| Started by | FreeBSD Security Advisories <security-advisories@freebsd.org> |
|---|---|
| First post | 2026-06-17 16:41 +0000 |
| Last post | 2026-06-18 15:25 +0200 |
| Articles | 3 — 3 participants |
FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] FreeBSD Security Advisories <security-advisories@freebsd.org> - 2026-06-17 16:41 +0000
Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] LuMiWa <lumiwa@dismail.de> - 2026-06-18 09:42 +0000
Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] Dag-Erling Smørgrav <des@FreeBSD.org> - 2026-06-18 15:25 +0200
| From | FreeBSD Security Advisories <security-advisories@freebsd.org> |
|---|---|
| Date | 2026-06-17 16:41 +0000 |
| Subject | FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] |
| Message-ID | <20260617164126.81E521C6D6@freefall.freebsd.org> |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:26.ktls                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Arbitrary file overwrite via the KTLS receive path

Category:       core
Module:         ktls
Announced:      2026-06-09
Credits:        Bumsrakete
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-45257

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
0. Revision History
v1.0 -- Initial revision
v1.1 -- Update workaround section
I. Background
Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing
into the kernel, allowing applications to encrypt and decrypt socket data
without copying it to and from userspace and to serve TLS data with
sendfile(2). When a connection uses software KTLS on the receive path,
the kernel decrypts each incoming TLS record in place within the socket
buffer.
II. Problem Description
The KTLS receive path decrypted each record in place, assuming that the
mbufs holding received data were anonymous and safe to modify. This
assumption does not hold for data placed on a socket by sendfile(2),
which can reference file-backed memory directly through non-anonymous
M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data
over a loopback connection without enabling KTLS on the transmit side,
the file-backed mbufs reach the receiver's decryption path unchanged.
Decrypting a record in place then overwrites the backing file's page
cache instead of a private copy of the data.
III. Impact
An unprivileged local user who can read a file can overwrite its
contents with data of their choosing by sending the file over a loopback
connection on which they have enabled KTLS receive. The write modifies
the page cache directly, so it bypasses file flags such as schg and is
written back to disk. By overwriting a setuid binary or other trusted
file, a local user can escalate privileges, potentially gaining full
control of the affected system.
IV. Workaround
Set sysctl kern.ipc.tls.enable=0 to disable KTLS entirely.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch
# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc
# gpg --verify ktls.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              a51345704403    stable/15-n283882
releng/15.1/                            48c1c5e3c348  releng/15.1-n283550
releng/15.0/                            540a315cdb46  releng/15.0-n281052
stable/14/                              333bdd7e9427    stable/14-n274311
releng/14.4/                            d43259dd66b3  releng/14.4-n273714
releng/14.3/                            af3398862ac0  releng/14.3-n271514
-------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://www.cve.org/CVERecord?id=CVE-2026-45257>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:26.ktls.asc>
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
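
Added example (not part of the advisory and not FreeBSD tooling): a sh script that compares a version string, or a source tree's first-parent commit count, with the fixed levels listed in the advisory's "Corrected" field and "Correction details" table. The function names are made up for this example, and anything the advisory does not list is reported as unknown.

```shell
#!/bin/sh
# Added example: decide whether a host is at or past the fix for
# FreeBSD-SA-26:26.ktls using only values printed in the advisory.
# Function names are hypothetical.

# Release patch levels from the "Corrected:" field.
sa2626_release_status() {   # $1 = version string, e.g. 15.0-RELEASE-p10
    ver=$1
    case $ver in
        *-p[0-9]*) base=${ver%-p*}; plevel=${ver##*-p} ;;
        *)         base=$ver;       plevel=0 ;;   # no -pN suffix means p0
    esac
    case $base in
        15.1-RC3)     fixed=1 ;;
        15.0-RELEASE) fixed=10 ;;
        14.4-RELEASE) fixed=6 ;;
        14.3-RELEASE) fixed=15 ;;
        *) echo unknown; return 0 ;;   # STABLE etc.: use the commit count
    esac
    if [ "$plevel" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Commit counts (nNNNNNN) from the "Correction details" table.
sa2626_commit_status() {    # $1 = branch, $2 = first-parent commit count
    case $1 in
        stable/15)   fixed=283882 ;;
        releng/15.1) fixed=283550 ;;
        releng/15.0) fixed=281052 ;;
        stable/14)   fixed=274311 ;;
        releng/14.4) fixed=273714 ;;
        releng/14.3) fixed=271514 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$2" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# On a FreeBSD host, report the running kernel (-r), the installed kernel
# (-k) and the workaround sysctl. Skipped where freebsd-version(1) is absent.
if command -v freebsd-version >/dev/null 2>&1; then
    for flag in -r -k; do
        v=$(freebsd-version "$flag")
        echo "freebsd-version $flag: $v -> $(sa2626_release_status "$v")"
    done
    echo "kern.ipc.tls.enable=$(sysctl -n kern.ipc.tls.enable)"
fi
```

If the installed kernel (-k) reports patched while the running kernel (-r) reports vulnerable, the update is on disk but the reboot the advisory calls for has not happened yet.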
| From | LuMiWa <lumiwa@dismail.de> |
|---|---|
| Date | 2026-06-18 09:42 +0000 |
| Message-ID | <20260618094206.18231bcd.lumiwa@dismail.de> |
| In reply to | #4201 |
I try to update and got:

"freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 15.0-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 15.0-RELEASE-p10."

Is it okay, please?

Thank you.

--
“Some people talk in their sleep. Lecturers talk while other people
sleep” ― Albert Camus
| From | Dag-Erling Smørgrav <des@FreeBSD.org> |
|---|---|
| Date | 2026-06-18 15:25 +0200 |
| Message-ID | <86tsr02d6q.fsf@ltc.des.dev> |
| In reply to | #4204 |
LuMiWa <lumiwa@dismail.de> writes:
> I try to update and got:
> [...]
> No updates needed to update system to 15.0-RELEASE-p10.
>
> Is it okay, please?

The email you replied to already contains all the information you need
to make that determination. Please take the time to read it.

DES
--
Dag-Erling Smørgrav - des@FreeBSD.org