Commit a84f688

committed
add new advisories
1 parent 2309618 commit a84f688

7 files changed

Lines changed: 180 additions & 1 deletion

File tree

latest-id.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
2026-6
1+
2026-12
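Review bot: the counter moves from 2026-6 to 2026-12, which matches the six new records MNBSD-2026-7 through MNBSD-2026-12 added in this commit. Note that the files in this commit are listed in string order (10, 11, 12 before 7, 8, 9), so any tooling that derives the next id by sorting existing filenames instead of reading latest-id.txt would allocate the wrong number. Also, MNBSD-2026-12 carries an earlier published date (2026-03-26) than MNBSD-2026-7 (2026-04-29), so ids are not allocated in publication order; that is acceptable as long as this counter only ever increases.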
Lines changed: 30 additions & 0 deletions
@@ -0,0 +1,30 @@
1+
id: MNBSD-2026-10
2+
summary: Missing large page handling in pmap_pkru_update_range()
3+
details: |
4+
In order to apply a particular protection key to an address range, the kernel
5+
must update the corresponding page table entries. The subroutine which handled
6+
this failed to take into account the presence of 1GB largepage mappings created
7+
using the shm_create_largepage(3) interface. In particular, it would always
8+
treat a page directory page entry as pointing to another page table page.
9+
10+
The bug can be abused by an unprivileged user to cause pmap_pkru_update_range()
11+
to treat userspace memory as a page table page, and thus overwrite memory to
12+
which the application would otherwise not have access.
13+
affected:
14+
- package:
15+
name: kernel
16+
ecosystem: MidnightBSD
17+
ranges:
18+
- type: ECOSYSTEM
19+
events:
20+
- introduced: "0"
21+
- fixed: "4.1.0"
22+
references:
23+
- type: WEB
24+
url: https://security.FreeBSD.org/advisories/FreeBSD-SA-26:11.amd64.asc
25+
- type: WEB
26+
url: https://www.cve.org/CVERecord?id=CVE-2026-6386
27+
aliases:
28+
- CVE-2026-6386
29+
modified: "2026-04-21T12:00:00Z"
30+
published: "2026-04-21T12:00:00Z"
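Review bot: both references are typed WEB, but the OSV reference types include ADVISORY, which is the right type for the FreeBSD-SA-26:11.amd64 link and the CVE record, and lets consumers distinguish the authoritative advisory from ancillary links; consider `- type: ADVISORY` for both entries. The same applies to the other five records in this commit. If the upstream advisory carries a CVSS score, an optional `severity` block would also help consumers rank this against the others.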
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
id: MNBSD-2026-11
2+
summary: Kernel use-after-free bug in the TIOCNOTTY handler
3+
details: |
4+
The implementation of TIOCNOTTY failed to clear a back-pointer from the
5+
structure representing the controlling terminal to the calling process'
6+
session. If the invoking process then exits, the terminal structure
7+
may end up containing a pointer to freed memory.
8+
9+
A malicious process can abuse the dangling pointer to grant itself root
10+
privileges.
11+
affected:
12+
- package:
13+
name: kernel
14+
ecosystem: MidnightBSD
15+
ranges:
16+
- type: ECOSYSTEM
17+
events:
18+
- introduced: "0"
19+
- fixed: "4.1.0"
20+
references:
21+
- type: WEB
22+
url: https://security.FreeBSD.org/advisories/FreeBSD-SA-26:10.tty.asc
23+
- type: WEB
24+
url: https://www.cve.org/CVERecord?id=CVE-2026-5398
25+
aliases:
26+
- CVE-2026-5398
27+
modified: "2026-04-21T12:00:00Z"
28+
published: "2026-04-21T12:00:00Z"
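Review bot: the details state that the terminal structure "may end up containing a pointer to freed memory" once the invoking process exits, but the record gives no mitigation or workaround line; if the source FreeBSD-SA-26:10.tty advisory lists one (or states that none exists), carry that over so readers know whether updating to 4.1.0 is the only remedy. Minor: "calling process' session" should read "calling process's session".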
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
id: MNBSD-2026-12
2+
summary: Remote code execution via RPCSEC_GSS packet validation
3+
details: |
4+
Each RPCSEC_GSS data packet is validated by a routine which checks a signature
5+
in the packet. This routine copies a portion of the packet into a stack buffer,
6+
but fails to ensure that the buffer is sufficiently large, and a malicious
7+
client can trigger a stack overflow. Notably, this does not require the client
8+
to authenticate itself first.
9+
10+
As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution
11+
in the kernel is possible by an authenticated user that is able to send packets
12+
to the kernel's NFS server while kgssapi.ko is loaded into the kernel.
13+
14+
In userspace, applications which have librpcgss_sec loaded and run an RPC server
15+
are vulnerable to remote code execution from any client able to send it packets.
16+
We are not aware of any such applications in the FreeBSD base system.
17+
affected:
18+
- package:
19+
name: rpcsec_gss
20+
ecosystem: MidnightBSD
21+
ranges:
22+
- type: ECOSYSTEM
23+
events:
24+
- introduced: "0"
25+
- fixed: "4.0.5"
26+
references:
27+
- type: WEB
28+
url: https://security.FreeBSD.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc
29+
- type: WEB
30+
url: https://www.cve.org/CVERecord?id=CVE-2026-4747
31+
aliases:
32+
- CVE-2026-4747
33+
modified: "2026-03-26T12:00:00Z"
34+
published: "2026-03-26T12:00:00Z"
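Review bot: the details contradict themselves on authentication. The first paragraph says triggering the overflow "does not require the client to authenticate itself first", while the second says kernel remote code execution "is possible by an authenticated user"; reconcile this with the source advisory before publishing, since it changes the severity a reader will assign. Also, the last sentence refers to "the FreeBSD base system"; this is a MidnightBSD record, so either restate that claim for MidnightBSD or attribute it explicitly to the upstream advisory.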
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
id: MNBSD-2026-7
2+
summary: pf can overflow the stack parsing crafted SCTP packets
3+
details: |
4+
pf parses SCTP packets to discover additional addresses for SCTP endpoints,
5+
allowing it to create states allowing connections between these additional
6+
addresses.
7+
8+
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk
9+
parameters. This can eventually result in a stack overflow and panic.
10+
11+
Remote attackers can craft packets which cause affected systems to panic.
12+
This affects any system where pf is configured to process traffic,
13+
independent of the configured ruleset.
14+
affected:
15+
- package:
16+
name: pf
17+
ecosystem: MidnightBSD
18+
ranges:
19+
- type: ECOSYSTEM
20+
events:
21+
- introduced: "0"
22+
- fixed: "4.0.5"
23+
references:
24+
- type: WEB
25+
url: https://security.FreeBSD.org/advisories/FreeBSD-SA-26:14.pf.asc
26+
- type: WEB
27+
url: https://www.cve.org/CVERecord?id=CVE-2026-7164
28+
aliases:
29+
- CVE-2026-7164
30+
modified: "2026-04-29T12:00:00Z"
31+
published: "2026-04-29T12:00:00Z"
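Review bot: the package is named `pf` here, while MNBSD-2026-8, -10 and -11 in this same commit use `name: kernel` for other in-kernel components. Consumers that match advisories against installed package names need one consistent convention, so either use `kernel` here or document that kernel subsystem names are used as package names. Wording: "allowing it to create states allowing connections" repeats "allowing"; "so that it can create states for connections between these additional addresses" reads better.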
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
id: MNBSD-2026-8
2+
summary: Local privilege escalation via execve()
3+
details: |
4+
An operator precedence bug in the kernel results in a scenario where a buffer
5+
overflow causes attacker-controlled data to overwrite adjacent execve(2)
6+
argument buffers.
7+
8+
The bug may be exploitable by an unprivileged user to obtain superuser
9+
privileges.
10+
affected:
11+
- package:
12+
name: kernel
13+
ecosystem: MidnightBSD
14+
ranges:
15+
- type: ECOSYSTEM
16+
events:
17+
- introduced: "0"
18+
- fixed: "4.0.5"
19+
references:
20+
- type: WEB
21+
url: https://security.FreeBSD.org/advisories/FreeBSD-SA-26:13.exec.asc
22+
- type: WEB
23+
url: https://www.cve.org/CVERecord?id=CVE-2026-7270
24+
aliases:
25+
- CVE-2026-7270
26+
modified: "2026-04-29T12:00:00Z"
27+
published: "2026-04-29T12:00:00Z"
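Review bot: the details name the cause (an operator precedence bug leading to an overflow into adjacent execve(2) argument buffers) but no affected function or fix reference. If the upstream fix commit is known, add a `- type: FIX` reference to it so that anyone backporting can locate the change. The `introduced: "0"` / `fixed: "4.0.5"` range is consistent with MNBSD-2026-7 and MNBSD-2026-12 in this commit.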
Lines changed: 29 additions & 0 deletions
@@ -0,0 +1,29 @@
1+
id: MNBSD-2026-9
2+
summary: Remote code execution via malicious DHCP options
3+
details: |
4+
The BOOTP file field is written to the lease file without escaping embedded
5+
double-quotes, allowing injection of arbitrary dhclient.conf directives.
6+
When the lease file is subsequently re-parsed by dhclient, e.g., after a
7+
system restart, an attacker-controlled field from the lease is passed to
8+
dhclient-script(8), which evaluates it.
9+
10+
A rogue DHCP server may be able to execute arbitrary code as root on a system
11+
running dhclient.
12+
affected:
13+
- package:
14+
name: dhclient
15+
ecosystem: MidnightBSD
16+
ranges:
17+
- type: ECOSYSTEM
18+
events:
19+
- introduced: "0"
20+
- fixed: "4.1.0"
21+
references:
22+
- type: WEB
23+
url: https://security.FreeBSD.org/advisories/FreeBSD-SA-26:12.dhclient.asc
24+
- type: WEB
25+
url: https://www.cve.org/CVERecord?id=CVE-2026-42511
26+
aliases:
27+
- CVE-2026-42511
28+
modified: "2026-04-29T12:00:00Z"
29+
published: "2026-04-29T12:00:00Z"
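Review bot: the details explain that the injected content lives in the lease file and is evaluated again whenever dhclient re-parses it, e.g. after a reboot, but the record does not say whether a lease file written by a vulnerable dhclient remains dangerous after updating to 4.1.0. Add a sentence stating whether existing lease files should be inspected or removed after the update, since updating the binary alone does not remove directives already stored on disk.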
