Month: May 2026

This week saw the third beta of FreeBSD 15.1, a critical execve() privilege escalation vulnerability, the KDE desktop installer option being pushed to 15.2, and two libnv security advisories that remain highly relevant. Here’s your summary.

FreeBSD 15.1 Beta 3 Released

FreeBSD 15.1-BETA3 was released over the weekend as the latest weekly test candidate. The release is entering its final stretch — the Release Candidate (RC) is expected next week, and if all goes well, FreeBSD 15.1-RELEASE is targeted for June 2, 2026.

Key changes in Beta 3:

• OpenZFS 2.4.2 has been integrated — the latest OpenZFS release with various fixes and minor enhancements.
• Cloud images now automatically run pkg upgrade on first boot to apply security updates to the base system. A sensible improvement for cloud deployments that often start from stale images.
• Kerberos has been updated.
• bsdinstall scripted installations now use pkgbase.

The beta cycle has been relatively smooth so far. BETA1 and BETA2 in previous weeks brought Zstd 1.5.7, userland fixes for ifconfig, lockf, stat, tail, and certctl, plus kernel fixes for nullfs, so_splice, and VT.

BETA2 Recap (May 8)

• Updated to Zstd 1.5.7
• bsdinstall now consistently uses pkg.freebsd.org for package bootstrap
• Various userland and kernel bug fixes

Critical execve() Privilege Escalation — CVE-2026-7270

A serious kernel vulnerability disclosed in late April continues to generate discussion. FreeBSD-SA-26:13.execdescribes an operator-precedence error in the execve(2) implementation that leads to a buffer overflow. Attacker-controlled data can spill into adjacent argument buffers, corrupt kernel state, and grant unprivileged users root access.

The flaw affects all supported FreeBSD releases (13.5 through the 15 branch). Patches were published within hours, adding explicit parentheses to enforce the intended evaluation order and tightening size checks.

Community Reaction

• Positive: Rapid response — the advisory went live less than an hour after discovery, with patches available for every supported branch the same day.
• Concerns: There is no workaround. Administrators who can’t immediately reboot (e.g., high-availability systems) remain exposed.
• Source-based installations require kernel recompilation and reboot, which can take hours on older hardware.
• Early adopters on the 15 branch reported a minor regression in custom execve wrapper scripts that relied on the previous (buggy) argument handling.

Two libnv Security Advisories (SA-26:16 and SA-26:17)

Also disclosed on April 29, two libnv vulnerabilities remain relevant for anyone who hasn’t patched yet:

• SA-26:16 (CVE-2026-39457): Stack overflow via select() file descriptor set overflow — when a socket descriptor exceeds FD_SETSIZE (1024), select(2) overflows its file descriptor set. An attacker who can force a program to open many descriptors can trigger stack corruption and potentially escalate privileges via setuid-root programs. Discovered by Joshua Rogers (AISLE Research Team).
• SA-26:17 (CVE-2026-35547): Heap overflow in libnv — message size is not properly validated when processing headers, enabling out-of-bounds writes on the heap. This can cause crashes, panics, or potential privilege escalation by unprivileged users. Discovered by Mariusz Zaborski.

Both affect all supported FreeBSD versions with no workaround. Upgrade and reboot are mandatory.

KDE Desktop Installer Option Delayed to FreeBSD 15.2

The long-awaited KDE desktop installation option in the FreeBSD installer has been delayed again — this time from 15.1 to FreeBSD 15.2 (expected December 2026). Originally planned for 15.0, then moved to 15.1, the installation script needs updates for new NVIDIA drivers and removal of obsolete components. After committing to CURRENT, a testing period in STABLE is required, which no longer fits the 15.1 timeline.

Until then, KDE Plasma can be set up manually via pkg after installation.

Mailing List Discussions

Update Strategy and Timing (freebsd-current)

Bob Prohaska kicked off a discussion about preferred update strategies for self-hosted FreeBSD systems. On stable branches, freebsd-update is straightforward. On current, things get more complex. Warner Losh, Rick Macklem, Mark Millard, and others weighed in on the trade-offs of different approaches — a worthwhile read for anyone running current in production.

PKGBASE: Upgrading 15.0 to 15.1-BETA2

Vermaden asked about the upgrade path from FreeBSD 15.0-RELEASE to 15.1-BETA2 using the PKGBASE model. Colin Percival confirmed this path isn’t fully documented yet. The PKGBASE system remains marked as experimental, and the minor-release upgrade workflow needs more work.

Beach Cleaning Project: Infrastructure Cleanup

The FreeBSD Foundation published a detailed report on the Beach Cleaning Project in late April that continues to draw attention:

• Machine-readable inventory of over 1,000 components in the base system, including 73 third-party imports
• OpenSSL 3.5 LTS was integrated in time for FreeBSD 15.0 (replacing OpenSSL 3.0, which reaches EOL September 2026)
• SBOM generation in SPDX 2 and SPDX 3 formats
• CODEOWNERS-style reports for better maintainability
• Preparation for importing pkg into the base system as part of the pkgbase transition

The project was funded by Alpha-Omega and produced practical tooling, security assessments, and implementation plans that will serve FreeBSD development well beyond the project’s lifespan.

Blog Posts This Week

Vermaden: FreeBSD PKGBASE Minor Upgrades

Vermaden published a practical guide for upgrading FreeBSD 15.0 to 15.1-BETA2 using PKGBASE and ZFS Boot Environments. The walkthrough covers creating a new BE, configuring the pkg repository, upgrading the base system, and rolling back if needed — including an alternative approach using --chroot.

Going Back to BSD

Pete shared a personal blog post about returning to BSD after decades on Linux. He describes moving from Arch Linux to FreeBSD, setting up mail servers with Bastille jails, and appreciating the simplicity of the rc system compared to systemd. A nostalgic and practical read.

Looking Ahead

Next week will see the Release Candidate for FreeBSD 15.1. If no unexpected issues arise, the final release is expected on June 2, 2026. Administrators should patch the three security vulnerabilities (execve, libnv x2) immediately if they haven’t already.

Sources: Phoronix, FreeBSD Mailing Lists, FreeBSD Security Advisories, FreeBSD Foundation, Vermaden Blog, LavX News, peteftw.com

Published May 11, 2026

The past week has been one of the most eventful in the FreeBSD project in quite some time: two beta releases, a massive security advisory bundle, eye-catching AI-driven vulnerability discoveries, and a new blog post on the pkgbase upgrade path. Here’s the rundown.

FreeBSD 15.1: Beta 1 and Beta 2 Released

The release cycle for FreeBSD 15.1 is gaining momentum. After Colin Percival announced 15.1-BETA1 on May 2, 15.1-BETA2 followed on May 8 — the weekly cadence is holding.

Changes in Beta 2 (vs. Beta 1)

• Zstd updated to 1.5.7 — latest upstream compression support
• less updated to v692
• bsdinstall now consistently uses pkg.FreeBSD.org for package bootstrap operations
• nuageinit only parses user_data as YAML when necessary
• rtadvd(8) now honors pltime and vltime in interface declarations
• Various userland bug fixes: ifconfig(8), lockf(1), stat(1), tail(1), certctl(8)
• Kernel bug fixes: nullfs, so_splice, vt(4)
• Miscellaneous manual page and test fixes

Available Architectures

Images are available for amd64, powerpc64, powerpc64le, armv7, aarch64 (including RPI, PINE64, ROCK64 variants), and riscv64. Additionally, VM disk images (QCOW2, VHD, VMDK, Raw), OCI container images (static, dynamic, runtime, notoolchain, toolchain), and Amazon EC2 AMIs are provided.

Schedule

• Beta 3 expected next week
• Release Candidate the week after
• 15.1-RELEASE on June 2, 2026 — if all goes according to plan

Critical Security Vulnerabilities — 8 Advisories on April 29

On April 29, FreeBSD published a large batch of security advisories that were widely discussed this week:

Advisory	Module	Description	Severity
SA-26:11	amd64	Missing large page handling in pmap_pkru_update_range()	High
SA-26:12	dhclient	Remote code execution via malicious DHCP options (CVE-2026-42511)	Critical
SA-26:13	execve	Local privilege escalation via execve(2)	High
SA-26:14	pf	Stack overflow parsing crafted SCTP packets	High
SA-26:15	dhclient	Remotely triggerable out-of-bounds heap write in dhclient	Critical
SA-26:16	libnv	Stack overflow via select() file descriptor set overflow	High
SA-26:17	libnv	Heap overflow in libnv	High

Additionally, EN-26:11 was published on May 1: an errata notice correcting overly strict dhclient lease validation behavior — a side effect of the security fixes.

The 21-Year-Old dhclient RCE (CVE-2026-42511)

Particularly notable: the vulnerability in dhclient (SA-26:12) had existed in the code for over 20 years. The BOOTP file field was written to the lease file without escaping embedded double-quotes, enabling injection of arbitrary dhclient.conf directives — and thus remote code execution after a system restart.

AI-Driven Vulnerability Research: AISLE vs. Anthropic Mythos

On May 7, AISLE published a blog post that made waves: their multi-model system had discovered three critical vulnerabilities in FreeBSD — independently of and in parallel with the findings made by Anthropic’s “Claude Mythos.”

AISLE’s findings:

1. The 21-year-old dhclient RCE (CVE-2026-42511)
2. A remotely triggerable heap buffer overflow in dhclient
3. A stack buffer overflow in ping6 (local privilege escalation)

All three were discovered on April 13, reported on April 14, and patched on April 29.

The debate AISLE’s findings sparked is noteworthy: AI-powered security systems can be very effective even with smaller, cheaper models — a well-designed system beats pure scaling through larger models. AISLE references their research showing that security capability is “jagged”: small models can outperform larger ones at many security-relevant tasks.

FreeBSD Foundation: “Cleaning Up Critical Infrastructure”

On April 20 (still widely discussed this week), the FreeBSD Foundation published a detailed blog post about the Alpha-Omega Beach Cleaning Project. Key points:

• OpenSSL 3.5 LTS was integrated in time for FreeBSD 15.0 — avoiding an unsupported fork of OpenSSL 3.0 (EOL September 2026) for over four years
• A machine-readable inventory of the base system was created: over 1,000 components in a YAML-based database, including 73 third-party imports
• SBOM generation via SPDX 2 and SPDX 3 formats
• CODEOWNERS-style reports for better maintainership tracking
• Preparation for importing pkg into the base system as part of the pkgbase transition

Vermaden: PKGBASE Minor Upgrades with ZFS Boot Environments

On May 10, well-known FreeBSD blogger Vermaden published a practical guide for minor upgrades (e.g., 15.0 to 15.1) using PKGBASE and ZFS Boot Environments. Since PKGBASE is still marked as experimental and freebsd-update(8) is no longer available for minor releases, he demonstrates two methods:

1. Classic method: Create a new ZFS BE, chroot, configure pkg.repo, run pkg upgrade -r FreeBSD-base
2. Alternative method: Use pkg --chroot and ABI/OSVERSION overrides without manual devfs mounting

Both methods allow a safe rollback via ZFS Boot Environments if the upgrade causes issues.

Q1 2026 Status Report: 45 Entries

The FreeBSD Status Report for the first quarter of 2026 was published on April 23 — with a record 45 entries. Highlights:

• Cyber Resilience Act (CRA) Readiness Project — preparing for EU regulation
• amd64 FRED support — new CPU flexibility features
• LinuxKPI 802.11 and Native Wireless Update — WiFi driver progress
• Suspend/Resume and Hibernate improvements
• Sylve — a unified system management platform for FreeBSD
• daemonless — native FreeBSD OCI containers without a daemon
• KDE on FreeBSD — Plasma 6 and Wayland progress
• FreeBSD on EC2 and STACKIT Cloud Integration
• bhyve: Full CPUID Control, Management GUI

Looking Ahead

With Beta 3 coming next week and the Release Candidate after that, FreeBSD 15.1-RELEASE on June 2 is fast approaching. Anyone running supported versions should urgently apply the April 29 security advisories — especially the critical dhclient RCE. And for those testing pkgbase, Vermaden’s guide provides a solid starting point.

Links:

• FreeBSD 15.1-BETA2 Announcement
• FreeBSD Security Advisories
• AISLE: 3 Critical Vulnerabilities in FreeBSD
• AISLE: CVE-2026-42511
• FreeBSD Foundation: Beach Cleaning Project
• Vermaden: PKGBASE Minor Upgrades
• FreeBSD Q1 2026 Status Report
• FreeBSD 15.1 Release Notes (Work in Progress)