FreeBSD Weekly Review – Week 25 (June 16–22, 2026)

This week belonged to FreeBSD: the 15.1 release, a massive security advisory batch, a new AI-assisted vulnerability project, and the end-of-life announcement for 14.3 — plenty to digest.

FreeBSD 15.1-RELEASE Is Here

The big headline: on June 16, the Release Engineering Team published FreeBSD 15.1-RELEASE. A critical x86 bootloader bug had delayed it by two weeks, but the second release from the stable/15 branch is now available.

Key changes in 15.1

WiFi drivers updated to Linux 6.7/7.0 level: The LinuxKPI-based wireless drivers (iwlwifi and others) have been brought up to the Linux kernel 7.0 level, delivering significantly better compatibility with modern WiFi hardware — especially Intel chipsets and select MediaTek/Realtek devices.

C23 support progresses: The compiler and standard library have made further strides toward full C23 compliance.

Graphics drivers upgraded to Linux 6.12 (LTS): The FreeBSD Foundation announced that the drm-kmod port now includes the Linux 6.12 graphics driver, an LTS kernel with planned maintenance through 2036 (CIP program). This brings better compatibility with current AMD Radeon and Intel GPUs and improved Wayland support. Available for FreeBSD 15.1 onward.

Other notable changes in 15.1:

  • OpenPAM moved to a separate FreeBSD-pam package (pkgbase)
  • Zstandard/zstd(1) moved to a separate FreeBSD-zstd package
  • installworld/installkernel blocked on pkgbase systems to prevent database inconsistencies
  • Default shell for root and the freebsd user in release images changed from csh(1) to sh(1)
  • find(1) gains -xattr and -xattrname primaries for searching by extended attributes (sponsored by Klara Systems)
  • newfs(8) now prevents simultaneous GEOM journaling and soft updates; new -u flag to disable soft updates
  • bectl(8) new -E flag to create empty boot environments without cloning
  • zfs clone supports -u to prevent automatic mounting of new datasets
  • ipfs(8) disabled by default; kernel support now optional
  • New keyboard layouts: us.intl.acc.kbd and Lenovo laptop keymap for vt(4)
  • diff3(1) merge mode now GNU-compatible
  • pwd(1) defaults to -L (logical), following POSIX semantics

Release info: freebsd.org/releases/15.1R

Nine Security Advisories at Once

On June 9 — before the release — the Security Team published nine advisories simultaneously, several rated core with critical impact:

AdvisoryComponentCategoryTopic
SA-26:25.thrkernel (thr)coreMissing permission check in thr_kill2(2)
SA-26:26.ktlskernel (ktls)coreArbitrary file overwrite via KTLS receive path
SA-26:27.soundkernel (sound)coreMultiple vulnerabilities in sound(4) mmap path
SA-26:29.ip6_multicastkernel (ip6_multi)coreUse-after-free in IPV6_MSFILTER
SA-26:30.linuxkernel (linux)coreFlaw in Linuxulator execution of setugid binaries
SA-26:31.arm64kernel (arm64)coreARM CPU errata bypasses page table permission changes
SA-26:32.elfkernel (elf)coreASLR bypass for setuid executables via procctl(2)
SA-26:34.vtkernel (vt)coreInteger overflow in vt(4) CONS_HISTORY ioctl
SA-26:35.opensslopensslcontribMultiple OpenSSL vulnerabilities
SA-26:36.ldnsldnscontribInsufficient response validation in ldns stub resolver

All advisories are patched in 15.1-RELEASE. Users on older versions should update immediately.

AI-Assisted Vulnerability Discovery Project Launched

On June 15, the FreeBSD Foundation announced the AI-assisted Vulnerability Discovery Project, funded by a $250,000 grant from the Linux Foundation’s Alpha Omega initiative (backed by Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI).

Key points:

  • Focus initially on the kernel, then userland and ports
  • AI used for discovery and analysis only; all patches are manually crafted
  • Netflix, NetApp, and Verisign supporting testing and validation
  • The project responds to the flood of AI-generated vulnerability reports overwhelming the volunteer security team

Coinciding with this, Praetorian published a detailed blog post about their own AI-powered research: using Claude Code (Opus 4.6), they found eight FreeBSD kernel vulnerabilities in just days, including CVE-2026-3038 (a stack overflow in the route subsystem, already patched in SA-26:05.route). The other seven are still being processed. The post walks through their methodology — from source analysis to crash reproduction to exploit development with jail escape.

FreeBSD 14.3 Reaches End-of-Life

On June 20, the Security Team announced that FreeBSD 14.3 reaches end-of-life on June 30, 2026 — no more security patches after that. Users should upgrade to 14.4 or 15.1. The stable/14 branch will remain maintained until November 2028.


Blog Posts and Community

pkgbasify — converting to packaged base elegantly: Dag-Erling Smørgrav (blog.des.no) describes his approach to converting FreeBSD 15.1 systems from distribution sets to pkgbase with a single pkg install command. He critiques the Foundation’s official pkgbasify script and offers a more direct alternative. If you’ve been meaning to try pkgbase, this is a practical guide.

Native inotify in FreeBSD: Klara Systems published a deep dive into the limitations of EVFILT_VNODE/kqueue for file monitoring and why FreeBSD needs a native inotify implementation. The existing libinotify userspace wrapper suffers from race conditions and scalability issues — the article explains the technical details and proposes solutions.

ZFS Vendor Import: Chris Longros reports that his ZFS commits have been upstreamed into the FreeBSD tree — a small but important milestone for ongoing ZFS maintenance.

In the Source Tree

Selected commits from the past week:

  • FORTIFY_SOURCE overrides: Kevans implements per-file FORTIFY_SOURCE overrides in the build system — a step toward more robust buffer checks in the base system
  • rename(2): Kostik Belousov prevents renaming the root vnode of a mounted filesystem (security fix)
  • renameat(2): Signal check added in retry loops
  • NFS va_flags fix: Correction for the case where va_flags are being cleared
  • lsof: Fix for building on 16-CURRENT (malloc.h conflict)
  • APEI: More information provided on fatal hardware errors

Summary

This week was dominated by the FreeBSD 15.1 release — one that noticeably improves laptop and desktop viability (WiFi, graphics, better suspend/resume). At the same time, the flood of security advisories and the new AI vulnerability project underscore how much the threat landscape is shifting: AI tools are drastically lowering the barrier to vulnerability discovery, and FreeBSD is responding in kind. Anyone still on 14.3 needs to act by June 30 at the latest.