Month: June 2026

A third release candidate for FreeBSD 15.1, critical x86 bootloader bugs, a flood of AI-discovered vulnerabilities, and the Frankfurt hackathon recap – this week was packed for FreeBSD.

FreeBSD 15.1-RC3 Released – Release Pushed to Mid-June

The week’s headline event: Colin Percival announced FreeBSD 15.1-RC3 on June 6. A third release candidate was needed because a critical bug in the x86 bootloader/kernel handoff was discovered that could cause systems to hang during boot – most commonly, but not exclusively, when Intel microcode updates are being loaded.

The announcement explicitly warns: when upgrading to RC3, you must install the updated EFI bootloader. The originally planned early-June release date has slipped to mid-June.

RC2 (May 31) had already re-introduced PadLock RNG support for VIA/Zhaoxin processors and integrated security fixes from SA-26:19 through SA-26:24. RC3 builds on that with the critical bootloader fix.

Available images include amd64, powerpc64(le), armv7, aarch64 (including RPI, PINE64, ROCK64), and riscv64, plus VM images (QCOW2, VHD, VMDK, raw), OCI container images, and Amazon EC2 AMI images.

Security Advisories – AI-Driven Vulnerability Discovery Makes Its Mark

The wave of security advisories published in late May (SA-26:18 through SA-26:24) continues to dominate discussions. Notably, most of these vulnerabilities were discovered through AI-driven security research:

SA-26:18.setcred – Stack Buffer Overflow via setcred(2)

A stack buffer overflow in the new setcred(2) system call that could lead to local privilege escalation (CVE-2026-45250).

SA-26:19.file – Kernel Use-After-Free via File Descriptor Syscalls

Discovered by Calif.io. A use-after-free in the kernel through file descriptor system calls.

SA-26:20.fusefs – Heap Overflow in FUSE_LISTXATTR

Discovered by the AISLE Research Team. A heap overflow in the FUSE file system code.

SA-26:21.ptrace – Missing Validation in ptrace(PTSCREMOTE)

Found by researchers using GLM-5.1 from Z.ai. Unprivileged local users could escalate privileges to root.

SA-26:22.libcasper – select(2) FD Set Overflow → Stack Overflow

Also from the AISLE Research Team. A file descriptor set overflow in select(2) led to a stack overflow. CVE-2026-39457 and CVE-2026-39461 were assigned.

SA-26:23.bsdinstall – RCE via Wi-Fi Access Point Scans

A suitably crafted network name (SSID) could cause command execution via sub-shell during Wi-Fi scans in bsdinstall and bsdconfig.

SA-26:24.capnet – Incorrect libcapnet Permission List Manipulation

Incorrect manipulation of permission lists in libcap_net could extend a process’s permissions.

Earlier Advisory from April: SA-26:14.pf – pf Stack Overflow via SCTP

Published April 29 but relevant context for the current wave: invalid SCTP packets could trigger unbounded recursion in pf, resulting in a stack overflow and kernel panic (CVE-2026-7164).

AISLE: Three setuid-root Stack Buffer Overflows Uncovered

On May 25, the AISLE Research Team published a detailed blog post on discovering three separate stack buffer overflows in FreeBSD, all reachable through the same basic attack vector:

1. ping6: The setuid-root binary lost a safety check that the closely related ping program retained. A local user could open many file descriptors and then execute /sbin/ping6, forcing later descriptors above 1023 and reaching unchecked FD_SET() calls.
2. libnv: The same FD_SET overflow in the NV encoding library.
3. libcasper: Ironically, the bug also hit FreeBSD’s Capsicum/Casper sandboxing infrastructure, which exists specifically to contain untrusted operations.

Particularly interesting: the ping6 bug had been fixed in closely related code back in 2002, but the corresponding guard was removed during a refactoring and never restored.

Blog Posts and Articles

“An AI audit of FreeBSD” (blog.calif.io, May 28)

Calif.io published a comprehensive retrospective on their AI-driven audit campaign against FreeBSD. Result: 15 kernel bugs, including 3 Remote Code Execution (RCE), 5 Local Privilege Escalation (LPE), and 1 bhyve escape.

“CVE-2026-7270: How I Get Root on FreeBSD with a Shell Script” (blog.calif.io, May 7)

Another Calif.io article demonstrating how a single shell script was enough to gain root access on a FreeBSD system.

AISLE: “AISLE matches Anthropic Mythos on FreeBSD zero-days” (May 6)

AISLE reports independently reproducing three of the eight FreeBSD security advisories from April 2026 that were also found by Nicholas Carlini at Anthropic (Claude Mythos).

AISLE: “AISLE Finds 21-Year-Old FreeBSD RCE Hidden in dhclient” (May 7)

CVE-2026-42511: A 21-year-old remote code execution vulnerability in dhclient, where the BOOTP file field was not properly escaped, allowing injection of arbitrary dhclient.conf directives.

Frankfurt Area FreeBSD Hackathon Recap (FreeBSD Foundation, June 2)

The FreeBSD Foundation published a recap of the first regional hackathon in the Frankfurt area (April 24–26). Results: 120 closed bug reports, successful implementation of SBOM (Software Bill of Materials) functionality, and a German translation of Sylve.

“FreeBSD May 2026 Security Batch – An Operator’s Triage Guide” (maxiujun.com)

A practical triage guide for admins: of the seven simultaneously published advisories, two are kernel-side and trivially exploitable by any local user – patch those first.

Mailing List Discussions

mtree(1) POLA Violation

Gleb Smirnoff flagged on the freebsd-current list that the recent mtree(1) import from NetBSD constitutes a POLA (Principle of Least Astonishment) violation: checksum behavior has changed. Jose Luis Duran and Xin LI discussed potential corrections; a differential (D56013) was submitted to add missing entries.

15.1 Release Planning

Mailing list activity shows the typical end-of-cycle intensity: RC1, RC2, and RC3 were each announced on freebsd-stable. The delay from additional release candidates has drawn mixed reactions – understanding of the security fixes, but also impatience for the final release.

Looking Ahead

• BSDCan 2026 and the FreeBSD Developer Summit take place June 17–18 in Ottawa, Canada.
• FreeBSD 15.1-RELEASE is expected mid-June, assuming no further critical issues surface.
• AI-driven security research (Calif.io, AISLE, Anthropic Mythos) has established itself as a serious force – expect more findings.

This was one of the most security-intensive weeks in recent FreeBSD history. Between AI-discovered vulnerabilities, a new release candidate, and the Foundation’s Executive Director daily-driving FreeBSD on a laptop, there was plenty to talk about.

FreeBSD 15.1-RC1 Released

On May 29, Colin Percival released the first release candidate for FreeBSD 15.1. RC1 includes a batch of security fixes (more below), improvements to the fwget firmware tool, and various small kernel bug fixes and man page updates.

The 15.1-RELEASE is planned for June, assuming no further surprises. The release cycle has been fairly smooth so far: BETA1 dropped on May 2, and RC1 is the latest milestone.

Download: https://download.freebsd.org/releases/ISO-IMAGES/15.1/

Security Advisories: The May 2026 Batch

On May 20, FreeBSD published seven security advisories in a single day — enough to make even seasoned operators sweat. Xiujun Ma published an excellent triage guide that I recommend every admin read.

The two most critical:

SA-26:18.setcred — Kernel-Level RCE

The setcred(2) system call copies a user-supplied list of supplementary groups into a fixed-size kernel stack buffer without checking the length. The result: a kernel stack overflow that enables arbitrary kernel-level code execution. Any local user can trigger this, no special configuration required, all supported FreeBSD versions affected. Patch immediately.

SA-26:21.ptrace — Local Privilege Escalation (CVE-2026-45253)

Insufficient parameter validation in the PT_SC_REMOTE ptrace operation allows unprivileged local users to execute arbitrary system calls inside a target process. Local → root. On multi-user boxes and jail hosts, this is also a same-day patch.

The remaining five advisories:

Advisory	Issue	Urgency
SA-26:24.cap_net	Capsicum permission limit bypass	This week
SA-26:22.libcasper	Stack overflow via select(2) with >1024 file descriptors (CVE-2026-45252)	This week
SA-26:23.bsdinstall	Root RCE via malicious Wi-Fi SSIDs during installer scanning (CVE-2026-45255)	Before next install/re-image
SA-26:20.fusefs	Kernel heap disclosure/injection via rogue FUSE daemon	Only if fusefs.kois loaded
SA-26:19.file	file(1) / libmagic issue	This week

AI-Discovered Vulnerabilities: Calif.io and AISLE

This is the big story of the week: AI systems are now actively finding FreeBSD kernel bugs.

Calif.io — “An AI Audit of FreeBSD”

Security research firm Calif.io published a detailed blog postdescribing their AI-driven audit of the FreeBSD kernel. Within a few weeks, the AI found:

• 5 local privilege escalations
• 1 bhyve guest-to-host escape
• A handful of memory disclosures and DoS bugs

In total, 15 kernel bugs, all reported to the FreeBSD security team. Notably, Calif.io coordinated with the FreeBSD team, focused on their priorities, and only reported high/critical bugs — no CVE-chasing, just targeted help.

One of the published exploits is setcred (CVE-2026-45250): a single-character sizeof confusion in kern_setcred_copyin_supp_groups that turns into a stack overflow and then a local root shell. Only FreeBSD 14.4 is exploitable, despite the same source bug being present in 14.3 and 15.0.

AISLE — Autonomous Vulnerability Discovery

The AISLE Research Team also made waves. On May 25, they published a report on three stack buffer overflows in ping6, libnv, and libcasper — all reachable through the same fundamental mechanism: FD_SET() with file descriptors above 1023.

The ping6 bug is particularly notable: the binary runs setuid-root, meaning any local user can trigger the vulnerable path in a process with effective UID 0. Ironically, FreeBSD had already fixed this exact bug class in closely related code back in 2002 — the guard in ping6 disappeared during a later refactoring and never returned.

AISLE also discovered a 21-year-old RCE in dhclient (CVE-2026-42511) and reported that their autonomous system independently found three of the eight April security advisories — matching Anthropic’s “Claude Mythos” on capability.

Deb Goodkin Daily-Drives FreeBSD on a Framework Laptop

Deb Goodkin, the FreeBSD Foundation’s Executive Director since 2005, spoke at the Open Source Summit + ELC NA 2026 in Minneapolis about her experience daily-driving FreeBSD on a Framework Laptop. Until recently, she hadn’t been running FreeBSD as her daily OS because it “felt like a mountain.”

Her takeaways:

• Touchscreen worked out of the box
• KDE desktop ran stable
• Peripherals like a wireless mouse worked without issues
• Zoom eventually worked after some troubleshooting
• Webcam required manual setup
• Microsoft Teams only partially functional

This aligns with the Foundation’s ongoing Laptop Integration Testing Project, which aims to close the graphics and Wi-Fi driver gap with Linux in 2026.

NVIDIA Driver Update

The NVIDIA graphics driver in FreeBSD ports was updated to version 595.71.05. Anyone running NVIDIA hardware on FreeBSD should plan to update the port.

Mailing List Discussions

• Boot issues: Multiple reports of boot-time problems and hangs with 15.1 installations, particularly in diskless operation. Discussions on freebsd-stable and freebsd-current are ongoing.
• 15.1-BETA1 pkgbase fingerprint issue: Graham Perrin reported a problem with base package fingerprints in 15.1-BETA1, which Colin Percival has acknowledged.

OpenBSD 7.9 (Neighbor Note)

OpenBSD 7.9 was released on May 30 — with support for up to 255 CPU cores and WiFi 6. Not directly FreeBSD, but worth noting for anyone following the BSD ecosystem.

Week in Review

The big takeaway: AI-driven security research is no longer a theoretical concept — it’s actively finding kernel bugs in FreeBSD. At the same time, the cooperation between Calif.io/AISLE and the FreeBSD team shows what constructive engagement looks like: short reports, suggested patches, direct communication rather than CVE-count chasing.

FreeBSD 15.1-RELEASE is approaching and will include all of these fixes. If you operate multi-user systems, patch SA-26:18.setcred and SA-26:21.ptrace immediately — the rest of the advisories can wait until this week.