A third release candidate for FreeBSD 15.1, critical x86 bootloader bugs, a flood of AI-discovered vulnerabilities, and the Frankfurt hackathon recap – this week was packed for FreeBSD.
FreeBSD 15.1-RC3 Released – Release Pushed to Mid-June
The week’s headline event: Colin Percival announced FreeBSD 15.1-RC3 on June 6. A third release candidate was needed because a critical bug in the x86 bootloader/kernel handoff was discovered that could cause systems to hang during boot – most commonly, but not exclusively, when Intel microcode updates are being loaded.
The announcement explicitly warns: when upgrading to RC3, you must install the updated EFI bootloader. The originally planned early-June release date has slipped to mid-June.
RC2 (May 31) had already re-introduced PadLock RNG support for VIA/Zhaoxin processors and integrated security fixes from SA-26:19 through SA-26:24. RC3 builds on that with the critical bootloader fix.
Available images include amd64, powerpc64(le), armv7, aarch64 (including RPI, PINE64, ROCK64), and riscv64, plus VM images (QCOW2, VHD, VMDK, raw), OCI container images, and Amazon EC2 AMI images.
Security Advisories – AI-Driven Vulnerability Discovery Makes Its Mark
The wave of security advisories published in late May (SA-26:18 through SA-26:24) continues to dominate discussions. Notably, most of these vulnerabilities were discovered through AI-driven security research:
SA-26:18.setcred – Stack Buffer Overflow via setcred(2)
A stack buffer overflow in the new setcred(2) system call that could lead to local privilege escalation (CVE-2026-45250).
SA-26:19.file – Kernel Use-After-Free via File Descriptor Syscalls
Discovered by Calif.io. A use-after-free in the kernel through file descriptor system calls.
SA-26:20.fusefs – Heap Overflow in FUSE_LISTXATTR
Discovered by the AISLE Research Team. A heap overflow in the FUSE file system code.
SA-26:21.ptrace – Missing Validation in ptrace(PT_SC_REMOTE)
Found by researchers using GLM-5.1 from Z.ai. Unprivileged local users could escalate privileges to root.
SA-26:22.libcasper – select(2) FD Set Overflow → Stack Overflow
Also from the AISLE Research Team. A file descriptor set overflow in select(2) led to a stack overflow. CVE-2026-39457 and CVE-2026-39461 were assigned.
SA-26:23.bsdinstall – RCE via Wi-Fi Access Point Scans
A suitably crafted network name (SSID) could cause command execution via sub-shell during Wi-Fi scans in bsdinstall and bsdconfig.
SA-26:24.capnet – Incorrect libcap_net Permission List Manipulation
Incorrect manipulation of permission lists in libcap_net could extend a process’s permissions.
Earlier Advisory from April: SA-26:14.pf – pf Stack Overflow via SCTP
Published April 29 but relevant context for the current wave: invalid SCTP packets could trigger unbounded recursion in pf, resulting in a stack overflow and kernel panic (CVE-2026-7164).
AISLE: Three setuid-root Stack Buffer Overflows Uncovered
On May 25, the AISLE Research Team published a detailed blog post on discovering three separate stack buffer overflows in FreeBSD, all reachable through the same basic attack vector:
- ping6: The setuid-root binary lost a safety check that the closely related ping program retained. A local user could open many file descriptors and then execute /sbin/ping6, forcing later descriptors above 1023 and reaching unchecked FD_SET() calls.
- libnv: The same FD_SET overflow in the NV encoding library.
- libcasper: Ironically, the bug also hit FreeBSD’s Capsicum/Casper sandboxing infrastructure, which exists specifically to contain untrusted operations.
Particularly interesting: the ping6 bug had been fixed in closely related code back in 2002, but the corresponding guard was removed during a refactoring and never restored.
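The guard at issue in these FD_SET() bugs, as an added example (not code from FreeBSD or from the AISLE post): a select(2) wait that range-checks the descriptor before FD_SET(), next to a poll(2) wait that needs no bitmap. The function names are hypothetical and the pipe in main() is constructed test input.

```c
#include <errno.h>
#include <limits.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* For a non-negative fd: how many bits past the end of the fd_set bitmap
 * FD_SET(fd) would write, or -1 when fd fits. Unchecked, that write lands
 * in whatever follows the fd_set (the stack, in the bugs described above). */
static long fd_set_bits_past_end(int fd)
{
    long capacity = (long)sizeof(fd_set) * CHAR_BIT;
    return fd < capacity ? -1 : fd - capacity;
}

/* select()-based wait that keeps the range check in front of FD_SET(). */
static int wait_readable_select(int fd, int timeout_ms)
{
    fd_set rfds;
    struct timeval tv = { .tv_sec = timeout_ms / 1000,
                          .tv_usec = (timeout_ms % 1000) * 1000 };
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;          /* refuse instead of writing out of bounds */
        return -1;
    }
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    return select(fd + 1, &rfds, NULL, NULL, &tv);
}

/* poll()-based wait: the descriptor is passed by value, so there is no
 * fixed-size bitmap to overflow when the fd number is large. */
static int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    return poll(&p, 1, timeout_ms);
}

int main(void)
{
    int p[2];                    /* constructed input: a pipe with one byte */
    if (pipe(p) != 0 || write(p[1], "x", 1) != 1)
        return 1;
    printf("select fd %d -> %d\n", p[0], wait_readable_select(p[0], 0));
    printf("poll   fd %d -> %d\n", p[0], wait_readable_poll(p[0], 0));
    printf("select fd %d -> %d\n", FD_SETSIZE, wait_readable_select(FD_SETSIZE, 0));
    printf("fd %d is %ld bits past the bitmap\n", FD_SETSIZE + 5,
           fd_set_bits_past_end(FD_SETSIZE + 5));
    return 0;
}
```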
Blog Posts and Articles
“An AI audit of FreeBSD” (blog.calif.io, May 28)
Calif.io published a comprehensive retrospective on their AI-driven audit campaign against FreeBSD. Result: 15 kernel bugs, including 3 Remote Code Execution (RCE), 5 Local Privilege Escalation (LPE), and 1 bhyve escape.
“CVE-2026-7270: How I Get Root on FreeBSD with a Shell Script” (blog.calif.io, May 7)
Another Calif.io article demonstrating how a single shell script was enough to gain root access on a FreeBSD system.
AISLE: “AISLE matches Anthropic Mythos on FreeBSD zero-days” (May 6)
AISLE reports independently reproducing three of the eight FreeBSD security advisories from April 2026 that were also found by Nicholas Carlini at Anthropic (Claude Mythos).
AISLE: “AISLE Finds 21-Year-Old FreeBSD RCE Hidden in dhclient” (May 7)
CVE-2026-42511: A 21-year-old remote code execution vulnerability in dhclient, where the BOOTP file field was not properly escaped, allowing injection of arbitrary dhclient.conf directives.
Frankfurt Area FreeBSD Hackathon Recap (FreeBSD Foundation, June 2)
The FreeBSD Foundation published a recap of the first regional hackathon in the Frankfurt area (April 24–26). Results: 120 closed bug reports, successful implementation of SBOM (Software Bill of Materials) functionality, and a German translation of Sylve.
“FreeBSD May 2026 Security Batch – An Operator’s Triage Guide” (maxiujun.com)
A practical triage guide for admins: of the seven simultaneously published advisories, two are kernel-side and trivially exploitable by any local user – patch those first.
Mailing List Discussions
mtree(1) POLA Violation
Gleb Smirnoff flagged on the freebsd-current list that the recent mtree(1) import from NetBSD constitutes a POLA (Principle of Least Astonishment) violation: checksum behavior has changed. Jose Luis Duran and Xin LI discussed potential corrections; a differential (D56013) was submitted to add missing entries.
15.1 Release Planning
Mailing list activity shows the typical end-of-cycle intensity: RC1, RC2, and RC3 were each announced on freebsd-stable. The delay from additional release candidates has drawn mixed reactions – understanding of the security fixes, but also impatience for the final release.
Looking Ahead
- BSDCan 2026 and the FreeBSD Developer Summit take place June 17–18 in Ottawa, Canada.
- FreeBSD 15.1-RELEASE is expected mid-June, assuming no further critical issues surface.
- AI-driven security research (Calif.io, AISLE, Anthropic Mythos) has established itself as a serious force – expect more findings.