Original file line number Diff line number Diff line change 1- 2026-6
1+ 2026-12
Original file line number Diff line number Diff line change 1+ id : MNBSD-2026-10
2+ summary : Missing large page handling in pmap_pkru_update_range()
3+ details : |
4+ In order to apply a particular protection key to an address range, the kernel
5+ must update the corresponding page table entries. The subroutine which handled
6+ this failed to take into account the presence of 1GB largepage mappings created
7+ using the shm_create_largepage(3) interface. In particular, it would always
8+ treat a page directory page entry as pointing to another page table page.
9+
10+ The bug can be abused by an unprivileged user to cause pmap_pkru_update_range()
11+ to treat userspace memory as a page table page, and thus overwrite memory to
12+ which the application would otherwise not have access.
13+ affected :
14+ - package :
15+ name : kernel
16+ ecosystem : MidnightBSD
17+ ranges :
18+ - type : ECOSYSTEM
19+ events :
20+ - introduced : " 0"
21+ - fixed : " 4.1.0"
22+ references :
23+ - type : WEB
24+ url : https://security.FreeBSD.org/advisories/FreeBSD-SA-26:11.amd64.asc
25+ - type : WEB
26+ url : https://www.cve.org/CVERecord?id=CVE-2026-6386
27+ aliases :
28+ - CVE-2026-6386
29+ modified : " 2026-04-21T12:00:00Z"
30+ published : " 2026-04-21T12:00:00Z"
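Review bot: the `fixed` event here is "4.1.0", while MNBSD-2026-7 and MNBSD-2026-8, published a week later (2026-04-29), are fixed in "4.0.5"; if this kernel fix was also merged to the 4.0 branch, the range understates the patched versions and 4.0.5 users will be reported as vulnerable, so please confirm which branches carry the fix. Separately, the FreeBSD-SA reference would be better typed `ADVISORY` than `WEB` in the `references` list; OSV defines that type and downstream tooling uses it to distinguish the upstream advisory from general links.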
Original file line number Diff line number Diff line change 1+ id : MNBSD-2026-11
2+ summary : Kernel use-after-free bug in the TIOCNOTTY handler
3+ details : |
4+ The implementation of TIOCNOTTY failed to clear a back-pointer from the
5+ structure representing the controlling terminal to the calling process'
6+ session. If the invoking process then exits, the terminal structure
7+ may end up containing a pointer to freed memory.
8+
9+ A malicious process can abuse the dangling pointer to grant itself root
10+ privileges.
11+ affected :
12+ - package :
13+ name : kernel
14+ ecosystem : MidnightBSD
15+ ranges :
16+ - type : ECOSYSTEM
17+ events :
18+ - introduced : " 0"
19+ - fixed : " 4.1.0"
20+ references :
21+ - type : WEB
22+ url : https://security.FreeBSD.org/advisories/FreeBSD-SA-26:10.tty.asc
23+ - type : WEB
24+ url : https://www.cve.org/CVERecord?id=CVE-2026-5398
25+ aliases :
26+ - CVE-2026-5398
27+ modified : " 2026-04-21T12:00:00Z"
28+ published : " 2026-04-21T12:00:00Z"
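Review bot: in the `details` block, "the calling process' session" should read "the calling process's session" (singular possessive). The same 4.1.0-versus-4.0.5 question raised for MNBSD-2026-10 applies to this `fixed` event, since both kernel advisories carry the same dates.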
Original file line number Diff line number Diff line change 1+ id : MNBSD-2026-12
2+ summary : Remote code execution via RPCSEC_GSS packet validation
3+ details : |
4+ Each RPCSEC_GSS data packet is validated by a routine which checks a signature
5+ in the packet. This routine copies a portion of the packet into a stack buffer,
6+ but fails to ensure that the buffer is sufficiently large, and a malicious
7+ client can trigger a stack overflow. Notably, this does not require the client
8+ to authenticate itself first.
9+
10+ As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution
11+ in the kernel is possible by an authenticated user that is able to send packets
12+ to the kernel's NFS server while kgssapi.ko is loaded into the kernel.
13+
14+ In userspace, applications which have librpcgss_sec loaded and run an RPC server
15+ are vulnerable to remote code execution from any client able to send it packets.
16+ We are not aware of any such applications in the FreeBSD base system.
17+ affected :
18+ - package :
19+ name : rpcsec_gss
20+ ecosystem : MidnightBSD
21+ ranges :
22+ - type : ECOSYSTEM
23+ events :
24+ - introduced : " 0"
25+ - fixed : " 4.0.5"
26+ references :
27+ - type : WEB
28+ url : https://security.FreeBSD.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc
29+ - type : WEB
30+ url : https://www.cve.org/CVERecord?id=CVE-2026-4747
31+ aliases :
32+ - CVE-2026-4747
33+ modified : " 2026-03-26T12:00:00Z"
34+ published : " 2026-03-26T12:00:00Z"
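Review bot: the `details` block contradicts itself on preconditions: the first paragraph says exploitation "does not require the client to authenticate itself first", while the second says kernel code execution "is possible by an authenticated user"; pick one, since the distinction decides whether this is pre-auth RCE on any host running the NFS server with kgssapi.ko loaded. Two smaller points in the same block: "librpcgss_sec" looks like a transposition of the library name (the FreeBSD userspace library is librpcsec_gss), and "the FreeBSD base system" should state what was verified for the MidnightBSD base system, which is the ecosystem this record describes. Also note that this record is published 2026-03-26, earlier than MNBSD-2026-7 through -11, yet carries the highest ID; if IDs are allocated at publication time, one of the dates or IDs is off.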
Original file line number Diff line number Diff line change 1+ id : MNBSD-2026-7
2+ summary : pf can overflow the stack parsing crafted SCTP packets
3+ details : |
4+ pf parses SCTP packets to discover additional addresses for SCTP endpoints,
5+ allowing it to create states allowing connections between these additional
6+ addresses.
7+
8+ Incorrect packet validation allowed unbounded recursion parsing SCTP chunk
9+ parameters. This can eventually result in a stack overflow and panic.
10+
11+ Remote attackers can craft packets which cause affected systems to panic.
12+ This affects any system where pf is configured to process traffic,
13+ independent of the configured ruleset.
14+ affected :
15+ - package :
16+ name : pf
17+ ecosystem : MidnightBSD
18+ ranges :
19+ - type : ECOSYSTEM
20+ events :
21+ - introduced : " 0"
22+ - fixed : " 4.0.5"
23+ references :
24+ - type : WEB
25+ url : https://security.FreeBSD.org/advisories/FreeBSD-SA-26:14.pf.asc
26+ - type : WEB
27+ url : https://www.cve.org/CVERecord?id=CVE-2026-7164
28+ aliases :
29+ - CVE-2026-7164
30+ modified : " 2026-04-29T12:00:00Z"
31+ published : " 2026-04-29T12:00:00Z"
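Review bot: the `package.name` is "pf" while the kernel advisories in this commit (MNBSD-2026-8, -10, -11) use "kernel"; pf is a kernel component, so a consumer matching on the kernel package will miss this record, and the record should either use "kernel" or the repository should document that kernel subsystems get their own package names. In the first `details` paragraph, "allowing it to create states allowing connections between these additional addresses" reads awkwardly; "so that it can create states that permit connections between these additional addresses" says the same thing once.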
Original file line number Diff line number Diff line change 1+ id : MNBSD-2026-8
2+ summary : Local privilege escalation via execve()
3+ details : |
4+ An operator precedence bug in the kernel results in a scenario where a buffer
5+ overflow causes attacker-controlled data to overwrite adjacent execve(2)
6+ argument buffers.
7+
8+ The bug may be exploitable by an unprivileged user to obtain superuser
9+ privileges.
10+ affected :
11+ - package :
12+ name : kernel
13+ ecosystem : MidnightBSD
14+ ranges :
15+ - type : ECOSYSTEM
16+ events :
17+ - introduced : " 0"
18+ - fixed : " 4.0.5"
19+ references :
20+ - type : WEB
21+ url : https://security.FreeBSD.org/advisories/FreeBSD-SA-26:13.exec.asc
22+ - type : WEB
23+ url : https://www.cve.org/CVERecord?id=CVE-2026-7270
24+ aliases :
25+ - CVE-2026-7270
26+ modified : " 2026-04-29T12:00:00Z"
27+ published : " 2026-04-29T12:00:00Z"
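Review bot: the first `details` sentence can be tightened without changing its meaning, for example "An operator precedence bug in the kernel allows a buffer overflow in which attacker-controlled data overwrites adjacent execve(2) argument buffers"; "results in a scenario where" adds nothing. The fixed version "4.0.5" is consistent with MNBSD-2026-7, published the same day.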
Original file line number Diff line number Diff line change 1+ id : MNBSD-2026-9
2+ summary : Remote code execution via malicious DHCP options
3+ details : |
4+ The BOOTP file field is written to the lease file without escaping embedded
5+ double-quotes, allowing injection of arbitrary dhclient.conf directives.
6+ When the lease file is subsequently re-parsed by dhclient, e.g., after a
7+ system restart, an attacker-controlled field from the lease is passed to
8+ dhclient-script(8), which evaluates it.
9+
10+ A rogue DHCP server may be able to execute arbitrary code as root on a system
11+ running dhclient.
12+ affected :
13+ - package :
14+ name : dhclient
15+ ecosystem : MidnightBSD
16+ ranges :
17+ - type : ECOSYSTEM
18+ events :
19+ - introduced : " 0"
20+ - fixed : " 4.1.0"
21+ references :
22+ - type : WEB
23+ url : https://security.FreeBSD.org/advisories/FreeBSD-SA-26:12.dhclient.asc
24+ - type : WEB
25+ url : https://www.cve.org/CVERecord?id=CVE-2026-42511
26+ aliases :
27+ - CVE-2026-42511
28+ modified : " 2026-04-29T12:00:00Z"
29+ published : " 2026-04-29T12:00:00Z"
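Review bot: the `fixed` event is "4.1.0", yet MNBSD-2026-7 and MNBSD-2026-8, published on the same day (2026-04-29), are fixed in "4.0.5"; either the dhclient fix was deliberately not merged to the 4.0 branch, in which case the record is correct but worth a `database_specific` note, or the version should be "4.0.5" to match the other two records from this batch.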