<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src, branch release/15.0.0-p7</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=release%2F15.0.0-p7</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=release%2F15.0.0-p7'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-04-28T20:09:31Z</updated>
<entry>
<title>Add UPDATING entries and bump version</title>
<updated>2026-04-28T20:09:31Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-28T20:09:31Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=bbfdabc12895ce2538444747684c6a4fe53298ba'/>
<id>urn:sha1:bbfdabc12895ce2538444747684c6a4fe53298ba</id>
<content type='text'>
Approved by:	so
</content>
</entry>
<entry>
<title>libnv: fix heap overflow in nvlist_recv()</title>
<updated>2026-04-28T19:27:12Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-04-28T14:36:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=b345e07c8d71e2c00cabe26ea2f96d65368aa1dd'/>
<id>urn:sha1:b345e07c8d71e2c00cabe26ea2f96d65368aa1dd</id>
<content type='text'>
nvlist_check_header() validated nvlh_size for overflow before
performing conversion. A malicious user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the original value passes the check, but after the conversion the
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.

Approved by:	so
Security:	FreeBSD-SA-26:17.libnv
Security:	CVE-2026-35547
Fixes:		36fa90dbde0060aacb5677d0b113ee168e839071
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56342
</content>
</entry>
<entry>
<title>libnv: switch fd_wait() from select(2) to poll(2)</title>
<updated>2026-04-28T19:27:12Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-04-28T14:35:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=7e4d5363ddced9578c42c46d8149e04aa1ab9fa8'/>
<id>urn:sha1:7e4d5363ddced9578c42c46d8149e04aa1ab9fa8</id>
<content type='text'>
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is &gt;= FD_SETSIZE
(1024).

Approved by:	so
Security:	FreeBSD-SA-26:16.libnv
Security:	CVE-2026-39457
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56689
</content>
</entry>
<entry>
<title>pf: improve SCTP validation</title>
<updated>2026-04-28T19:27:11Z</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2026-04-26T09:34:55Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=c01d9bcf0cf683a0bd074383339980bcf3862be5'/>
<id>urn:sha1:c01d9bcf0cf683a0bd074383339980bcf3862be5</id>
<content type='text'>
As per RFC5061 "4.2.  New Parameter Types" the add/delete IP address
parameters (0xc001, 0xc002) may not be present in an INIT or INIT-ACK
chunk. They are only allowed to be present in an ASCONF chunk.

This also prevents unbounded recursion while parsing an SCTP packet.

Approved by:	so
Security:	FreeBSD-SA-26:14.pf
Security:	CVE-2026-7164
PR:		294799
Reported by:	Igor Gabriel Sousa e Souza
Sponsored by:	Orange Business Services
</content>
</entry>
<entry>
<title>dhclient: Fix reallocation of dhclient script environments</title>
<updated>2026-04-28T19:27:11Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-27T20:56:21Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=66d6c32ce7b84172e4c6069ce3acf8f5c422d1fa'/>
<id>urn:sha1:66d6c32ce7b84172e4c6069ce3acf8f5c422d1fa</id>
<content type='text'>
When the number of DHCP options exceeds a threshold, script_set_env()
will reallocate the environment, stored as an array of pointers.  The
calculation of the array size failed to multiply by the pointer size,
resulting in a smaller than expected buffer which admits out-of-bounds
writes.

Approved by:	so
Security:	FreeBSD-SA-26:15.dhclient
Security:	CVE-2026-42511
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
</content>
</entry>
<entry>
<title>dhclient: Check for unexpected characters in some DHCP server options</title>
<updated>2026-04-28T19:27:11Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-27T20:03:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=e7b4fb41aafaf6ccb4ff14684416223c1f6f92e8'/>
<id>urn:sha1:e7b4fb41aafaf6ccb4ff14684416223c1f6f92e8</id>
<content type='text'>
Some options are written directly to the lease file, which may be parsed
by subsequent dhclient invocations.  We must make sure that a malicious
server can't control the "medium" field of a lease definition, otherwise
they can achieve RCE by injecting one into the lease file, whereupon it
will be passed to dhclient-script, which passes it through eval.

Approved by:	so
Security:	FreeBSD-SA-26:12.dhclient
Security:	CVE-2026-42511
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
</content>
</entry>
<entry>
<title>execve: Fix an operator precedence bug</title>
<updated>2026-04-28T19:27:11Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-04-22T17:58:35Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=934b48683c4f140cafd225518d9e056a00b46ee8'/>
<id>urn:sha1:934b48683c4f140cafd225518d9e056a00b46ee8</id>
<content type='text'>
The buggy version allowed userspace to overflow the copy into adjacent
execve KVA regions, which enables, among other things, injecting
environment variables into privileged processes.

Approved by:	so
Security:	FreeBSD-SA-26:13.exec
Security:	CVE-2026-7270
Reported by:	Ryan Austin of Calif.io
Reviewed by:	brooks, kib
Fixes:		f373437a01a3 ("Add helper functions to copy strings into struct image_args.")
Differential Revision:	https://reviews.freebsd.org/D56665
</content>
</entry>
<entry>
<title>amd64: fix INVLPGB range invalidation</title>
<updated>2026-04-28T19:26:02Z</updated>
<author>
<name>Kyle Evans</name>
<email>kevans@FreeBSD.org</email>
</author>
<published>2026-04-20T20:18:17Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=182c59658218d9b0a889eaad56ad4c31d99323e9'/>
<id>urn:sha1:182c59658218d9b0a889eaad56ad4c31d99323e9</id>
<content type='text'>
AMD64 Architecture Programmer's Manual Volume 3 says the following:

&gt; ECX[15:0] contains a count of the number of sequential pages to
&gt; invalidate in addition to the original virtual address, starting from
&gt; the virtual address specified in rAX. A count of 0 invalidates a
&gt; single page. ECX[31]=0 indicates to increment the virtual address at
&gt; the 4K boundary. ECX[31]=1 indicates to increment the virtual address
&gt; at the 2M boundary. The maximum count supported is reported in
&gt; CPUID function 8000_0008h, EDX[15:0].

ECX[31] being what we call INVLPGB_2M_CNT, signaling to increment the
VA by 2M.

&gt; This instruction invalidates the TLB entry or entries, regardless of
&gt; the page size (4 Kbytes, 2 Mbytes, 4 Mbytes, or 1 Gbyte). [...]

Combined with this, my interpretation of the current code is: if
&lt;va&gt; is aligned on a PDE boundary, we'll use INVLPGB_2M_CNT to try and
invalidate &lt;cnt&gt; PDEs with a single call, but that only works if &lt;va&gt; is
the start of at least &lt;cnt&gt; 2M pages.  Otherwise, if &lt;va&gt; or any of the
subsequent PDEs isn't actually a superpage, then we would actually only
invalidate the *first* page within the PDE before skipping to the next
PDE, leaving the remainder of the 4K pages in between as they were.

The implication would seem to be that we would need to inspect the range
that we're trying to invalidate if we're planning on using
INVLPGB_2M_CNT at all, so this patch just simplifies it to a series of
4K invalidations.  My gut feeling is that we likely still come out on
top vs. the TLB shootdown we're avoiding.

This seems to explain some issues we've seen lately with fdgrowtable()
and kqueue on recent Zen4/Zen5 EPYC hardware, where we'd experience
corruption that we can't explain.

Approved by:	so
Security:	FreeBSD-EN-26:10.amd64
PR:		293382
Reviewed by:	alc, kib, markj

(cherry picked from commit 1b8e5c02f5c07521129e06ff8ab7c660238fd75c)
(cherry picked from commit 280cfe2264d7bf2199e5a41bdcbb9acb49d059c1)
</content>
</entry>
<entry>
<title>contrib/tzdata: import tzdata 2025c, 2026a and 2026b</title>
<updated>2026-04-28T19:26:02Z</updated>
<author>
<name>Philip Paeps</name>
<email>philip@FreeBSD.org</email>
</author>
<published>2026-04-27T05:02:20Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=183f96697f82a614a7423c031ee29735cd4e1a52'/>
<id>urn:sha1:183f96697f82a614a7423c031ee29735cd4e1a52</id>
<content type='text'>
Changes: https://github.com/eggert/tz/blob/2025c/NEWS
Changes: https://github.com/eggert/tz/blob/2026a/NEWS
Changes: https://github.com/eggert/tz/blob/2026b/NEWS

Approved by:	so
Security:	FreeBSD-EN-26:09.tzdata

(cherry picked from commit a86dc94b84d177da8f00d1c9420ef0860576e4c4)
(cherry picked from commit b94c971dd0cfe22c17639f18677eca92abdc5189)
(cherry picked from commit 6becc3dff922476d667c15f029e520da496d4295)
(cherry picked from commit 564480f108e7019a8cc8443c615f7d2b5edfb092)
(cherry picked from commit 9b95cab0a2927dfe07dbe6dc0056a80d5c730414)
(cherry picked from commit 1e5aff8e5bc607f6bfaaf982b9c07ce365cd9bf4)
</content>
</entry>
<entry>
<title>pf: fix duplicate rule detection for automatic tables</title>
<updated>2026-04-28T19:26:02Z</updated>
<author>
<name>Kristof Provost</name>
<email>kp@FreeBSD.org</email>
</author>
<published>2026-04-09T16:11:41Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=d91d13c12484ebc007fdb26ebcf5950490f66d1e'/>
<id>urn:sha1:d91d13c12484ebc007fdb26ebcf5950490f66d1e</id>
<content type='text'>
We should look at the table name for automatic tables as well. These
are different tables, so the rules using them are (or can be) different
as well.

Approved by:	so
Security:	FreeBSD-EN-26:08.pf
Reported by:	Michael Sinatra &lt;michael@burnttofu.net&gt;
Sponsored by:	Rubicon Communications, LLC ("Netgate")

(cherry picked from commit fb838352751767e756bd45cd2040fa464ed4de20)
(cherry picked from commit fdcc60f52841708efda2582b2492b0a460496fcc)
</content>
</entry>
</feed>
