========================================================================== Ubuntu Security Notice USN-8280-2 May 22, 2026 linux-azure, linux-azure-5.4, linux-azure-fips vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-azure: Linux kernel for Microsoft Azure Cloud systems - linux-azure-fips: Linux kernel for Microsoft Azure Cloud systems with FIPS - linux-azure-5.4: Linux kernel for Microsoft Azure cloud systems Details: It was discovered that the Linux kernel algif_aead module did not properly handle in-place cryptographic operations. This flaw is known as Copy Fail. A local attacker could use this to escalate privileges, or possibly escape a container. (CVE-2026-31431) Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - Cryptographic API; - Packet sockets; - TLS protocol; (CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS linux-image-5.4.0-1163-azure 5.4.0-1163.169 Available with Ubuntu Pro linux-image-5.4.0-1163-azure-fips 5.4.0-1163.169+fips1 Available with Ubuntu Pro linux-image-azure-5.4 5.4.0.1163.155 Available with Ubuntu Pro linux-image-azure-fips 5.4.0.1163.99 Available with Ubuntu Pro linux-image-azure-fips-5.4 5.4.0.1163.99 Available with Ubuntu Pro linux-image-azure-lts-20.04 5.4.0.1163.155 Available with Ubuntu Pro Ubuntu 18.04 LTS linux-image-5.4.0-1163-azure 5.4.0-1163.169~18.04.1 Available with Ubuntu Pro linux-image-azure 5.4.0.1163.169~18.04.1 Available with Ubuntu Pro linux-image-azure-5.4 5.4.0.1163.169~18.04.1 Available with Ubuntu Pro After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-8280-2 https://ubuntu.com/security/notices/USN-8280-1 CVE-2026-31431, CVE-2026-31504, CVE-2026-31533, CVE-2026-43033, CVE-2026-43077, CVE-2026-43078
Friday, May 22, 2026
[USN-8290-1] Path-to-Regexp vulnerability
========================================================================== Ubuntu Security Notice USN-8290-1 May 21, 2026 node-path-to-regexp vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Path-to-Regexp could be made to crash if it received specially crafted network traffic. Software Description: - node-path-to-regexp: Turn a path string such as /user/:name into a regular expression. Details: It was discovered that Path-to-Regexp incorrectly handled route patterns containing multiple named parameters separated by non-delimiter characters such as hyphens. An attacker could possibly use this issue to cause a denial of service via catastrophic backtracking in the generated regular expressions. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS node-path-to-regexp 6.2.1-1ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 22.04 LTS node-path-to-regexp 6.2.0-2ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 20.04 LTS node-path-to-regexp 6.1.0-2ubuntu0.1~esm1 Available with Ubuntu Pro Ubuntu 18.04 LTS node-path-to-regexp 1.0.1-1ubuntu0.18.04.1~esm1 Available with Ubuntu Pro Ubuntu 16.04 LTS node-path-to-regexp 1.0.1-1ubuntu0.16.04.1~esm1 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8290-1 CVE-2024-45296
[USN-8291-2] Linux kernel (Low Latency) vulnerabilities
========================================================================== Ubuntu Security Notice USN-8291-2 May 22, 2026 linux-lowlatency-hwe-5.15 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS Summary: Several security issues were fixed in the Linux kernel. Software Description: - linux-lowlatency-hwe-5.15: Linux low latency kernel Details: Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This update corrects flaws in the following subsystems: - SMB network file system; - Netfilter; - io_uring subsystem; (CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS linux-image-5.15.0-178-lowlatency 5.15.0-178.188~20.04.1 Available with Ubuntu Pro linux-image-5.15.0-178-lowlatency-64k 5.15.0-178.188~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-5.15 5.15.0.178.188~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-64k-5.15 5.15.0.178.188~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-64k-hwe-20.04 5.15.0.178.188~20.04.1 Available with Ubuntu Pro linux-image-lowlatency-hwe-20.04 5.15.0.178.188~20.04.1 Available with Ubuntu Pro After a standard system update you need to reboot your computer to make all the necessary changes. ATTENTION: Due to an unavoidable ABI change the kernel updates have been given a new version number, which requires you to recompile and reinstall all third party kernel modules you might have installed. Unless you manually uninstalled the standard kernel metapackages (e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual, linux-powerpc), a standard system upgrade will automatically perform this as well. References: https://ubuntu.com/security/notices/USN-8291-2 https://ubuntu.com/security/notices/USN-8291-1 CVE-2024-35862, CVE-2024-50060, CVE-2026-23274, CVE-2026-23351
[USN-8295-1] Evince vulnerability
========================================================================== Ubuntu Security Notice USN-8295-1 May 22, 2026 evince vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Evince could be made to run programs as your login if it opened a specially crafted file. Software Description: - evince: Document viewer Details: It was discovered that Evince did not properly sanitize command-line arguments in PDF /GoToR actions. If a user opened a specially crafted PDF file, an attacker could possibly use this issue to execute arbitrary code. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS evince 49~alpha-2ubuntu2.1 evince-common 49~alpha-2ubuntu2.1 Ubuntu 25.10 evince 48.1-3ubuntu2.1 evince-common 48.1-3ubuntu2.1 Ubuntu 24.04 LTS evince 46.3.1-0ubuntu1.1 evince-common 46.3.1-0ubuntu1.1 Ubuntu 22.04 LTS evince 42.3-0ubuntu3.2 evince-common 42.3-0ubuntu3.2 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8295-1 CVE-2026-46529 Package Information: https://launchpad.net/ubuntu/+source/evince/49~alpha-2ubuntu2.1 https://launchpad.net/ubuntu/+source/evince/48.1-3ubuntu2.1 https://launchpad.net/ubuntu/+source/evince/46.3.1-0ubuntu1.1 https://launchpad.net/ubuntu/+source/evince/42.3-0ubuntu3.2
Thursday, May 21, 2026
[USN-8294-1] PostgreSQL vulnerabilities
========================================================================== Ubuntu Security Notice USN-8294-1 May 21, 2026 postgresql-14, postgresql-16, postgresql-17, postgresql-18 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in PostgreSQL. Software Description: - postgresql-18: Object-relational SQL database - postgresql-17: Object-relational SQL database - postgresql-16: Object-relational SQL database - postgresql-14: Object-relational SQL database Details: It was discovered that PostgreSQL did not correctly enforce authorization for CREATE TYPE. An attacker could possibly use this issue to execute arbitrary SQL functions. (CVE-2026-6472) It was discovered that PostgreSQL incorrectly handled large user input in multiple server features. An attacker could possibly use this issue to cause PostgreSQL to crash, resulting in a denial of service, or execute arbitrary code. (CVE-2026-6473) It was discovered that PostgreSQL incorrectly handled format strings in the timeofday() function. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-6474) It was discovered that PostgreSQL incorrectly followed symbolic links in pg_basebackup and pg_rewind. An attacker could possibly use this issue to overwrite local files and execute arbitrary code. (CVE-2026-6475) It was discovered that PostgreSQL had an SQL injection vulnerability in pg_createsubscriber. An attacker could possibly use this issue to execute arbitrary SQL as a superuser. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-6476) It was discovered that PostgreSQL used an unsafe libpq function in large object operations. An attacker could possibly use this issue to overwrite client memory and execute arbitrary code. (CVE-2026-6477) It was discovered that PostgreSQL did not compare MD5-hashed passwords in constant time. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-6478) It was discovered that PostgreSQL had uncontrolled recursion during SSL and GSS negotiation. An attacker could possibly use this issue to cause a denial of service. (CVE-2026-6479) It was discovered that PostgreSQL incorrectly handled array length mismatches in pg_restore_attribute_stats(). An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 26.04 LTS. (CVE-2026-6575) It was discovered that PostgreSQL had a stack buffer overflow in the refint module. An attacker could use this issue to cause PostgreSQL to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-6637) It was discovered that PostgreSQL had an SQL injection vulnerability in logical replication REFRESH PUBLICATION. An attacker could possibly use this issue to execute arbitrary SQL. This issue only affected Ubuntu 24.04 LTS, Ubuntu 25.10, and Ubuntu 26.04 LTS. (CVE-2026-6638) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS postgresql-18 18.4-0ubuntu0.26.04.1 Ubuntu 25.10 postgresql-17 17.10-0ubuntu0.25.10.1 Ubuntu 24.04 LTS postgresql-16 16.14-0ubuntu0.24.04.1 Ubuntu 22.04 LTS postgresql-14 14.23-0ubuntu0.22.04.1 This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8294-1 CVE-2026-6472, CVE-2026-6473, CVE-2026-6474, CVE-2026-6475, CVE-2026-6476, CVE-2026-6477, CVE-2026-6478, CVE-2026-6479, CVE-2026-6575, CVE-2026-6637, CVE-2026-6638 Package Information: https://launchpad.net/ubuntu/+source/postgresql-18/18.4-0ubuntu0.26.04.1 https://launchpad.net/ubuntu/+source/postgresql-17/17.10-0ubuntu0.25.10.1 https://launchpad.net/ubuntu/+source/postgresql-16/16.14-0ubuntu0.24.04.1 https://launchpad.net/ubuntu/+source/postgresql-14/14.23-0ubuntu0.22.04.1
[USN-8293-1] Bind vulnerabilities
========================================================================== Ubuntu Security Notice USN-8293-1 May 21, 2026 bind9 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in Bind. Software Description: - bind9: Internet Domain Name Server Details: Vitaly Simonovich discovered that Bind could exhaust memory during GSS-API TKEY negotiation. A remote attacker could possibly use this issue to cause Bind to use excessive resources, leading to a denial of service. (CVE-2026-3039) Shuhan Zhang discovered that Bind incorrectly handled self-pointed glue records. A remote attacker could possibly use this issue to use Bind in denial of service amplification attacks against other systems. (CVE-2026-3592) Naresh Kandula Parmar discovered that Bind incorrectly handled memory in the DNS-over-HTTPS implementation. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service, or execute arbitrary code. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-3593) It was discovered that Bind incorrectly handled DNS messages whose class was not IN. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. (CVE-2026-5946) Naoki Wakamatsu discovered that Bind incorrectly handled SIG(0) validation during a query flood. A remote attacker could possibly use this issue to cause Bind to crash, resulting in a denial of service. This issue only affected Ubuntu 25.10 and Ubuntu 26.04 LTS. (CVE-2026-5947) Billy Baraja discovered that Bind had an unbounded resend loop in the resolver. A remote attacker could possibly use this issue to cause Bind to use excessive resources, leading to a denial of service. (CVE-2026-5950) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS bind9 1:9.20.18-1ubuntu2.1 Ubuntu 25.10 bind9 1:9.20.11-1ubuntu2.4 Ubuntu 24.04 LTS bind9 1:9.18.39-0ubuntu0.24.04.5 Ubuntu 22.04 LTS bind9 1:9.18.39-0ubuntu0.22.04.4 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8293-1 CVE-2026-3039, CVE-2026-3592, CVE-2026-3593, CVE-2026-5946, CVE-2026-5947, CVE-2026-5950 Package Information: https://launchpad.net/ubuntu/+source/bind9/1:9.20.18-1ubuntu2.1 https://launchpad.net/ubuntu/+source/bind9/1:9.20.11-1ubuntu2.4 https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubuntu0.24.04.5 https://launchpad.net/ubuntu/+source/bind9/1:9.18.39-0ubuntu0.22.04.4
[USN-8292-1] libarchive vulnerabilities
========================================================================== Ubuntu Security Notice USN-8292-1 May 21, 2026 libarchive vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS - Ubuntu 14.04 LTS Summary: Several security issues were fixed in libarchive. Software Description: - libarchive: Library to read/write archive files Details: It was discovered that libarchive incorrectly handled certain RAR archives. An attacker could possibly use this issue to cause an out-of-bounds read via a crafted RAR archive, leading to sensitive memory disclosure. (CVE-2026-4424) It was discovered that libarchive incorrectly handled certain ISO files. An attacker could possibly use this issue to cause incorrect memory allocation via a crafted ISO file, leading to a denial of service. (CVE-2026-4426) It was discovered that libarchive incorrectly handled block pointer allocation in zisofs on 32-bit systems. An attacker could possibly use this issue to cause a heap buffer overflow via a crafted ISO9660 image, possibly leading to arbitrary code execution. (CVE-2026-5121) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS libarchive-dev 3.8.5-1ubuntu2.1 libarchive-tools 3.8.5-1ubuntu2.1 libarchive13t64 3.8.5-1ubuntu2.1 Ubuntu 25.10 libarchive-dev 3.7.7-0ubuntu3.2 libarchive-tools 3.7.7-0ubuntu3.2 libarchive13t64 3.7.7-0ubuntu3.2 Ubuntu 24.04 LTS libarchive-dev 3.7.2-2ubuntu0.7 libarchive-tools 3.7.2-2ubuntu0.7 libarchive13t64 3.7.2-2ubuntu0.7 Ubuntu 22.04 LTS libarchive-dev 3.6.0-1ubuntu1.7 libarchive-tools 3.6.0-1ubuntu1.7 libarchive13 3.6.0-1ubuntu1.7 Ubuntu 20.04 LTS libarchive-dev 3.4.0-2ubuntu1.5+esm2 Available with Ubuntu Pro libarchive-tools 3.4.0-2ubuntu1.5+esm2 Available with Ubuntu Pro libarchive13 3.4.0-2ubuntu1.5+esm2 Available with Ubuntu Pro Ubuntu 18.04 LTS bsdcpio 3.2.2-3.1ubuntu0.7+esm3 Available with Ubuntu Pro bsdtar 3.2.2-3.1ubuntu0.7+esm3 Available with Ubuntu Pro libarchive-dev 3.2.2-3.1ubuntu0.7+esm3 Available with Ubuntu Pro libarchive-tools 3.2.2-3.1ubuntu0.7+esm3 Available with Ubuntu Pro libarchive13 3.2.2-3.1ubuntu0.7+esm3 Available with Ubuntu Pro Ubuntu 16.04 LTS bsdcpio 3.1.2-11ubuntu0.16.04.8+esm3 Available with Ubuntu Pro bsdtar 3.1.2-11ubuntu0.16.04.8+esm3 Available with Ubuntu Pro libarchive-dev 3.1.2-11ubuntu0.16.04.8+esm3 Available with Ubuntu Pro libarchive13 3.1.2-11ubuntu0.16.04.8+esm3 Available with Ubuntu Pro Ubuntu 14.04 LTS bsdcpio 3.1.2-7ubuntu2.8+esm5 Available with Ubuntu Pro bsdtar 3.1.2-7ubuntu2.8+esm5 Available with Ubuntu Pro libarchive-dev 3.1.2-7ubuntu2.8+esm5 Available with Ubuntu Pro libarchive13 3.1.2-7ubuntu2.8+esm5 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8292-1 CVE-2026-4424, CVE-2026-4426, CVE-2026-5121 Package Information: https://launchpad.net/ubuntu/+source/libarchive/3.8.5-1ubuntu2.1 https://launchpad.net/ubuntu/+source/libarchive/3.7.7-0ubuntu3.2 https://launchpad.net/ubuntu/+source/libarchive/3.7.2-2ubuntu0.7 https://launchpad.net/ubuntu/+source/libarchive/3.6.0-1ubuntu1.7
[USN-8288-1] Bubblewrap vulnerability
========================================================================== Ubuntu Security Notice USN-8288-1 May 20, 2026 bubblewrap vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 25.10 Summary: Bubblewrap could be made to bypass sandbox restrictions. Software Description: - bubblewrap: Low-level unprivileged sandboxing tool used by Flatpak and similar projects Details: It was discovered that Bubblewrap incorrectly handled the sandbox setup phase when installed in setuid mode. A local attacker could possibly use this issue to bypass sandbox restrictions. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS bubblewrap 0.11.1-1ubuntu0.1 Ubuntu 25.10 bubblewrap 0.11.0-2ubuntu0.1 In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8288-1 CVE-2026-41163 Package Information: https://launchpad.net/ubuntu/+source/bubblewrap/0.11.1-1ubuntu0.1 https://launchpad.net/ubuntu/+source/bubblewrap/0.11.0-2ubuntu0.1
Wednesday, May 20, 2026
Bouncing messages from freebsd-announce@FreeBSD.org
Hi, this is the Mlmmj program managing the <freebsd-announce@FreeBSD.org> mailing list. Some messages to you could not be delivered. If you're seeing this message it means things are back to normal, and it's merely for your information. Here is the list of the bounced messages: - 259, Message-ID: <20260520222412.AB1E59E91@freefall.freebsd.org> - 260, Message-ID: <20260520222417.DCC0C9E21@freefall.freebsd.org>
FreeBSD Security Advisory FreeBSD-SA-26:22.libcasper
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:22.libcasper Security Advisory The FreeBSD Project Topic: select(2) file descriptor set overflow causes stack overflow Category: core Module: libcasper Announced: 2026-05-20 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:41 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:35 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:38:00 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:40:00 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:38 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-39461 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background libcasper(3) allows Capsicum-sandboxed applications to access system interfaces that are otherwise unavailable within the sandbox. It is used by numerous programs in the base system. II. Problem Description libcasper(3) communicates with helper processes via UNIX domain sockets, and uses the select(2) system call to wait for data to become available. However, it does not verify that its socket descriptor fits within select(2)'s descriptor set size limit of FD_SETSIZE (1024). III. Impact An attacker able to cause an application using libcasper(3) to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, may trigger stack corruption. If the target application runs with setuid root privileges, this could be used to escalate local privileges. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, which were not installed using base system packages, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.x] # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-15.patch.asc # gpg --verify libcasper-15.patch.asc [FreeBSD 14.x] # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-14.patch # fetch https://security.FreeBSD.org/patches/SA-26:22/libcasper-14.patch.asc # gpg --verify libcasper-14.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 23929d729d1a stable/15-n283644 releng/15.0/ e22f3f55c360 releng/15.0-n281044 stable/14/ 9e74d5e2e5e4 stable/14-n274167 releng/14.4/ ae34dd1a391f releng/14.4-n273707 releng/14.3/ cbec31838173 releng/14.3-n271507 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References <URL:https://www.cve.org/CVERecord?id=CVE-2026-39461> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:22.libcasper.asc> -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHsbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrveQAP/iyv1O1XI6tSrRictadU 9tBJFE5WlWGPrB8ID/12nLsKaTM5hzbA1G+v8c3So3FaSEl+m7D8BTri4X0XPibQ 5Pp4v67MO+yqsNxOjwyqAizOnD5bk/sEUuBV5JijZuqsAiEWFw5l0dKDU83zt3vu hyk8/eeKuIxEwDiWQoeE32RM3BupY1ClWp46kiSjvOVzUK04miHQjgFFnVqkBuI7 DeanTjzCw3g+RQNTRKVGE2LYRLFHka6m4Z5RYT7beFOLdlD58T7lvQLl3l3f2QSR hXcq5RxAhf4omPkm432fIdd4nev4gti3rxJC76NM2rIHGeSlRd4O7MHreNwNkU2O 8Rv8IWMCM20zZCtbov7q8XbTqKp8JXSJ/8g15iZuZ4wk+THnpRy7dsRe5eYQvVbB J/zBKB9xMXGp69+88uZHDsSSoS841pkZ61+MlxeK4xC3MO6tlTO0Hannhmy8WCb4 U5GimvX3EcvhGeBWRvPTdPJY9EcrDPDU2djaiFzPZZ7rrUjR8YJ685fyj161nnb+ ibubcwiz7ygQu8b9T0rc1AV5ZTAC/QAlRarDpRNx2Ynh/FlZ89n+N5LnSHwGXc/v /P+ob/5AqdLfyofw5pcx/FVuAiK4bjqDGGYuZw1tplg/L7AV3k87zIMYdCgr3e95 PyQCsFAG014gMVETPGHKm6/7 =ypPx -----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-26:21.ptrace
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:21.ptrace Security Advisory The FreeBSD Project Topic: Missing validation in ptrace(PT_SC_REMOTE) Category: core Module: ptrace Announced: 2026-05-20 Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai Credits: Ryan at Calif.io Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:40 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:34 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:59 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:59 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:37 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45253 This vulnerability was independently reported by multiple parties prior to publication. For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The ptrace(2) system call provides facilities for a debugger to control the execution of a target process and to obtain status information about it. Among other capabilities, it permits a debugger to execute arbitrary system calls in the target process via the PT_SC_REMOTE operation. II. Problem Description ptrace(PT_SC_REMOTE) failed to properly validate parameters for the syscall(2) and __syscall(2) meta-system calls. As a result, a user with the ability to debug a process may trigger arbitrary code execution in the kernel, even if the target process has no special privileges. III. Impact The missing validation allows an unprivileged local user to escalate privileges, potentially gaining full control of the affected system. IV. Workaround No workaround is available. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-15.patch.asc # gpg --verify ptrace-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.4.patch.asc # gpg --verify ptrace-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:21/ptrace-14.3.patch.asc # gpg --verify ptrace-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 3b4afab9add2 stable/15-n283643 releng/15.0/ fd24dd0b38a8 releng/15.0-n281043 stable/14/ fac902a3e039 stable/14-n274166 releng/14.4/ c21d23f0f8be releng/14.4-n273706 releng/14.3/ 45bd421661c4 releng/14.3-n271506 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References <URL:https://www.cve.org/CVERecord?id=CVE-2026-45253> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:21.ptrace.asc> -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHcbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvLd0QAOQGyaTmlTQJTS+EIPMU +poVU59Fe4L+/+H8LSibnCPBbycH1bv6m9e906s/za0IBLGVq7PhY0U1YtPO5++J A86nLzgqk4hEU5RWmA3+dnLYrIxOf3fVvSev/XAZe/1eWwcljYRCtqLV+IBmyxeZ amfYoXliUTuZHO+r+88HVAgDy6efZ3IlnHF9iMlpsF0IFezpgFh4E6tiJk9/pMlz wuXpHCm34rEjy6bvQaDP9G1zXGszrEatT25d9rKZnHscZCQuRgtpLaOVCuH8oDca +1PFTfTNJnepH9Ir1nSaYLViZdHfuDK40CafZm54q4669AramrySoxNJlnNHOiMK DN4aqxMfW5xCEEK+fIJYqTyW2L3WzRJ8tm3bF/zzsMYTsNmclcklzmuMNqsGQls1 TGIhb+J+e0vkdZOpuJaT65pmGaF2dJeBvwNsIMJgtY3yotUPbDFD1ALNVUwIkKYh m68XK0Ykw93ySLjbORUVFLP5nv5PvYtubAy37q5tskN6hXLlyX5a0QxIL5T5u0jx hwDnyl4UAHGmkBM8U0CnaQbixP/yV0p5q+3NtpBurHB74tov593/U1eroydDywRl Mw2R3k7AFIC5CszwMA6J0l3W2tLq/j7tcTQ/8CNgPpP/TPVntQxQShxB93F+/MdX n9D4phEb7cKk4Y9QIBKkdbYZ =egz5 -----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-26:20.fusefs
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-26:20.fusefs Security Advisory The FreeBSD Project Topic: Heap overflow in FUSE_LISTXATTR Category: core Module: fusefs Announced: 2026-05-20 Credits: Joshua Rogers of AISLE Research Team Affects: All supported versions of FreeBSD. Corrected: 2026-05-20 19:36:38 UTC (stable/15, 15.0-STABLE) 2026-05-20 19:39:32 UTC (releng/15.0, 15.0-RELEASE-p9) 2026-05-20 19:37:58 UTC (stable/14, 14.4-STABLE) 2026-05-20 19:39:58 UTC (releng/14.4, 14.4-RELEASE-p5) 2026-05-20 19:40:36 UTC (releng/14.3, 14.3-RELEASE-p14) CVE Name: CVE-2026-45252 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>. I. Background The fusefs file system delegates file system operations to a userspace daemon. This daemon ordinarily requires root privileges to operate. When the "vfs.usermount" sysctl is set to 1 (not the default), unprivileged users are permitted to run such daemons and mount fusefs file systems. II. Problem Description When a fusefs file system implements extended attributes, the kernel may send a FUSE_LISTXATTR message to the userspace daemon to retrieve the list of extended attributes for a given file. The FUSE protocol requires the daemon to return a packed list of NUL-terminated strings. The fusefs kernel module calls strlen() on this daemon-supplied buffer without first verifying that the entire list is NUL-terminated. III. Impact If a malicious daemon sends a non-NUL-terminated list, the fusefs kernel module may read beyond the end of one heap-allocated buffer and potentially write beyond the end of a second buffer. A malicious daemon could disclose up to 253 bytes of kernel heap memory, or it could inject up to 250 attacker-controlled bytes into unallocated kernel heap space. IV. Workaround No workaround is available, but systems that do not load the fusefs kernel module or set vfs.usermount=1 are unaffected. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system. Perform one of the following: 1) To update your vulnerable system installed from base system packages: Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64 platforms, which were installed using base system packages, can be updated via the pkg(8) utility: # pkg upgrade -r FreeBSD-base # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system installed from binary distribution sets: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms which were not installed using base system packages can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 15.0] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-15.patch.asc # gpg --verify fusefs-15.patch.asc [FreeBSD 14.4] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.4.patch.asc # gpg --verify fusefs-14.4.patch.asc [FreeBSD 14.3] # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch # fetch https://security.FreeBSD.org/patches/SA-26:20/fusefs-14.3.patch.asc # gpg --verify fusefs-14.3.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ df3f3fa82775 stable/15-n283642 releng/15.0/ 0dd8b983db3c releng/15.0-n281042 stable/14/ 25148c51c8c6 stable/14-n274165 releng/14.4/ 6a299460f159 releng/14.4-n273705 releng/14.3/ 53f3bf4ee1ce releng/14.3-n271505 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat <commit hash> Or visit the following URL, replacing NNNNNN with the hash: <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References <URL:https://www.cve.org/CVERecord?id=CVE-2026-45252> The latest revision of this advisory is available at <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:20.fusefs.asc> -----BEGIN PGP SIGNATURE----- iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoOKHIbFIAAAAAABAAO bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrvobkP/R3O3bwsnJkhG1NQ6pKh UFcwpZ8TSAqtccHZRQz2zoKTqu/EeClT7Bdgw/Qa8gbZ7IfZgS8AJaR7e4fgpE96 AhHU6cbyZrpwvWUatIKgX57032+M1ioMiz9g0KbGg4W4WKe/QHj4yt45F7qRfLNb BD7Qp7E0XtV+UrNXkhOQQmHyVTpB85tK/e5Yc+vcSgAQ3LWrzwO4zED4f78e3faw oiLm1oE/Vx0jfrRKsnCECdJS532xlfH6iJ2/2ZXfUthGQmZQe34wOMwYS0EcaGZV TQoLwsg5qLj4hJOGMCZk4X4TjrkoQquWdsAQetB8tqXIyw7QEgbMIIbhS3mQZ5CW aEq3wbYMowxCMb/6Dd/R56wDqyGI2Z6GHmUT58M0OSIIISfsD+UHOCW2lrQQ5zrI o1O/IFAvqsmCN6JQzFgC3KC8BLLZWzxf5Bun6yOls/YA31zOXAen0isnbOvVnGot 42Dy65fENCUQMt+p3eDDLQzxDhlqGAGbiqysBmxwTA5Wqc4furv7O0wmBPwOOGeH NqlKYsqO9u4kEW2lTCPs7R5+wsc+EACc07kikDQgp1m59JlkMfmXU4Kbcgw9r4GR 9OWtidfTCDGmt9mXzJVKaBurgJ1iqsBfzzLamWo0iDpUMgUP7VA9jVjVbUmtjH1V qAWdXCXwrbOr+eA50IIPxkal =HzW3 -----END PGP SIGNATURE-----