FreeBSD Weekly Roundup: May 25 – June 1, 2026

This was one of the most security-intensive weeks in recent FreeBSD history. Between AI-discovered vulnerabilities, a new release candidate, and the Foundation’s Executive Director daily-driving FreeBSD on a laptop, there was plenty to talk about.

FreeBSD 15.1-RC1 Released

On May 29, Colin Percival released the first release candidate for FreeBSD 15.1. RC1 includes a batch of security fixes (more below), improvements to the fwget firmware tool, and various small kernel bug fixes and man page updates.

The 15.1-RELEASE is planned for June, assuming no further surprises. The release cycle has been fairly smooth so far: BETA1 dropped on May 2, and RC1 is the latest milestone.

Download: https://download.freebsd.org/releases/ISO-IMAGES/15.1/

Security Advisories: The May 2026 Batch

On May 20, FreeBSD published seven security advisories in a single day — enough to make even seasoned operators sweat. Xiujun Ma published an excellent triage guide that I recommend every admin read.

The two most critical:

SA-26:18.setcred — Kernel-Level RCE

The setcred(2) system call copies a user-supplied list of supplementary groups into a fixed-size kernel stack buffer without checking the length. The result: a kernel stack overflow that enables arbitrary kernel-level code execution. Any local user can trigger this, no special configuration required, all supported FreeBSD versions affected. Patch immediately.

SA-26:21.ptrace — Local Privilege Escalation (CVE-2026-45253)

Insufficient parameter validation in the PT_SC_REMOTE ptrace operation allows unprivileged local users to execute arbitrary system calls inside a target process. Local → root. On multi-user boxes and jail hosts, this is also a same-day patch.

The remaining five advisories:

| Advisory | Issue | Urgency |
|---|---|---|
| SA-26:24.cap_net | Capsicum permission limit bypass | This week |
| SA-26:22.libcasper | Stack overflow via select(2) with >1024 file descriptors (CVE-2026-45252) | This week |
| SA-26:23.bsdinstall | Root RCE via malicious Wi-Fi SSIDs during installer scanning (CVE-2026-45255) | Before next install/re-image |
| SA-26:20.fusefs | Kernel heap disclosure/injection via rogue FUSE daemon | Only if fusefs.ko is loaded |
| SA-26:19.file | file(1) / libmagic issue | This week |

AI-Discovered Vulnerabilities: Calif.io and AISLE

This is the big story of the week: AI systems are now actively finding FreeBSD kernel bugs.

Calif.io — “An AI Audit of FreeBSD”

Security research firm Calif.io published a detailed blog post describing their AI-driven audit of the FreeBSD kernel. Within a few weeks, the AI found:

  • 5 local privilege escalations
  • 1 bhyve guest-to-host escape
  • A handful of memory disclosures and DoS bugs

In total, 15 kernel bugs, all reported to the FreeBSD security team. Notably, Calif.io coordinated with the FreeBSD team, focused on their priorities, and only reported high/critical bugs — no CVE-chasing, just targeted help.

One of the published exploits is setcred (CVE-2026-45250): a single-character sizeof confusion in kern_setcred_copyin_supp_groups that turns into a stack overflow and then a local root shell. Only FreeBSD 14.4 is exploitable, despite the same source bug being present in 14.3 and 15.0.

AISLE — Autonomous Vulnerability Discovery

The AISLE Research Team also made waves. On May 25, they published a report on three stack buffer overflows in ping6, libnv, and libcasper — all reachable through the same fundamental mechanism: FD_SET() with file descriptors above 1023.

The ping6 bug is particularly notable: the binary runs setuid-root, meaning any local user can trigger the vulnerable path in a process with effective UID 0. Ironically, FreeBSD had already fixed this exact bug class in closely related code back in 2002 — the guard in ping6 disappeared during a later refactoring and never returned.

AISLE also discovered a 21-year-old RCE in dhclient (CVE-2026-42511) and reported that their autonomous system independently found three of the eight April security advisories — matching Anthropic’s “Claude Mythos” on capability.

Deb Goodkin Daily-Drives FreeBSD on a Framework Laptop

Deb Goodkin, the FreeBSD Foundation’s Executive Director since 2005, spoke at the Open Source Summit + ELC NA 2026 in Minneapolis about her experience daily-driving FreeBSD on a Framework Laptop. Until recently, she hadn’t been running FreeBSD as her daily OS because it “felt like a mountain.”

Her takeaways:

  • Touchscreen worked out of the box
  • KDE desktop ran stable
  • Peripherals like a wireless mouse worked without issues
  • Zoom eventually worked after some troubleshooting
  • Webcam required manual setup
  • Microsoft Teams only partially functional

This aligns with the Foundation’s ongoing Laptop Integration Testing Project, which aims to close the graphics and Wi-Fi driver gap with Linux in 2026.

NVIDIA Driver Update

The NVIDIA graphics driver in FreeBSD ports was updated to version 595.71.05. Anyone running NVIDIA hardware on FreeBSD should plan to update the port.

Mailing List Discussions

  • Boot issues: Multiple reports of boot-time problems and hangs with 15.1 installations, particularly in diskless operation. Discussions on freebsd-stable and freebsd-current are ongoing.
  • 15.1-BETA1 pkgbase fingerprint issue: Graham Perrin reported a problem with base package fingerprints in 15.1-BETA1, which Colin Percival has acknowledged.

OpenBSD 7.9 (Neighbor Note)

OpenBSD 7.9 was released on May 30 — with support for up to 255 CPU cores and WiFi 6. Not directly FreeBSD, but worth noting for anyone following the BSD ecosystem.

Week in Review

The big takeaway: AI-driven security research is no longer a theoretical concept — it’s actively finding kernel bugs in FreeBSD. At the same time, the cooperation between Calif.io/AISLE and the FreeBSD team shows what constructive engagement looks like: short reports, suggested patches, direct communication rather than CVE-count chasing.

FreeBSD 15.1-RELEASE is approaching and will include all of these fixes. If you operate multi-user systems, patch SA-26:18.setcred and SA-26:21.ptrace immediately — the rest of the advisories can wait until this week.
