxkfDZo -VlQGaD7STKgezHzCfFD//jWLNiwditqfvWyZP7vu9oLzhz2oMIAn2fJ4uiQ1R11T -f1iWR0KXIaLQOpa4aLg7taZxpgHvNiwYNRLjuixlKfid+mLUuZEDhZCLD0Q/P66F -+kXo46aVtcSC6ZaBfMQ7G0lWP/UB0lpVAWEjZSgOMfSkBdecJF87qhTuzabYU0aA -mlZfxH2M+NScr95GX6T3XzXdki6NVHT6eM8YKckIrEARzO+yoYGFO3Oz9rRua8k1 -lhEyqqTyIkGEGzvOm0pwb8drP3PMDkFNCeGhm372N5fDY9a31cxBpRaT1E5nFze1 -MdTHDXi5qnjwuc1EHvACOg7fxHDhmZkn04HXW0wS4fHMGfvs3GNmNiFZh7u2Fm9I -WKimI+3fP6bL32P1J8ThRdwLnm8UQwHGj5yQ+8Gsa3gHEcnPpW6sAXppMQuZhRHJ -E1WYeejCdL0YjsTf/h9LfZL/kFsu0ZOPzBGFucmRNFtt/tG8D3U8qdeKDNibwPM1 -pZp2wEoW0Hzf4UAC+vP9pFiiEJmcjg4KkLGDbwJb5bKrMVrbD9mtzyxkTi3/9h78 -B7dWV8uVqkUR4ef8FdJZFE3u -=X4Lu +iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxkbFIAAAAAABAAO +bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvIjEQALlvtT/r8WJ72cw03AZP +1qPNWibqFxrMccV/fEtVq2csUzMkSq6PvgK3ZZoKgh8e2whpJkEULxRJ5Th8IEoD +McbPdU4+zgqcehfmH6mvuv/yshDJLe0U2iLFSTbzgbx8xe0XRyWJlutlNXSZmLvo +N87HGEtO/gXCXJxZuWFDE4JfO/bECn8wgZ468AD+OMwKRnx13hszmqKnp4cn/bZ8 +764BqDsyweCBSVbW7AC0A5/BP7e+S+eOGHDSDqm48Jxk8eVsEVvw5wEo7DMLQgQw +/kHc9BSiQ6HPgMvjDryUzX/FhF3El3sKQxkUXNFGcYk8yChTEVtD1C+zf3FACQJA +ZTeDNgJelmeJdK7uzrJtX/8Laozma0+x1+2+YrY+Y1aCqOZ0iicmlytZHRHgZc3R +riEEJdw3nlV6r43WtwBYjJNyOIiqPusYK8K0/RLnMeMtS+mwjjNjGxqcHdFPbSa7 +Xjs4zSAHgkg9NHMwD4S+F+upRZ3yVoZOvIDtqUKO85Mf70OYHHoaZJE4Q7mIPDyE +CbtpeaNpjSkujTR5/Us4JgxRfDqDGyyER/Ub1yZl8uuhKNU7QuOWRQMTeIXp42Es +uClHfLQz5Dvmwy7muDfg5cY0R/F9whvpwSOmILrsViBjcygkzFY9lE1ufW685vbH +1srvsOXI5oN55cZrX4+H6G17 +=UV/w -----END PGP SIGNATURE-----