Published May 11, 2026
The past week has been one of the most eventful in the FreeBSD project in quite some time: two beta releases, a massive security advisory bundle, eye-catching AI-driven vulnerability discoveries, and a new blog post on the pkgbase upgrade path. Here’s the rundown.
FreeBSD 15.1: Beta 1 and Beta 2 Released
The release cycle for FreeBSD 15.1 is gaining momentum. After Colin Percival announced 15.1-BETA1 on May 2, 15.1-BETA2 followed on May 8 — the weekly cadence is holding.
Changes in Beta 2 (vs. Beta 1)
- Zstd updated to 1.5.7 — latest upstream compression support
- less updated to v692
- bsdinstall now consistently uses pkg.FreeBSD.org for package bootstrap operations
- nuageinit only parses user_data as YAML when necessary
- rtadvd(8) now honors pltime and vltime in interface declarations
- Various userland bug fixes: ifconfig(8), lockf(1), stat(1), tail(1), certctl(8)
- Kernel bug fixes: nullfs, so_splice, vt(4)
- Miscellaneous manual page and test fixes
Available Architectures
Images are available for amd64, powerpc64, powerpc64le, armv7, aarch64 (including RPI, PINE64, ROCK64 variants), and riscv64. Additionally, VM disk images (QCOW2, VHD, VMDK, Raw), OCI container images (static, dynamic, runtime, notoolchain, toolchain), and Amazon EC2 AMIs are provided.
Schedule
- Beta 3 expected next week
- Release Candidate the week after
- 15.1-RELEASE on June 2, 2026 — if all goes according to plan
Critical Security Vulnerabilities — 8 Advisories on April 29
On April 29, FreeBSD published a large batch of security advisories that were widely discussed this week:
| Advisory | Module | Description | Severity |
|---|---|---|---|
| SA-26:11 | amd64 | Missing large page handling in pmap_pkru_update_range() | High |
| SA-26:12 | dhclient | Remote code execution via malicious DHCP options (CVE-2026-42511) | Critical |
| SA-26:13 | execve | Local privilege escalation via execve(2) | High |
| SA-26:14 | pf | Stack overflow parsing crafted SCTP packets | High |
| SA-26:15 | dhclient | Remotely triggerable out-of-bounds heap write in dhclient | Critical |
| SA-26:16 | libnv | Stack overflow via select() file descriptor set overflow | High |
| SA-26:17 | libnv | Heap overflow in libnv | High |
Additionally, EN-26:11 was published on May 1: an errata notice correcting overly strict dhclient lease validation behavior — a side effect of the security fixes.
The 21-Year-Old dhclient RCE (CVE-2026-42511)
Particularly notable: the vulnerability in dhclient (SA-26:12) had existed in the code for over 20 years. The BOOTP file field was written to the lease file without escaping embedded double-quotes, enabling injection of arbitrary dhclient.conf directives — and thus remote code execution after a system restart.
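A minimal sketch of the bug class described above, added here as an illustration and not taken from FreeBSD's dhclient or its patch: a lease-file writer that copies a field between quotes verbatim, beside one that escapes it. The function names, the `filename` line layout, the sample value and the backslash-escape convention are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a BOOTP file field with embedded double-quotes. */
const char sample[] = "boot.img\"; example-directive \"x";

/* "Before" pattern: the value is copied between the quotes verbatim. */
int quote_naive(const char *v, size_t len, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "  filename \"%.*s\";\n", (int)len, v);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Hardened form: escape '"' and backslash, refuse control bytes, bound writes.
 * Assumes the lease-file reader treats backslash as an escape in strings. */
int quote_escaped(const char *v, size_t len, char *out, size_t outsz) {
    static const char pre[] = "  filename \"", post[] = "\";\n";
    size_t o = sizeof(pre) - 1;
    if (outsz < o + sizeof(post))
        return -1;
    memcpy(out, pre, o);
    for (size_t i = 0; i < len && v[i] != '\0'; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x20 || c == 0x7f || o + 2 + sizeof(post) > outsz)
            return -1;          /* control byte or no room: drop the field */
        if (c == '"' || c == '\\')
            out[o++] = '\\';
        out[o++] = (char)c;
    }
    memcpy(out + o, post, sizeof(post));    /* includes the terminating NUL */
    return (int)(o + sizeof(post) - 1);
}

/* String delimiters a backslash-aware lexer would see in s. */
int unescaped_quotes(const char *s) {
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s == '\\' && s[1] != '\0')
            s++;                /* skip the escaped byte */
        else if (*s == '"')
            n++;
    }
    return n;
}

int main(void) {
    char b[128];
    if (quote_escaped(sample, sizeof(sample) - 1, b, sizeof(b)) > 0)
        fputs(b, stdout);
    return 0;
}
```

With the verbatim writer the sample yields four string delimiters on one line, so a reader sees text outside the intended string; the escaped writer always yields exactly two.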
AI-Driven Vulnerability Research: AISLE vs. Anthropic Mythos
On May 7, AISLE published a blog post that made waves: their multi-model system had discovered three critical vulnerabilities in FreeBSD — independently of and in parallel with the findings made by Anthropic’s “Claude Mythos.”
AISLE’s findings:
- The 21-year-old dhclient RCE (CVE-2026-42511)
- A remotely triggerable heap buffer overflow in dhclient
- A stack buffer overflow in ping6 (local privilege escalation)
All three were discovered on April 13, reported on April 14, and patched on April 29.
The debate AISLE’s findings sparked is noteworthy: AI-powered security systems can be very effective even with smaller, cheaper models — a well-designed system beats pure scaling through larger models. AISLE references their research showing that security capability is “jagged”: small models can outperform larger ones at many security-relevant tasks.
FreeBSD Foundation: “Cleaning Up Critical Infrastructure”
On April 20 (still widely discussed this week), the FreeBSD Foundation published a detailed blog post about the Alpha-Omega Beach Cleaning Project. Key points:
- OpenSSL 3.5 LTS was integrated in time for FreeBSD 15.0 — avoiding an unsupported fork of OpenSSL 3.0 (EOL September 2026) for over four years
- A machine-readable inventory of the base system was created: over 1,000 components in a YAML-based database, including 73 third-party imports
- SBOM generation via SPDX 2 and SPDX 3 formats
- CODEOWNERS-style reports for better maintainership tracking
- Preparation for importing pkg into the base system as part of the pkgbase transition
Vermaden: PKGBASE Minor Upgrades with ZFS Boot Environments
On May 10, well-known FreeBSD blogger Vermaden published a practical guide for minor upgrades (e.g., 15.0 to 15.1) using PKGBASE and ZFS Boot Environments. Since PKGBASE is still marked as experimental and freebsd-update(8) is no longer available for minor releases, he demonstrates two methods:
- Classic method: Create a new ZFS BE, chroot, configure pkg.repo, run pkg upgrade -r FreeBSD-base
- Alternative method: Use pkg --chroot and ABI/OSVERSION overrides without manual devfs mounting
Both methods allow a safe rollback via ZFS Boot Environments if the upgrade causes issues.
Q1 2026 Status Report: 45 Entries
The FreeBSD Status Report for the first quarter of 2026 was published on April 23 — with a record 45 entries. Highlights:
- Cyber Resilience Act (CRA) Readiness Project — preparing for EU regulation
- amd64 FRED support — new CPU flexibility features
- LinuxKPI 802.11 and Native Wireless Update — WiFi driver progress
- Suspend/Resume and Hibernate improvements
- Sylve — a unified system management platform for FreeBSD
- daemonless — native FreeBSD OCI containers without a daemon
- KDE on FreeBSD — Plasma 6 and Wayland progress
- FreeBSD on EC2 and STACKIT Cloud Integration
- bhyve: Full CPUID Control, Management GUI
Looking Ahead
With Beta 3 coming next week and the Release Candidate after that, FreeBSD 15.1-RELEASE on June 2 is fast approaching. Anyone running supported versions should urgently apply the April 29 security advisories — especially the critical dhclient RCE. And for those testing pkgbase, Vermaden’s guide provides a solid starting point.