<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src, branch release/14.3.0-p14</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=release%2F14.3.0-p14</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=release%2F14.3.0-p14'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-05-20T02:12:20Z</updated>
<entry>
<title>Add UPDATING entries and bump version</title>
<updated>2026-05-20T02:12:20Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-05-19T23:47:34Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=6281466c3266a64d28c1988e4baea2a1a59420a8'/>
<id>urn:sha1:6281466c3266a64d28c1988e4baea2a1a59420a8</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>cap_net: do not allow new limits to drop keys from the old ones</title>
<updated>2026-05-20T02:12:20Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-05-12T08:33:41Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=b3baecf084053e9f6f262ad9f85c8fcdc5bfe132'/>
<id>urn:sha1:b3baecf084053e9f6f262ad9f85c8fcdc5bfe132</id>
<content type='text'>
If the old limit had family/hosts/sockaddr set, the new limit must
have them too. Before, a missing key in the new limit was treated as
"allow any", which let a caller silently extend their limits.

Approved by:	so
Security:	FreeBSD-SA-26:24.cap_net
Security:	CVE-2026-45254
Reported by:	Joshua Rogers of AISLE Research Team
Reviewed by:	markj
MFC after:	1 day
Differential Revision:	https://reviews.freebsd.org/D56991

(cherry picked from commit d705a519525f2acae3c1efba11436ec6ee8aea0a)
(cherry picked from commit b79faca1c5964d89c125d02de35928b733041f3f)
</content>
</entry>
<entry>
<title>bsdconfig: Make sure that SSID names are properly escaped</title>
<updated>2026-05-20T02:12:20Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-05-12T14:16:46Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9cb0be8381f7c9ecab5892f4f7277f53b7fcc5f6'/>
<id>urn:sha1:9cb0be8381f7c9ecab5892f4f7277f53b7fcc5f6</id>
<content type='text'>
The f_menu_wpa_scan_results() function returns a list of networks
discovered by a scan.  The untrusted network names are evaluated in
f_dialog_menu_wireless_edit.  The quoting applied in
f_menu_wpa_scan_results() protects against evaluation of something like
"$(whoami)" but one can add single quotes to defeat that.

Pass the SSID names through f_shell_escape to work around this.  Escape
single quotes in f_dialog_wireless_edit() and f_menu_wireless_configs()
too for consistency.

I note that this module doesn't seem to actually work, see e.g.,
bugzilla PR 229883.

Approved by:	so
Security:	FreeBSD-SA-26:23.bsdinstall
Security:	CVE-2026-45255
Reported by:	Austin Ralls
Reviewed by:	dteske, des
Differential Revision:	https://reviews.freebsd.org/D56974
</content>
</entry>
<entry>
<title>bsdinstall: Avoid invoking eval on the wlan SSID list</title>
<updated>2026-05-20T02:12:20Z</updated>
<author>
<name>Renato Botelho</name>
<email>garga@FreeBSD.org</email>
</author>
<published>2024-05-20T13:43:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=7b80739d1290bb634fa7f45137297a0a8d02b3cd'/>
<id>urn:sha1:7b80739d1290bb634fa7f45137297a0a8d02b3cd</id>
<content type='text'>
The wlanconfig utility is not careful about handling untrusted network
names, which can contain shell metacharacters.  Factor network selection
into a subroutine and use the `set -- "$@"` trick to build up a list of
positional parameters for bsddialog without evaluating them.

Approved by:	so
Security:	FreeBSD-SA-26:23.bsdinstall
Security:	CVE-2026-45255
Reported by:	Austin Ralls
Reviewed by:	dteske, des, asiciliano
Differential Revision:	https://reviews.freebsd.org/D56973
</content>
</entry>
<entry>
<title>libcasper: switch from select(2) to poll(2)</title>
<updated>2026-05-20T02:12:20Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-05-18T15:32:49Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=cbec318381734159c4d1e2a831ddc5c2ad402eb0'/>
<id>urn:sha1:cbec318381734159c4d1e2a831ddc5c2ad402eb0</id>
<content type='text'>
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is &gt;= FD_SETSIZE
(1024).

poll(2) takes an array indexed by slot rather than by fd value, so it
has no FD_SETSIZE limit.

Approved by:	so
Security:	FreeBSD-SA-26:22.libcasper
Security:	CVE-2026-39461
Reported by:	Joshua Rogers
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56695
</content>
</entry>
<entry>
<title>ptrace: Fix validation of PT_SC_REMOTE arguments</title>
<updated>2026-05-20T02:12:20Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-05-12T17:32:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=45bd421661c401b117b452e92dd473950b8d9ee0'/>
<id>urn:sha1:45bd421661c401b117b452e92dd473950b8d9ee0</id>
<content type='text'>
- Fix an off-by-one in the system call number check.  A value of
  SYS_MAXSYSCALL was permitted.
- Validate the system call number after we've dealt with
  syscall(2)/__syscall(2), since they pass the syscall number as an
  argument.
- When the syscall number is for syscall(2) or __syscall(2), we must
  make sure that nargs &gt; 0 to avoid an underflow when shifting arguments
  down.

Add regression tests.

Approved by:	so
Security:	FreeBSD-SA-26:21.ptrace
Security:	CVE-2026-45253
Fixes:		140ceb5d956b ("ptrace(2): add PT_SC_REMOTE remote syscall request")
Reported by:	Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Reviewed by:	kib, emaste
Differential Revision:	https://reviews.freebsd.org/D56978
</content>
</entry>
<entry>
<title>fusefs: Handle buggy servers' LISTXATTR response</title>
<updated>2026-05-20T02:12:20Z</updated>
<author>
<name>Alan Somers</name>
<email>asomers@FreeBSD.org</email>
</author>
<published>2026-05-04T19:35:11Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=53f3bf4ee1ce1d985c1070d4e5b1e4978f2bb92b'/>
<id>urn:sha1:53f3bf4ee1ce1d985c1070d4e5b1e4978f2bb92b</id>
<content type='text'>
The fuse protocol requires servers to respond to LISTXATTR with a
NUL-terminated string.  If they don't, report an error rather than
attempt to scan through uninitialized memory for a NUL.

Approved by:	so
Security:	FreeBSD-SA-26:20.fusefs
Security:	CVE-2026-45252
admbugs:	1039
Reported by:	Joshua Rogers
Sponsored by:	ConnectWise
</content>
</entry>
<entry>
<title>netmap: Drain selinfo sleepers in nm_os_selinfo_uninit()</title>
<updated>2026-05-19T23:48:36Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-05-19T00:09:54Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=659818009d15a75d504c316a1e497c9bbe42450b'/>
<id>urn:sha1:659818009d15a75d504c316a1e497c9bbe42450b</id>
<content type='text'>
Approved by:	so
Security:	FreeBSD-SA-26:19.file
Security:	CVE-2026-45251
</content>
</entry>
<entry>
<title>procdesc: Make sure to drain selinfo sleepers in procdesc_free()</title>
<updated>2026-05-19T23:48:36Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-05-08T13:03:49Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c20b3d4a83adcae4beec1c0c73bf42caa344a963'/>
<id>urn:sha1:c20b3d4a83adcae4beec1c0c73bf42caa344a963</id>
<content type='text'>
Otherwise they are left on a freed list after procdesc_free() is called.
This can be exploited to elevate privileges.

Remove the PDF_SELECTED micro-optimization.  doselwakeup() is a no-op if
no one ever called selrecord() on the file description, so I see no
reason to complicate the code to avoid the call.

Add some regression tests.

Approved by:	so
Security:	FreeBSD-SA-26:19.file
Security:	CVE-2026-45251
Reported by:	75Acol, Lexpl0it, fcgboy, and robinzeng2015
Reviewed by:	kib, oshogbo
Fixes:		cfb5f7686588 ("Add experimental support for process descriptors")
Differential Revision:	https://reviews.freebsd.org/D56887
</content>
</entry>
<entry>
<title>setcred: Fix buffer overflow</title>
<updated>2026-05-19T23:48:36Z</updated>
<author>
<name>Dag-Erling Smørgrav</name>
<email>des@FreeBSD.org</email>
</author>
<published>2026-05-07T08:06:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=bfff5c180193845664a0d9f56f94111214e7c80b'/>
<id>urn:sha1:bfff5c180193845664a0d9f56f94111214e7c80b</id>
<content type='text'>
Since groups is a pointer to a pointer to an array of gid_t, we should
use sizeof(**groups) or sizeof(gid_t) when calculating how much to
allocate and copy in.  We were using sizeof(*groups) instead, which
meant that on 64-bit platforms, we would allocate and copy in twice as
much as we should.  Unfortunately, in the smallgroups case, we copy
into a preallocated buffer which has the correct size, which means that
if sc_supp_groups_nb &gt;= CRED_SMALLGROUPS_NB / 2, we overflow smallgroups.

This is a direct commit to stable/14.

Approved by:	so
Security:	FreeBSD-SA-26:18.setcred
Reported by:	Ryan of Calif.io
Fixes:		ddb3eb4efe55 ("New setcred() system call and associated MAC hooks")
</content>
</entry>
</feed>
