Month: April 2026

This week brought two critical security advisories (both discovered with AI-assisted fuzzing), a bumper Q1 status report with 45 entries, and the official start of the 15.1 release cycle. If you’re still on FreeBSD 13.5, the clock is ticking.

Two Security Advisories, One Day

On April 21, the FreeBSD Security Team released two advisories — both credited to Nicholas Carlini using Claude (Anthropic). AI-assisted fuzzing finding two independent kernel bugs is noteworthy and signals a shift in how vulnerability research is done.

SA-26:10.tty — Use-After-Free in TIOCNOTTY Handler (CVE-2026-5398, CVSS 8.4 HIGH)

The TIOCNOTTY ioctl lets a process detach from its controlling terminal. The implementation failed to clear a back-pointer from the terminal structure to the calling process’s session. When the process subsequently exits, the terminal structure retains a dangling pointer to freed memory — which a malicious process can exploit to escalate to root.

All supported FreeBSD versions are affected (13.5, 14.3, 14.4, 15.0). No workaround exists. Patch and reboot.

SA-26:11.amd64 — Missing Large Page Handling in pmap_pkru_update_range() (CVE-2026-6386)

The pmap_pkru_update_range() function updates page table entries when applying Memory Protection Keys (PKRU) to an address range. It didn’t account for 1GB large page mappings created via shm_create_largepage(). Instead of recognizing a page directory entry as a large page, it treated it as a pointer to another page table page.

The result: an unprivileged user can trick the kernel into treating userspace memory as a page table, overwriting memory they shouldn’t have access to. Affects all supported versions on amd64. No workaround.

Takeaway: If you run amd64 systems, patch immediately. Both bugs are locally exploitable, and SA-26:10 leads directly to root. The AI-assisted discovery method is a clear signal: defenders need to adopt these tools as fast as attackers already have.

Q1 2026 Status Report: 45 Entries

The Q1 2026 Status Report landed on April 22 with 45 entries — the first under a newly enforced editorial schedule. Highlights:

Alpha-Omega Beach Cleaning

The FreeBSD Foundation continues its Beach Cleaning project, funded by the Linux Foundation’s Alpha-Omega initiative. The goal: proactively find and fix security vulnerabilities in third-party base system software. The repository includes build infrastructure and fuzzing setups for components like libxml2, SQLite, and other base system dependencies. The connection to this week’s two SAs is obvious — structured fuzzing pays off.

Cyber Resilience Act (CRA) Readiness

The EU’s Cyber Resilience Act is law, and FreeBSD must prepare. The Foundation launched a dedicated CRA Readiness project with monthly updates. Core questions: Which SBOM requirements apply? How is vulnerability management documented? Anyone deploying FreeBSD in EU-compliant products should follow this closely.

Laptop Testing & Integration

The Laptop Integration Testing Project introduced a Python application that automates FreeBSD compatibility testing on laptops. The Foundation is asking the community to submit hardware probes to build a public compatibility matrix. Other laptop progress:

• S0ix (Modern Standby): Suspend/Resume support for modern laptops
• Hibernate (Suspend-to-Disk): Under active development
• CPPC: AMD CPPC support for Zen 2+ processors (out-of-tree module available)
• Intel FRED: Konstantin Belousov (kib) submitted initial patches for Intel’s Flexible Return and Event Delivery — CPUID, MSR, and CR4 bits are in main, full FRED support is under review

Sylvea v0.2.3

The management tool Sylvea reached v0.2.3 with enhanced jail and VM support. A lightweight GUI for Bhyve, Jails, ZFS, and networking — an interesting alternative to web-based tools like TrueNAS.

HPC Initiative

FreeBSD is getting ports for Slurm, OpenMPI, and UCX — high-performance computing is landing on the platform. Niche, but strategically important.

Cloud

FreeBSD on EC2 with updated AMIs, plus a new STACKIT Cloud integration (a European cloud provider in the IAD group).

Ports Updates

• KDE Plasma 6.6.3
• OpenJDK 21/25
• Wazuh 4.14.3 (Security Monitoring)

FreeBSD 15.1: Code Slush Reached

The 15.1 release cycle hit Code Slush on April 17 — commits to the stable/15 branch no longer require explicit approval, but new features should be avoided. The remaining schedule:

FreeBSD 15.0 reaches end-of-life on September 30, 2026. Stable/15 will be supported through December 2029.

FreeBSD 13.5: EOL on April 30

Anyone still running FreeBSD 13.5 has less than a week to upgrade. Support ends April 30 — no more security patches after that. The Release Engineering Team has already stopped weekly snapshot builds for stable/13.

Migration to 14.4 or 15.0 is now urgent. Especially given SA-26:10 and SA-26:11, running an EOL version would be negligent.

ZFS: Snapshot Automount Deadlock Fixed

Hamza (ixhamza) contributed two significant ZFS fixes:

1. Snapshot automount deadlock during concurrent zfs recv — When a snapshot is automounted while zfs recv is running, the system could deadlock. The fix reorganizes the locking order.
2. AVL tree panic from snapshot automount race — A race condition during parallel snapshot mounts could trigger an AVL tree panic. Solved by switching to AVL lookup instead of linear scan.

Additionally, a memory leak in zfsctl_snapshot_mount was fixed — the options structure wasn’t being properly freed.

For anyone running zfs recv in production (and you should be if you do replication), these fixes matter. The deadlock was hitting real users, as open issue #18073 confirms.

BastilleBSD Hiring Plans

BastilleBSD announced plans to hire a part-time FreeBSD/Bastille sysadmin (~20 hrs/week), targeting EMEA/APAC time zones. The role involves working with Bastille’s creator on a cybersecurity startup, with an expected start in mid-to-late 2026. A sign that the FreeBSD jail management ecosystem is professionalizing.

TopBar: Wayland Desktop Environment

TopBar was featured on DiscoverBSD — a customizable desktop environment built with Quickshell and QML for Wayland compositors like MangoWM and Hyprland. It integrates a status bar, app launcher, lock screen, and wallpaper manager into a single cohesive system. For FreeBSD laptop users exploring Wayland, this is worth watching.

ZFS Performance Without New Hardware

A DiscoverBSD article rounded up ZFS performance tips that don’t require hardware investment:

• Tune recordsize to workload (16K for databases, 1M–4M for storage)
• Enable LZ4 compression — often reduces I/O overhead rather than increasing it
• Pool topology: Replace wide RAIDz configs with mirrored VDEVs for more parallelism
• Disable prefetch for random-access workloads (databases)

Nothing new for ZFS veterans, but a solid reference for newcomers.

What This Week Means

Two critical SAs in one week, both discovered via AI-assisted fuzzing — that’s a wake-up call. The tools are getting better, and attackers will use them too. The Q1 status report shows a healthy project: laptop support is growing, HPC is arriving, CRA preparation is professional. And with the code slush for 15.1, the next release is approaching.

If you’re on 13.5: upgrade now. If you’re on 15.0 or 14.4: patch now. Anything else is negligent.

This week brought two critical security advisories (both discovered with AI-assisted fuzzing), a bumper Q1 status report with 45 entries, and the official start of the 15.1 release cycle. If you’re still on FreeBSD 13.5, the clock is ticking.

Two Security Advisories, One Day

On April 21, the FreeBSD Security Team released two advisories — both credited to Nicholas Carlini using Claude (Anthropic). AI-assisted fuzzing finding two independent kernel bugs is noteworthy and signals a shift in how vulnerability research is done.

SA-26:10.tty — Use-After-Free in TIOCNOTTY Handler (CVE-2026-5398, CVSS 8.4 HIGH)

The TIOCNOTTY ioctl lets a process detach from its controlling terminal. The implementation failed to clear a back-pointer from the terminal structure to the calling process’s session. When the process subsequently exits, the terminal structure retains a dangling pointer to freed memory — which a malicious process can exploit to escalate to root.

All supported FreeBSD versions are affected (13.5, 14.3, 14.4, 15.0). No workaround exists. Patch and reboot.

SA-26:11.amd64 — Missing Large Page Handling in pmap_pkru_update_range() (CVE-2026-6386)

The pmap_pkru_update_range() function updates page table entries when applying Memory Protection Keys (PKRU) to an address range. It didn’t account for 1GB large page mappings created via shm_create_largepage(). Instead of recognizing a page directory entry as a large page, it treated it as a pointer to another page table page.

The result: an unprivileged user can trick the kernel into treating userspace memory as a page table, overwriting memory they shouldn’t have access to. Affects all supported versions on amd64. No workaround.

Takeaway: If you run amd64 systems, patch immediately. Both bugs are locally exploitable, and SA-26:10 leads directly to root. The AI-assisted discovery method is a clear signal: defenders need to adopt these tools as fast as attackers already have.

Q1 2026 Status Report: 45 Entries

The Q1 2026 Status Report landed on April 22 with 45 entries — the first under a newly enforced editorial schedule. Highlights:

Alpha-Omega Beach Cleaning

The FreeBSD Foundation continues its Beach Cleaning project, funded by the Linux Foundation’s Alpha-Omega initiative. The goal: proactively find and fix security vulnerabilities in third-party base system software. The repository includes build infrastructure and fuzzing setups for components like libxml2, SQLite, and other base system dependencies. The connection to this week’s two SAs is obvious — structured fuzzing pays off.

Cyber Resilience Act (CRA) Readiness

The EU’s Cyber Resilience Act is law, and FreeBSD must prepare. The Foundation launched a dedicated CRA Readiness project with monthly updates. Core questions: Which SBOM requirements apply? How is vulnerability management documented? Anyone deploying FreeBSD in EU-compliant products should follow this closely.

Laptop Testing & Integration

The Laptop Integration Testing Project introduced a Python application that automates FreeBSD compatibility testing on laptops. The Foundation is asking the community to submit hardware probes to build a public compatibility matrix. Other laptop progress:

• S0ix (Modern Standby): Suspend/Resume support for modern laptops
• Hibernate (Suspend-to-Disk): Under active development
• CPPC: AMD CPPC support for Zen 2+ processors (out-of-tree module available)
• Intel FRED: Konstantin Belousov (kib) submitted initial patches for Intel’s Flexible Return and Event Delivery — CPUID, MSR, and CR4 bits are in main, full FRED support is under review

Sylvea v0.2.3

The management tool Sylvea reached v0.2.3 with enhanced jail and VM support. A lightweight GUI for Bhyve, Jails, ZFS, and networking — an interesting alternative to web-based tools like TrueNAS.

HPC Initiative

FreeBSD is getting ports for Slurm, OpenMPI, and UCX — high-performance computing is landing on the platform. Niche, but strategically important.

Cloud

FreeBSD on EC2 with updated AMIs, plus a new STACKIT Cloud integration (a European cloud provider in the IAD group).

Ports Updates

• KDE Plasma 6.6.3
• OpenJDK 21/25
• Wazuh 4.14.3 (Security Monitoring)

FreeBSD 15.1: Code Slush Reached

The 15.1 release cycle hit Code Slush on April 17 — commits to the stable/15 branch no longer require explicit approval, but new features should be avoided. The remaining schedule:

FreeBSD 15.0 reaches end-of-life on September 30, 2026. Stable/15 will be supported through December 2029.

FreeBSD 13.5: EOL on April 30

Anyone still running FreeBSD 13.5 has less than a week to upgrade. Support ends April 30 — no more security patches after that. The Release Engineering Team has already stopped weekly snapshot builds for stable/13.

Migration to 14.4 or 15.0 is now urgent. Especially given SA-26:10 and SA-26:11, running an EOL version would be negligent.

ZFS: Snapshot Automount Deadlock Fixed

Hamza (ixhamza) contributed two significant ZFS fixes:

1. Snapshot automount deadlock during concurrent zfs recv — When a snapshot is automounted while zfs recv is running, the system could deadlock. The fix reorganizes the locking order.
2. AVL tree panic from snapshot automount race — A race condition during parallel snapshot mounts could trigger an AVL tree panic. Solved by switching to AVL lookup instead of linear scan.

Additionally, a memory leak in zfsctl_snapshot_mount was fixed — the options structure wasn’t being properly freed.

For anyone running zfs recv in production (and you should be if you do replication), these fixes matter. The deadlock was hitting real users, as open issue #18073 confirms.

BastilleBSD Hiring Plans

BastilleBSD announced plans to hire a part-time FreeBSD/Bastille sysadmin (~20 hrs/week), targeting EMEA/APAC time zones. The role involves working with Bastille’s creator on a cybersecurity startup, with an expected start in mid-to-late 2026. A sign that the FreeBSD jail management ecosystem is professionalizing.

TopBar: Wayland Desktop Environment

TopBar was featured on DiscoverBSD — a customizable desktop environment built with Quickshell and QML for Wayland compositors like MangoWM and Hyprland. It integrates a status bar, app launcher, lock screen, and wallpaper manager into a single cohesive system. For FreeBSD laptop users exploring Wayland, this is worth watching.

ZFS Performance Without New Hardware

A DiscoverBSD article rounded up ZFS performance tips that don’t require hardware investment:

• Tune recordsize to workload (16K for databases, 1M–4M for storage)
• Enable LZ4 compression — often reduces I/O overhead rather than increasing it
• Pool topology: Replace wide RAIDz configs with mirrored VDEVs for more parallelism
• Disable prefetch for random-access workloads (databases)

Nothing new for ZFS veterans, but a solid reference for newcomers.

What This Week Means

Two critical SAs in one week, both discovered via AI-assisted fuzzing — that’s a wake-up call. The tools are getting better, and attackers will use them too. The Q1 status report shows a healthy project: laptop support is growing, HPC is arriving, CRA preparation is professional. And with the code slush for 15.1, the next release is approaching.

If you’re on 13.5: upgrade now. If you’re on 15.0 or 14.4: patch now. Anything else is negligent.

A summary of the most important developments, security advisories, and discussions in the FreeBSD ecosystem over the past week.

Release Engineering: 15.1 Approaches Code Slush

On April 17, the stable/15 code slush began in preparation for FreeBSD 15.1. The full schedule, published by Release Engineering Lead Colin Percival back in January, looks like this:

Percival noted in January that 15.1 might be “a relatively bumpy minor release” given the experience with 15.0, particularly due to additional pkgbase changes. Meanwhile, stable/13 reaches its End-of-Life at the end of April — weekly snapshot builds for that branch will cease.

Security: SA-26:08 — Critical Stack Overflow in rpcsec_gss

Perhaps the most notable security development of recent weeks is FreeBSD Security Advisory SA-26:08, which describes a stack overflow in svc_rpc_gss_validate(). The vulnerability allows remote code execution and affects all supported FreeBSD versions. Patches are available for 15.0-RELEASE-p5 and the 14.x series.

What makes this advisory remarkable: the vulnerability was discovered and exploited by Nicholas Carlini using Claude AI (Anthropic) — an early example of AI-assisted security research uncovering real kernel vulnerabilities. The fix commit by Mark Johnston (143293c) addresses the buffer overflow in the GSS validation routine.

Q1 2026 Status Reports Published

The FreeBSD status reports for the first quarter of 2026 are now online. The Release Engineering Team update documents the successful 14.4-RELEASE publication in March and the ongoing planning for 15.1.

Laptop Project: Community Testing Call

The FreeBSD Foundation published a Call for Testing for the Laptop Integration Testing Project on April 6. Following the Year-One Update in February, the team has been building testing infrastructure since January. Community members can now test their laptops:

pkg install python hw-probe
git clone https://github.com/FreeBSDFoundation/freebsd-laptop-testing
cd freebsd-laptop-testing
make

The testing tool automatically probes laptop hardware and creates anonymized reports that can be submitted via Pull Request. Results feed into a public compatibility matrix at freebsdfoundation.github.io/freebsd-laptop-testing.

OpenZFS: Native relatime Property

On April 1, OpenZFS gained a native relatime property (commit 1685849 by @amotin). Relatime (relative atime) only updates a file’s access time when it is older than its modification or status change time, significantly reducing unnecessary write operations — especially beneficial for SSDs and caches. Previously only configurable via mount options, relatime can now be set natively per dataset.

Ports: GNU ld Checks Removed

Brooks Davis committed a tree-wide cleanup (d87609e) on April 13, removing all checks for whether the base linker is GNU ld. Since FreeBSD adopted lld (the LLVM linker) as default, these checks have been obsolete. The commit affects Makefiles across the entire ports tree.

Mailing Lists

IPv6-Only RA: Proposal to Adopt RFC 8925

Pouria Mousavizadeh Tehrani proposed on freebsd-current to remove the experimental implementation of the IETF draft DRAFT_IETF_6MAN_IPV6ONLY_FLAG and adopt RFC 8925 (IPv6-Only preference via DHCP option) instead. The backstory is interesting: Bjoern Zeeb originally proposed marking networks as IPv6-only via an RA flag. The draft was abandoned because RAs can be trivially forged — an attacker could maliciously disable IPv4 networks. Google later submitted the same idea as a DHCP option, which became RFC 8925. Pouria is seeking feedback on removing the draft-specific code paths from the kernel and userland.

Kqueue Panic: knlist Assertions Added

A kernel panic — “knote was already on knlist” — was reported on freebsd-current after build main-n284826. Kyle Evans (kevans91) responded by adding assertions in knlist_add() and knlist_remove_kq() (commit 306c904) to catch such error states earlier and more reliably. The related bug report (Bug 293382) describes deadlocks and crashes around closefp_impl, suggesting the issue involves file descriptor closure and kqueue registration interaction.