
FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED]

Started by: FreeBSD Security Advisories <security-advisories@freebsd.org>
First post: 2026-06-17 16:41 +0000
Last post: 2026-06-18 15:25 +0200
Articles: 3 — 3 participants


Contents

  FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] FreeBSD Security Advisories <security-advisories@freebsd.org> - 2026-06-17 16:41 +0000
    Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] LuMiWa <lumiwa@dismail.de> - 2026-06-18 09:42 +0000
      Re: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED] Dag-Erling Smørgrav <des@FreeBSD.org> - 2026-06-18 15:25 +0200

#4201 — FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED]

From: FreeBSD Security Advisories <security-advisories@freebsd.org>
Date: 2026-06-17 16:41 +0000
Subject: FreeBSD Security Advisory FreeBSD-SA-26:26.ktls [REVISED]
Message-ID: <20260617164126.81E521C6D6@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-26:26.ktls                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Arbitrary file overwrite via the KTLS receive path

Category:       core
Module:         ktls
Announced:      2026-06-09
Credits:        Bumsrakete
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-45257

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0. Revision History

v1.0 -- Initial revision
v1.1 -- Update workaround section

I.   Background

Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing
into the kernel, allowing applications to encrypt and decrypt socket data
without copying it to and from userspace and to serve TLS data with
sendfile(2).  When a connection uses software KTLS on the receive path,
the kernel decrypts each incoming TLS record in place within the socket
buffer.

II.  Problem Description

The KTLS receive path decrypted each record in place, assuming that the
mbufs holding received data were anonymous and safe to modify.  This
assumption does not hold for data placed on a socket by sendfile(2),
which can reference file-backed memory directly through non-anonymous
M_EXTPG pages or EXT_SFBUF mbufs.  When the sender transmits such data
over a loopback connection without enabling KTLS on the transmit side,
the file-backed mbufs reach the receiver's decryption path unchanged.
Decrypting a record in place then overwrites the backing file's page
cache instead of a private copy of the data.

III. Impact

An unprivileged local user who can read a file can overwrite its
contents with data of their choosing by sending the file over a loopback
connection on which they have enabled KTLS receive.  The write modifies
the page cache directly, so it bypasses file flags such as schg and is
written back to disk.  By overwriting a setuid binary or other trusted
file, a local user can escalate privileges, potentially gaining full
control of the affected system.

IV.  Workaround

Set sysctl kern.ipc.tls.enable=0 to disable KTLS entirely.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch
# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc
# gpg --verify ktls.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              a51345704403    stable/15-n283882
releng/15.1/                            48c1c5e3c348  releng/15.1-n283550
releng/15.0/                            540a315cdb46  releng/15.0-n281052
stable/14/                              333bdd7e9427    stable/14-n274311
releng/14.4/                            d43259dd66b3  releng/14.4-n273714
releng/14.3/                            af3398862ac0  releng/14.3-n271514
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-45257>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:26.ktls.asc>


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-admin@muc.de
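
Added example (not part of the advisory or of FreeBSD's tooling): a POSIX sh helper that classifies a version string against the advisory's "Corrected" list and the section VI revision counts. The function names are hypothetical; input is assumed to be either `freebsd-version` style (`15.0-RELEASE-p10`) or `branch-nCOUNT` style (`stable/15-n283882`).

```shell
#!/bin/sh
# Thresholds copied from the advisory's "Corrected" list and section VI table.
min_patch() {            # release name -> first fixed patch level
    case "$1" in
        15.1-RC3)     echo 1 ;;
        15.0-RELEASE) echo 10 ;;
        14.4-RELEASE) echo 6 ;;
        14.3-RELEASE) echo 15 ;;
        *) return 1 ;;   # release not listed in the advisory
    esac
}
min_count() {            # branch -> first fixed commit count (nNNNNNN)
    case "$1" in
        stable/15)   echo 283882 ;;
        releng/15.1) echo 283550 ;;
        releng/15.0) echo 281052 ;;
        stable/14)   echo 274311 ;;
        releng/14.4) echo 273714 ;;
        releng/14.3) echo 271514 ;;
        *) return 1 ;;   # branch not listed in the advisory
    esac
}

# Prints fixed, vulnerable, check-commit (patch level is not meaningful on
# -STABLE; compare the commit count instead) or unknown (not in the advisory).
ktls_sa_status() {
    v=$1
    case "$v" in
        */*-n[0-9]*)
            have=${v##*-n}
            need=$(min_count "${v%-n*}") || { echo unknown; return 0; } ;;
        *-STABLE*|*-CURRENT*|*-PRERELEASE*)
            echo check-commit; return 0 ;;
        *-p[0-9]*)
            have=${v##*-p}
            need=$(min_patch "${v%-p*}") || { echo unknown; return 0; } ;;
        *)
            have=0; need=$(min_patch "$v") || { echo unknown; return 0; } ;;
    esac
    if [ "$have" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# On a FreeBSD host: the fix is in the kernel, so judge the running kernel too.
if command -v freebsd-version >/dev/null 2>&1; then
    echo "running kernel:   $(ktls_sa_status "$(freebsd-version -r)")"
    echo "installed kernel: $(ktls_sa_status "$(freebsd-version -k)")"
    echo "kern.ipc.tls.enable=$(sysctl -n kern.ipc.tls.enable)"
fi
```

If the installed kernel reports fixed but the running kernel does not, the update is in place and the reboot from section V is still pending.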



#4204

From: LuMiWa <lumiwa@dismail.de>
Date: 2026-06-18 09:42 +0000
Message-ID: <20260618094206.18231bcd.lumiwa@dismail.de>
In reply to: #4201

On Wed, 17 Jun 2026 16:41:26 +0000 (UTC)
FreeBSD Security Advisories <security-advisories@freebsd.org> wrote:

> [...]
I tried to update and got:

"freebsd-update fetch
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching metadata signature for 15.0-RELEASE from update2.freebsd.org... done.
Fetching metadata index... done.
Inspecting system... done.
Preparing to download files... done.

No updates needed to update system to 15.0-RELEASE-p10."

Is it okay, please?

Thank you.

-- 
“Some people talk in their sleep. Lecturers talk while other people sleep”
― Albert Camus 




#4205

From: Dag-Erling Smørgrav <des@FreeBSD.org>
Date: 2026-06-18 15:25 +0200
Message-ID: <86tsr02d6q.fsf@ltc.des.dev>
In reply to: #4204

LuMiWa <lumiwa@dismail.de> writes:
> I tried to update and got:
> [...]
> No updates needed to update system to 15.0-RELEASE-p10.
>
> Is it okay, please?

The email you replied to already contains all the information you need
to make that determination.  Please take the time to read it.

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org

