<feed xmlns='http://www.w3.org/2005/Atom'>
<title>src/lib, branch release/14.3.0-p12</title>
<subtitle>FreeBSD source tree</subtitle>
<id>https://cgit-dev.freebsd.org/src/atom?h=release%2F14.3.0-p12</id>
<link rel='self' href='https://cgit-dev.freebsd.org/src/atom?h=release%2F14.3.0-p12'/>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/'/>
<updated>2026-04-28T20:33:04Z</updated>
<entry>
<title>libnv: fix heap overflow in nvlist_recv()</title>
<updated>2026-04-28T20:33:04Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-04-28T14:36:09Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=aa15809f85deef33167bf74f82144d714a884548'/>
<id>urn:sha1:aa15809f85deef33167bf74f82144d714a884548</id>
<content type='text'>
nvlist_check_header() validated nvlh_size for overflow before
performing conversion. A malicious user can set
NV_FLAG_BIG_ENDIAN in the header and craft nvlh_size so that
the original value passes the check, but after the conversion the
sizeof(nvlist_header) + size can overflow.
This can lead to a heap buffer overflow.

Approved by:	so
Security:	FreeBSD-SA-26:17.libnv
Security:	CVE-2026-35547
Fixes:		36fa90dbde0060aacb5677d0b113ee168e839071
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56342
</content>
</entry>
<entry>
<title>libnv: switch fd_wait() from select(2) to poll(2)</title>
<updated>2026-04-28T20:33:04Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2026-04-28T14:35:10Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=a872c32f389eb855f1a2caae69485c834c4c1d5c'/>
<id>urn:sha1:a872c32f389eb855f1a2caae69485c834c4c1d5c</id>
<content type='text'>
The previous implementation used FD_SET() on a stack-allocated fd_set,
which is an out-of-bounds write whenever the socket fd is &gt;= FD_SETSIZE
(1024).

Approved by:	so
Security:	FreeBSD-SA-26:16.libnv
Security:	CVE-2026-39457
Reported by:	Joshua Rogers of AISLE Research Team (https://aisle.com/)
Reviewed by:	markj
Differential Revision:	https://reviews.freebsd.org/D56689
</content>
</entry>
<entry>
<title>libnv: add tests to verify potential overflow issues</title>
<updated>2026-04-28T20:33:04Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2024-08-29T13:46:01Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=0963be1dbf8886423c0c4efade79661989db9a77'/>
<id>urn:sha1:0963be1dbf8886423c0c4efade79661989db9a77</id>
<content type='text'>
Approved by:	so
Differential Revision:  https://reviews.freebsd.org/D46131

(cherry picked from commit 241a7ddd7112982ed41ccdd047c1dad59ee0256e)
</content>
</entry>
<entry>
<title>libnv: add test to verify null termination of string in array</title>
<updated>2026-04-28T20:33:04Z</updated>
<author>
<name>Mariusz Zaborski</name>
<email>oshogbo@FreeBSD.org</email>
</author>
<published>2024-08-29T13:44:03Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=bba29d772b1006579b365405a34fa107b11670df'/>
<id>urn:sha1:bba29d772b1006579b365405a34fa107b11670df</id>
<content type='text'>
Approved by:	so
Differential Revision:  https://reviews.freebsd.org/D46138

(cherry picked from commit 2981431e044fae3bc87e6fa891b8230b484dc84b)
</content>
</entry>
<entry>
<title>pkru: Fix handling of 1GB largepage mappings</title>
<updated>2026-04-21T15:45:50Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-03-31T13:37:43Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=979e645dd25e8b9df065ca2bf3059c269224fec6'/>
<id>urn:sha1:979e645dd25e8b9df065ca2bf3059c269224fec6</id>
<content type='text'>
pmap_pkru_update_range() did not handle the case where a PDPE has PG_PS
set.  More generally, the SET_PKRU and CLEAR_PKRU sysarch
implementations did not check whether the request covers a "boundary" vm
map entry.  Fix this, add the missing PG_PS test, and add some tests.

Approved by:	so
Security:	FreeBSD-SA-26:11.amd64
Security:	CVE-2026-6386
Reported by:	Nicholas Carlini &lt;npc@anthropic.com&gt;
Reviewed by:	kib, alc
Differential Revision:	https://reviews.freebsd.org/D56184
</content>
</entry>
<entry>
<title>rpcsec_gss: Fix a stack overflow in svc_rpc_gss_validate()</title>
<updated>2026-03-25T06:56:34Z</updated>
<author>
<name>Mark Johnston</name>
<email>markj@FreeBSD.org</email>
</author>
<published>2026-03-24T02:12:42Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=b6ce88ab9a5fd248cd3cf72d8e4b86f989291505'/>
<id>urn:sha1:b6ce88ab9a5fd248cd3cf72d8e4b86f989291505</id>
<content type='text'>
svc_rpc_gss_validate() copies the input message into a stack buffer
without ensuring that the buffer is large enough.  Sure enough,
oa_length may be up to 400 bytes, much larger than the provided space.
This enables an unauthenticated user to trigger an overflow and obtain
remote code execution.

Add a runtime check which verifies that the copy won't overflow.

Approved by:	so
Security:	FreeBSD-SA-26:08.rpcsec_gss
Security:	CVE-2026-4747
Reported by:	Nicholas Carlini &lt;npc@anthropic.com&gt;
Reviewed by:	rmacklem
Fixes:		a9148abd9da5d
</content>
</entry>
<entry>
<title>libarchive: merge from vendor branch</title>
<updated>2025-08-07T23:57:20Z</updated>
<author>
<name>Martin Matuska</name>
<email>mm@FreeBSD.org</email>
</author>
<published>2025-06-01T20:16:26Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=fb780a82dfbde953dae414f42b99157cade2517a'/>
<id>urn:sha1:fb780a82dfbde953dae414f42b99157cade2517a</id>
<content type='text'>
libarchive 3.8.1

New features:
 #2088 7-zip reader: improve self-extracting archive detection
 #2137 zip writer: added XZ, LZMA, ZSTD and BZIP2 support
 #2403 zip writer: added LZMA + RISCV BCJ filter
 #2601 bsdtar: support --mtime and --clamp-mtime
 #2602 libarchive: mbedtls 3.x compatibility

Security fixes:
 #2422 tar reader: Handle truncation in the middle of a GNU long linkname
       (CVE-2024-57970)
 #2532 tar reader: fix unchecked return value in list_item_verbose()
       (CVE-2025-25724)
 #2532 unzip: fix null pointer dereference (CVE-2025-1632)
 #2568 warc: prevent signed integer overflow (CVE-2025-5916)
 #2584 rar: do not skip past EOF while reading (CVE-2025-5918)
 #2588 tar: fix overflow in build_ustar_entry (CVE-2025-5917)
 #2598 rar: fix double free with over 4 billion nodes (CVE-2025-5914)
 #2599 rar: fix heap-buffer-overflow (CVE-2025-5915)

Important bugfixes:
 #2399 7-zip reader: add SPARC filter support for non-LZMA compressors
 #2405 tar reader: ignore ustar size when pax size is present
 #2435 tar writer: fix bug when -s/a/b/ used more than once with b flag
 #2459 7-zip reader: add POWERPC filter support for non-LZMA compressors
 #2519 libarchive: handle ARCHIVE_FILTER_LZOP in archive_read_append_filter
 #2539 libarchive: add missing seeker function to archive_read_open_FILE()
 #2544 gzip: allow setting the original filename for gzip compressed files
 #2564 libarchive: improve lseek handling
 #2582 rar: support large headers on 32 bit systems
 #2587 bsdtar: don't hardlink negative inode files together
 #2596 rar: support large headers on 32 bit systems
 #2606 libarchive: support @-prefixed Unix epoch timestamps as date strings
 #2634 tar: Support negative time values with pax
 #2637 tar: Keep block alignment after pax error
 #2642 libarchive: fix FILE_skip regression
 #2643 tar: Handle extra bytes after sparse entries
 #2649 compress: Prevent call stack overflow
 #2651 iso9660: always check archive_string_ensure return value

CVE:		CVE-2024-57970, CVE-2025-1632, CVE-2025-25724,
		CVE-2025-5914, CVE-2025-5915, CVE-2025-5916,
		CVE-2025-5917, CVE-2025-5918
PR:		286944 (exp-run, main, libarchive 3.8.0)
Approved by:	so
Security:	FreeBSD-SA-25:07.libarchive

(cherry picked from commit 2e113ef82465598b8c26e0ca415fbe90677fbd47)
(cherry picked from commit 6dad4525a2910496ecf3c41de659aac906f6c1f4)
</content>
</entry>
<entry>
<title>Update in preparation for 14.3-RELEASE</title>
<updated>2025-06-06T00:00:00Z</updated>
<author>
<name>Colin Percival</name>
<email>cperciva@FreeBSD.org</email>
</author>
<published>2025-06-06T00:00:00Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=8c9ce319fef765890ce518cab85d3a470b669849'/>
<id>urn:sha1:8c9ce319fef765890ce518cab85d3a470b669849</id>
<content type='text'>
- Bump BRANCH to RELEASE
- Add the anticipated RELEASE announcement date
- Set a static __FreeBSD_version

Approved by:	re (implicit)
Sponsored by:	Amazon
</content>
</entry>
<entry>
<title>Fix incorrect version introduced in manual pages</title>
<updated>2025-06-03T23:47:57Z</updated>
<author>
<name>Tom Hukins</name>
<email>tom@FreeBSD.org</email>
</author>
<published>2025-05-02T11:00:20Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=ffacf114e1313ab610b7ac4ee4714d35d5a035be'/>
<id>urn:sha1:ffacf114e1313ab610b7ac4ee4714d35d5a035be</id>
<content type='text'>
Several manual pages for releng/14.3 incorrectly claim that features
were first introduced in FreeBSD 15.0.

I discovered these by running:

  git checkout origin/releng/14.3
  git grep -F '.Fx 15.0'

Approved by:    re (cperciva)
MFC After: 3 days
Reviewed by: imp, ziaee
Pull Request: https://github.com/freebsd/freebsd-src/pull/1685

(cherry picked from commit 5b9660caff69c70c9b6d9df5e04a3f21f8cf7996)
(cherry picked from commit ef4014882ee1413eba75a78f6e307e16123c63d1)
</content>
</entry>
<entry>
<title>MFV: xz 5.8.1.</title>
<updated>2025-05-08T16:24:51Z</updated>
<author>
<name>Xin LI</name>
<email>delphij@FreeBSD.org</email>
</author>
<published>2025-05-04T07:06:22Z</published>
<link rel='alternate' type='text/html' href='https://cgit-dev.freebsd.org/src/commit/?id=9679eedea94c9d60c372c67350242acfe18e2b22'/>
<id>urn:sha1:9679eedea94c9d60c372c67350242acfe18e2b22</id>
<content type='text'>
PR:		bin/286252
Approved by:	re (cperciva)

(cherry picked from commit 128836d304d93f2d00eb14069c27089ab46c38d4)
(cherry picked from commit 5cf27a49a2de91ae1f369912a7bf3859fbc79355)
</content>
</entry>
</feed>
