FreeBSD Weekly Review – Week 23/2026 (June 2–8, 2026)

A third release candidate for FreeBSD 15.1, critical x86 bootloader bugs, a flood of AI-discovered vulnerabilities, and the Frankfurt hackathon recap – this week was packed for FreeBSD.

FreeBSD 15.1-RC3 Released – Release Pushed to Mid-June

The week’s headline event: Colin Percival announced FreeBSD 15.1-RC3 on June 6. A third release candidate was needed after the discovery of a critical bug in the x86 bootloader/kernel handoff that could cause systems to hang during boot – most commonly, but not exclusively, when Intel microcode updates are being loaded.

The announcement explicitly warns: when upgrading to RC3, you must install the updated EFI bootloader. The originally planned early-June release date has slipped to mid-June.

RC2 (May 31) had already re-introduced PadLock RNG support for VIA/Zhaoxin processors and integrated security fixes from SA-26:19 through SA-26:24. RC3 builds on that with the critical bootloader fix.

Available images include amd64, powerpc64(le), armv7, aarch64 (including RPI, PINE64, ROCK64), and riscv64, plus VM images (QCOW2, VHD, VMDK, raw), OCI container images, and Amazon EC2 AMI images.

Security Advisories – AI-Driven Vulnerability Discovery Makes Its Mark

The wave of security advisories published in late May (SA-26:18 through SA-26:24) continues to dominate discussions. Notably, most of these vulnerabilities were discovered through AI-driven security research:

SA-26:18.setcred – Stack Buffer Overflow via setcred(2)

A stack buffer overflow in the new setcred(2) system call that could lead to local privilege escalation (CVE-2026-45250).

SA-26:19.file – Kernel Use-After-Free via File Descriptor Syscalls

Discovered by Calif.io. A use-after-free in the kernel through file descriptor system calls.

SA-26:20.fusefs – Heap Overflow in FUSE_LISTXATTR

Discovered by the AISLE Research Team. A heap overflow in the FUSE file system code.

SA-26:21.ptrace – Missing Validation in ptrace(PT_SC_REMOTE)

Found by researchers using GLM-5.1 from Z.ai. Unprivileged local users could escalate privileges to root.

SA-26:22.libcasper – select(2) FD Set Overflow → Stack Overflow

Also from the AISLE Research Team. A file descriptor set overflow in select(2) led to a stack overflow. CVE-2026-39457 and CVE-2026-39461 were assigned.

SA-26:23.bsdinstall – RCE via Wi-Fi Access Point Scans

A suitably crafted network name (SSID) could cause command execution via sub-shell during Wi-Fi scans in bsdinstall and bsdconfig.

SA-26:24.cap_net – Incorrect libcap_net Permission List Manipulation

Incorrect manipulation of permission lists in libcap_net could extend a process’s permissions.

Earlier Advisory from April: SA-26:14.pf – pf Stack Overflow via SCTP

Published April 29 but relevant context for the current wave: invalid SCTP packets could trigger unbounded recursion in pf, resulting in a stack overflow and kernel panic (CVE-2026-7164).

AISLE: Three setuid-root Stack Buffer Overflows Uncovered

On May 25, the AISLE Research Team published a detailed blog post on discovering three separate stack buffer overflows in FreeBSD, all reachable through the same basic attack vector:

  1. ping6: The setuid-root binary lost a safety check that the closely related ping program retained. A local user could open many file descriptors and then execute /sbin/ping6, forcing later descriptors above 1023 and reaching unchecked FD_SET() calls.
  2. libnv: The same FD_SET overflow in the NV encoding library.
  3. libcasper: Ironically, the bug also hit FreeBSD’s Capsicum/Casper sandboxing infrastructure, which exists specifically to contain untrusted operations.

Particularly interesting: the ping6 bug had been fixed in closely related code back in 2002, but the corresponding guard was removed during a refactoring and never restored.

Blog Posts and Articles

“An AI audit of FreeBSD” (blog.calif.io, May 28)

Calif.io published a comprehensive retrospective on their AI-driven audit campaign against FreeBSD. Result: 15 kernel bugs, including 3 Remote Code Execution (RCE), 5 Local Privilege Escalation (LPE), and 1 bhyve escape.

“CVE-2026-7270: How I Get Root on FreeBSD with a Shell Script” (blog.calif.io, May 7)

Another Calif.io article demonstrating how a single shell script was enough to gain root access on a FreeBSD system.

AISLE: “AISLE matches Anthropic Mythos on FreeBSD zero-days” (May 6)

AISLE reports independently reproducing three of the eight FreeBSD security advisories from April 2026 that were also found by Nicholas Carlini at Anthropic (Claude Mythos).

AISLE: “AISLE Finds 21-Year-Old FreeBSD RCE Hidden in dhclient” (May 7)

CVE-2026-42511: A 21-year-old remote code execution vulnerability in dhclient, where the BOOTP file field was not properly escaped, allowing injection of arbitrary dhclient.conf directives.

Frankfurt Area FreeBSD Hackathon Recap (FreeBSD Foundation, June 2)

The FreeBSD Foundation published a recap of the first regional hackathon in the Frankfurt area (April 24–26). Results: 120 closed bug reports, successful implementation of SBOM (Software Bill of Materials) functionality, and a German translation of Sylve.

“FreeBSD May 2026 Security Batch – An Operator’s Triage Guide” (maxiujun.com)

A practical triage guide for admins: of the seven simultaneously published advisories, two are kernel-side and trivially exploitable by any local user – patch those first.

Mailing List Discussions

mtree(1) POLA Violation

Gleb Smirnoff flagged on the freebsd-current list that the recent mtree(1) import from NetBSD constitutes a POLA (Principle of Least Astonishment) violation: checksum behavior has changed. Jose Luis Duran and Xin LI discussed potential corrections; a differential (D56013) was submitted to add missing entries.

15.1 Release Planning

Mailing list activity shows the typical end-of-cycle intensity: RC1, RC2, and RC3 were each announced on freebsd-stable. The delay from additional release candidates has drawn mixed reactions – understanding of the security fixes, but also impatience for the final release.

Looking Ahead

  • BSDCan 2026 and the FreeBSD Developer Summit take place June 17–18 in Ottawa, Canada.
  • FreeBSD 15.1-RELEASE is expected mid-June, assuming no further critical issues surface.
  • AI-driven security research (Calif.io, AISLE, Anthropic Mythos) has established itself as a serious force – expect more findings.

FreeBSD Weekly Roundup: May 25 – June 1, 2026

This was one of the most security-intensive weeks in recent FreeBSD history. Between AI-discovered vulnerabilities, a new release candidate, and the Foundation’s Executive Director daily-driving FreeBSD on a laptop, there was plenty to talk about.

FreeBSD 15.1-RC1 Released

On May 29, Colin Percival released the first release candidate for FreeBSD 15.1. RC1 includes a batch of security fixes (more below), improvements to the fwget firmware tool, and various small kernel bug fixes and man page updates.

The 15.1-RELEASE is planned for June, assuming no further surprises. The release cycle has been fairly smooth so far: BETA1 dropped on May 2, and RC1 is the latest milestone.

Download: https://download.freebsd.org/releases/ISO-IMAGES/15.1/

Security Advisories: The May 2026 Batch

On May 20, FreeBSD published seven security advisories in a single day — enough to make even seasoned operators sweat. Xiujun Ma published an excellent triage guide that I recommend every admin read.

The two most critical:

SA-26:18.setcred — Kernel-Level RCE

The setcred(2) system call copies a user-supplied list of supplementary groups into a fixed-size kernel stack buffer without checking the length. The result: a kernel stack overflow that enables arbitrary kernel-level code execution. Any local user can trigger this, no special configuration required, all supported FreeBSD versions affected. Patch immediately.

SA-26:21.ptrace — Local Privilege Escalation (CVE-2026-45253)

Insufficient parameter validation in the PT_SC_REMOTE ptrace operation allows unprivileged local users to execute arbitrary system calls inside a target process. Local → root. On multi-user boxes and jail hosts, this is also a same-day patch.

The remaining five advisories:

| Advisory | Issue | Urgency |
|---|---|---|
| SA-26:24.cap_net | Capsicum permission limit bypass | This week |
| SA-26:22.libcasper | Stack overflow via select(2) with >1024 file descriptors (CVE-2026-45252) | This week |
| SA-26:23.bsdinstall | Root RCE via malicious Wi-Fi SSIDs during installer scanning (CVE-2026-45255) | Before next install/re-image |
| SA-26:20.fusefs | Kernel heap disclosure/injection via rogue FUSE daemon | Only if fusefs.ko is loaded |
| SA-26:19.file | file(1) / libmagic issue | This week |

AI-Discovered Vulnerabilities: Calif.io and AISLE

This is the big story of the week: AI systems are now actively finding FreeBSD kernel bugs.

Calif.io — “An AI Audit of FreeBSD”

Security research firm Calif.io published a detailed blog post describing their AI-driven audit of the FreeBSD kernel. Within a few weeks, the AI found:

  • 5 local privilege escalations
  • 1 bhyve guest-to-host escape
  • A handful of memory disclosures and DoS bugs

In total, 15 kernel bugs, all reported to the FreeBSD security team. Notably, Calif.io coordinated with the FreeBSD team, focused on their priorities, and only reported high/critical bugs — no CVE-chasing, just targeted help.

One of the published exploits is setcred (CVE-2026-45250): a single-character sizeof confusion in kern_setcred_copyin_supp_groups that turns into a stack overflow and then a local root shell. Only FreeBSD 14.4 is exploitable, despite the same source bug being present in 14.3 and 15.0.

AISLE — Autonomous Vulnerability Discovery

The AISLE Research Team also made waves. On May 25, they published a report on three stack buffer overflows in ping6, libnv, and libcasper — all reachable through the same fundamental mechanism: FD_SET() with file descriptors above 1023.

The ping6 bug is particularly notable: the binary runs setuid-root, meaning any local user can trigger the vulnerable path in a process with effective UID 0. Ironically, FreeBSD had already fixed this exact bug class in closely related code back in 2002 — the guard in ping6 disappeared during a later refactoring and never returned.

AISLE also discovered a 21-year-old RCE in dhclient (CVE-2026-42511) and reported that their autonomous system independently found three of the eight April security advisories — matching Anthropic’s “Claude Mythos” on capability.

Deb Goodkin Daily-Drives FreeBSD on a Framework Laptop

Deb Goodkin, the FreeBSD Foundation’s Executive Director since 2005, spoke at the Open Source Summit + ELC NA 2026 in Minneapolis about her experience daily-driving FreeBSD on a Framework Laptop. Until recently, she hadn’t been running FreeBSD as her daily OS because it “felt like a mountain.”

Her takeaways:

  • Touchscreen worked out of the box
  • KDE desktop ran stable
  • Peripherals like a wireless mouse worked without issues
  • Zoom eventually worked after some troubleshooting
  • Webcam required manual setup
  • Microsoft Teams only partially functional

This aligns with the Foundation’s ongoing Laptop Integration Testing Project, which aims to close the graphics and Wi-Fi driver gap with Linux in 2026.

NVIDIA Driver Update

The NVIDIA graphics driver in FreeBSD ports was updated to version 595.71.05. Anyone running NVIDIA hardware on FreeBSD should plan to update the port.

Mailing List Discussions

  • Boot issues: Multiple reports of boot-time problems and hangs with 15.1 installations, particularly in diskless operation. Discussions on freebsd-stable and freebsd-current are ongoing.
  • 15.1-BETA1 pkgbase fingerprint issue: Graham Perrin reported a problem with base package fingerprints in 15.1-BETA1, which Colin Percival has acknowledged.

OpenBSD 7.9 (Neighbor Note)

OpenBSD 7.9 was released on May 30 — with support for up to 255 CPU cores and WiFi 6. Not directly FreeBSD, but worth noting for anyone following the BSD ecosystem.

Week in Review

The big takeaway: AI-driven security research is no longer a theoretical concept — it’s actively finding kernel bugs in FreeBSD. At the same time, the cooperation between Calif.io/AISLE and the FreeBSD team shows what constructive engagement looks like: short reports, suggested patches, direct communication rather than CVE-count chasing.

FreeBSD 15.1-RELEASE is approaching and will include all of these fixes. If you operate multi-user systems, patch SA-26:18.setcred and SA-26:21.ptrace immediately — the rest of the advisories can wait until this week.

FreeBSD Weekly Review: May 19–25, 2026

This past week was one of the most eventful for FreeBSD in recent memory: six security advisories dropped simultaneously, FreeBSD 15.1 hit release candidate status, and the FreeBSD Foundation’s executive director went public about daily-driving FreeBSD on a laptop.

FreeBSD 15.1-RC1 Released

On May 22, Colin Percival announced FreeBSD 15.1-RC1 — the first and likely only release candidate before the planned final release in early June. RC1 is available for amd64, powerpc64, powerpc64le, armv7, aarch64 (including RPI, PINE64, PINEBOOK, ROCK64, ROCKPRO64), and riscv64.

Changes since Beta 3 include:

  • The six new security advisories SA-26:18 through SA-26:24 (see below)
  • Improvements to fwget(8) for automatically identifying necessary firmware for more Wi-Fi cards
  • EC2 “small” instances no longer run firstboot_pkgs by default
  • freebsd-update no longer prompts to merge changes to /etc/ssl/cert.pem
  • Various kernel bug fixes and man page updates

The full set of installation images, VM images (QCOW2, VHD, VMDK, raw), OCI container images, and EC2 AMI images are available on the usual download mirrors.

Security Advisory Blitz: Six Advisories at Once

On May 20, the FreeBSD Security Team released six security advisories simultaneously — several of which were discovered through AI-driven vulnerability research.

SA-26:18.setcred — Stack Buffer Overflow (CVE-2026-45250, Critical)

The most severe vulnerability of the week. A sizeof type error in kern_setcred_copyin_supp_groups() (sys/kern/kern_prot.c) causes a kernel stack buffer overflow in the setcred(2) system call. The bug: sizeof(*groups) evaluates to 8 bytes (pointer size) instead of the intended 4 bytes (sizeof(gid_t)). An unprivileged local user can exploit this to escalate to root — even on systems with SMAP/SMEP enabled. The vulnerability was disclosed by Przemyslaw Frasunek under the name “FatGid” and affects FreeBSD 14.3, 14.4, and 15.0.

Fixed in: 14.3-RELEASE-p14, 14.4-RELEASE-p5, 15.0-RELEASE-p9. FreeBSD 13.x and earlier are unaffected (the setcred(2) syscall doesn’t exist there).

SA-26:19.file — Kernel Use-After-Free

A file descriptor system call flaw can lead to a kernel use-after-free condition. Discovered by Calif.io (AI-driven vulnerability discovery).

SA-26:20.fusefs — Heap Overflow in FUSE_LISTXATTR

The kernel processes extended attribute lists from userspace FUSE daemons without verifying proper NUL termination, potentially allowing a malicious FUSE daemon to trigger a heap overflow. Discovered by the AISLE Research Team (autonomous vulnerability discovery).

SA-26:21.ptrace — Missing Validation in ptrace(PT_SC_REMOTE)

Missing input validation allows unprivileged local users to escalate privileges to root. Discovered using GLM-5.1 by Z.ai.

SA-26:22.libcasper — select(2) File Descriptor Set Overflow Causes Stack Overflow

An overflow of the file descriptor set in select(2) within libcasper leads to a stack overflow. Discovered by the AISLE Research Team.

SA-26:23.bsdinstall — Remote Code Execution via Installer Wi-Fi Scans

A specially crafted network name (SSID) can trigger arbitrary command execution via sub-shell during Wi-Fi access point scanning in bsdinstall and bsdconfig. Practically relevant when installing in Wi-Fi environments.

SA-26:24.cap_net — Incorrect Permission List Manipulation

Faulty manipulation of limitation lists in libcap_net can extend a process’s permissions beyond what was intended. Discovered by the AISLE Research Team.

Takeaway: What’s notable is that several of these vulnerabilities were discovered through AI-based tools (Calif.io, GLM-5.1, AISLE Research Team). This marks a turning point in OS security auditing — AI-driven discovery is now producing real, exploitable findings.

FreeBSD 15.1 Beta 3 (May 17)

The third beta of FreeBSD 15.1, released the previous weekend, brought important updates:

  • OpenZFS 2.4.2 was integrated (bug fixes and improvements)
  • Cloud images now run pkg upgrade on first boot to apply security updates
  • Kerberos was updated
  • Scripted bsdinstall installations now use pkgbase
  • The planned KDE desktop installation option was deferred to FreeBSD 15.2, as the script still needs adaptation for new NVIDIA drivers and removal of obsolete components

FreeBSD Foundation ED Daily-Drives FreeBSD on Laptop

Deb Goodkin, Executive Director of the FreeBSD Foundation since 2005, presented at the Open Source Summit North America (OSS 2026) in Minneapolis about her experience daily-driving FreeBSD on a Framework Laptop. Previously, every attempt to run FreeBSD on laptops “felt like a mountain” — time-consuming and ultimately getting stuck. With the KDE desktop, the touchscreen “just worked,” as did peripherals like a wireless mouse. Challenges remained: Zoom required effort to get working, the webcam needed manual steps to enable, and Microsoft Teams only partially worked. An encouraging sign, but also an honest assessment of the remaining gaps in desktop support.

Community and Blog Posts

Per-Jail Package Repository Selection (Ian Wagner)

Ian Wagner published a helpful blog post on configuring different package repositories per jail under FreeBSD. Using AppJail for declarative jail management, the post demonstrates how to switch specific jails to the latest ports branch when newer packages are needed while others remain on quarterly.

FreeBSD Resource Monitoring, Accounting, and Troubleshooting (Larvitz Blog)

A thorough guide on resource monitoring and troubleshooting on FreeBSD systems — from “the server feels slow” to concrete diagnostic tools and techniques.

Ubuntu 16.04 to FreeBSD Migration

A blog that ran on Ubuntu 16.04 for 10 years reported on its migration to FreeBSD, motivated by Ubuntu 16.04’s end-of-life and the promise of long-term stability.

Valuable News — May 18 (vermaden)

The weekly link roundup from vermaden offers its usual comprehensive overview of BSD and UNIX-related articles.

Mailing List Discussions

pkgbase Upgrade from 15.0 to 15.1

Discussions around the pkgbase upgrade path from 15.0-RELEASE to 15.1-BETA2 reveal that the transition to the new default installation method isn’t entirely smooth yet. Issues with kernel modules (kmods) and the pkgbase-quarterly repos were extensively discussed.

Boot-Time Bugs on freebsd-stable

Garrett Wollman reported issues with booting his server fleet, sparking a discussion about boot-time behavior and error handling.

Diskless Systems on 15.1

Daniel Braniss and Bjoern Zeeb discussed problems with diskless setups under FreeBSD 15.1 that can cause hangs during boot.

Looking Ahead

If all goes according to plan, FreeBSD 15.1-RELEASE is expected around June 2, 2026. The KDE desktop installation option has been deferred to FreeBSD 15.2 (expected December 2026). Until then, manual installation via pkg remains the recommended approach for a KDE desktop on FreeBSD.

FreeBSD Weekly Roundup: May 4–11, 2026

Published May 11, 2026

The past week has been one of the most eventful in the FreeBSD project in quite some time: two beta releases, a massive security advisory bundle, eye-catching AI-driven vulnerability discoveries, and a new blog post on the pkgbase upgrade path. Here’s the rundown.

FreeBSD 15.1: Beta 1 and Beta 2 Released

The release cycle for FreeBSD 15.1 is gaining momentum. After Colin Percival announced 15.1-BETA1 on May 2, 15.1-BETA2 followed on May 8 — the weekly cadence is holding.

Changes in Beta 2 (vs. Beta 1)

  • Zstd updated to 1.5.7 — latest upstream compression support
  • less updated to v692
  • bsdinstall now consistently uses pkg.FreeBSD.org for package bootstrap operations
  • nuageinit only parses user_data as YAML when necessary
  • rtadvd(8) now honors pltime and vltime in interface declarations
  • Various userland bug fixes: ifconfig(8), lockf(1), stat(1), tail(1), certctl(8)
  • Kernel bug fixes: nullfs, so_splice, vt(4)
  • Miscellaneous manual page and test fixes

Available Architectures

Images are available for amd64, powerpc64, powerpc64le, armv7, aarch64 (including RPI, PINE64, ROCK64 variants), and riscv64. Additionally, VM disk images (QCOW2, VHD, VMDK, Raw), OCI container images (static, dynamic, runtime, notoolchain, toolchain), and Amazon EC2 AMIs are provided.

Schedule

  • Beta 3 expected next week
  • Release Candidate the week after
  • 15.1-RELEASE on June 2, 2026 — if all goes according to plan

Critical Security Vulnerabilities — 8 Advisories on April 29

On April 29, FreeBSD published a large batch of security advisories that were widely discussed this week:

| Advisory | Module | Description | Severity |
|---|---|---|---|
| SA-26:11 | amd64 | Missing large page handling in pmap_pkru_update_range() | High |
| SA-26:12 | dhclient | Remote code execution via malicious DHCP options (CVE-2026-42511) | Critical |
| SA-26:13 | execve | Local privilege escalation via execve(2) | High |
| SA-26:14 | pf | Stack overflow parsing crafted SCTP packets | High |
| SA-26:15 | dhclient | Remotely triggerable out-of-bounds heap write in dhclient | Critical |
| SA-26:16 | libnv | Stack overflow via select() file descriptor set overflow | High |
| SA-26:17 | libnv | Heap overflow in libnv | High |

Additionally, EN-26:11 was published on May 1: an errata notice correcting overly strict dhclient lease validation behavior — a side effect of the security fixes.

The 21-Year-Old dhclient RCE (CVE-2026-42511)

Particularly notable: the vulnerability in dhclient (SA-26:12) had existed in the code for over 20 years. The BOOTP file field was written to the lease file without escaping embedded double-quotes, enabling injection of arbitrary dhclient.conf directives — and thus remote code execution after a system restart.
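The bug class in this paragraph, a network-supplied string written between quotes into a file that is later parsed as configuration, is shown below with a verbatim writer beside an escaping one. This is an added example, not dhclient's code or the actual fix; the function names, the sample value and the escape syntax (backslash before `"` and `\`, octal for non-printable bytes) are assumptions, and a real writer must emit whatever its own parser accepts.

```c
/* Added illustration of quoting an untrusted field for a lease-style file.
 * Names, sample input and escape syntax are hypothetical, not dhclient's. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verbatim writer: the value lands between the quotes unchanged, so a '"'
 * inside it ends the string early and the rest is parsed as statements. */
int emit_naive(char *out, size_t outsz, const char *key,
    const char *val, size_t vlen)
{
    int n = snprintf(out, outsz, "  %s \"%.*s\";\n", key, (int)vlen, val);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Escaping writer: '"' and '\' get a backslash, bytes outside printable
 * ASCII become \ooo. Takes an explicit length because protocol fields such
 * as the BOOTP file field are fixed-size and need not be NUL-terminated.
 * Returns the number of bytes written, or -1 if out is too small. */
int emit_escaped(char *out, size_t outsz, const char *key,
    const char *val, size_t vlen)
{
    int n = snprintf(out, outsz, "  %s \"", key);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    size_t o = (size_t)n;

    for (size_t i = 0; i < vlen; i++) {
        unsigned char c = (unsigned char)val[i];
        char tmp[5];
        size_t t;

        if (c == '"' || c == '\\') {
            tmp[0] = '\\';
            tmp[1] = (char)c;
            t = 2;
        } else if (c >= 0x20 && c < 0x7f) {
            tmp[0] = (char)c;
            t = 1;
        } else {
            t = (size_t)snprintf(tmp, sizeof(tmp), "\\%03o", c);
        }
        if (o + t + 4 > outsz)      /* keep room for "\";\n" and NUL */
            return -1;
        memcpy(out + o, tmp, t);
        o += t;
    }
    memcpy(out + o, "\";\n", 4);    /* copies the terminating NUL too */
    return (int)(o + 3);
}

/* Audit helper: a single quoted statement has exactly two unescaped quotes. */
int unescaped_quotes(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '\\' && s[1]) {   /* skip the escaped character */
            s++;
            continue;
        }
        if (*s == '"')
            n++;
    }
    return n;
}

/* Constructed sample value containing embedded double quotes. */
static const char SAMPLE[] = "boot.img\"; constructed-directive \"x";

int main(void)
{
    char line[256];

    if (emit_naive(line, sizeof(line), "filename", SAMPLE, strlen(SAMPLE)) > 0)
        printf("naive   (%d quotes): %s", unescaped_quotes(line), line);
    if (emit_escaped(line, sizeof(line), "filename", SAMPLE, strlen(SAMPLE)) > 0)
        printf("escaped (%d quotes): %s", unescaped_quotes(line), line);
    return 0;
}
```

The quote count doubles as a review check: any generated line with more than two unescaped quotes contains text the writer did not intend to be syntax.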

AI-Driven Vulnerability Research: AISLE vs. Anthropic Mythos

On May 7, AISLE published a blog post that made waves: their multi-model system had discovered three critical vulnerabilities in FreeBSD — independently of and in parallel with the findings made by Anthropic’s “Claude Mythos.”

AISLE’s findings:

  1. The 21-year-old dhclient RCE (CVE-2026-42511)
  2. A remotely triggerable heap buffer overflow in dhclient
  3. A stack buffer overflow in ping6 (local privilege escalation)

All three were discovered on April 13, reported on April 14, and patched on April 29.

The debate AISLE’s findings sparked is noteworthy: AI-powered security systems can be very effective even with smaller, cheaper models — a well-designed system beats pure scaling through larger models. AISLE references their research showing that security capability is “jagged”: small models can outperform larger ones at many security-relevant tasks.

FreeBSD Foundation: “Cleaning Up Critical Infrastructure”

On April 20 (still widely discussed this week), the FreeBSD Foundation published a detailed blog post about the Alpha-Omega Beach Cleaning Project. Key points:

  • OpenSSL 3.5 LTS was integrated in time for FreeBSD 15.0 — avoiding an unsupported fork of OpenSSL 3.0 (EOL September 2026) for over four years
  • A machine-readable inventory of the base system was created: over 1,000 components in a YAML-based database, including 73 third-party imports
  • SBOM generation via SPDX 2 and SPDX 3 formats
  • CODEOWNERS-style reports for better maintainership tracking
  • Preparation for importing pkg into the base system as part of the pkgbase transition

Vermaden: PKGBASE Minor Upgrades with ZFS Boot Environments

On May 10, well-known FreeBSD blogger Vermaden published a practical guide for minor upgrades (e.g., 15.0 to 15.1) using PKGBASE and ZFS Boot Environments. Since PKGBASE is still marked as experimental and freebsd-update(8) is no longer available for minor releases, he demonstrates two methods:

  1. Classic method: Create a new ZFS BE, chroot, configure pkg.repo, run pkg upgrade -r FreeBSD-base
  2. Alternative method: Use pkg --chroot and ABI/OSVERSION overrides without manual devfs mounting

Both methods allow a safe rollback via ZFS Boot Environments if the upgrade causes issues.

Q1 2026 Status Report: 45 Entries

The FreeBSD Status Report for the first quarter of 2026 was published on April 23 — with a record 45 entries. Highlights:

  • Cyber Resilience Act (CRA) Readiness Project — preparing for EU regulation
  • amd64 FRED support — new CPU flexibility features
  • LinuxKPI 802.11 and Native Wireless Update — WiFi driver progress
  • Suspend/Resume and Hibernate improvements
  • Sylve — a unified system management platform for FreeBSD
  • daemonless — native FreeBSD OCI containers without a daemon
  • KDE on FreeBSD — Plasma 6 and Wayland progress
  • FreeBSD on EC2 and STACKIT Cloud Integration
  • bhyve: Full CPUID Control, Management GUI

Looking Ahead

With Beta 3 coming next week and the Release Candidate after that, FreeBSD 15.1-RELEASE on June 2 is fast approaching. Anyone running supported versions should urgently apply the April 29 security advisories — especially the critical dhclient RCE. And for those testing pkgbase, Vermaden’s guide provides a solid starting point.

FreeBSD Weekly Roundup: April 20–27, 2026

This week brought two critical security advisories (both discovered with AI-assisted fuzzing), a bumper Q1 status report with 45 entries, and the official start of the 15.1 release cycle. If you’re still on FreeBSD 13.5, the clock is ticking.

Two Security Advisories, One Day

On April 21, the FreeBSD Security Team released two advisories — both credited to Nicholas Carlini using Claude (Anthropic). AI-assisted fuzzing finding two independent kernel bugs is noteworthy and signals a shift in how vulnerability research is done.

SA-26:10.tty — Use-After-Free in TIOCNOTTY Handler (CVE-2026-5398, CVSS 8.4 HIGH)

The TIOCNOTTY ioctl lets a process detach from its controlling terminal. The implementation failed to clear a back-pointer from the terminal structure to the calling process’s session. When the process subsequently exits, the terminal structure retains a dangling pointer to freed memory — which a malicious process can exploit to escalate to root.

All supported FreeBSD versions are affected (13.5, 14.3, 14.4, 15.0). No workaround exists. Patch and reboot.

SA-26:11.amd64 — Missing Large Page Handling in pmap_pkru_update_range() (CVE-2026-6386)

The pmap_pkru_update_range() function updates page table entries when applying Memory Protection Keys (PKRU) to an address range. It didn’t account for 1GB large page mappings created via shm_create_largepage(). Instead of recognizing a page directory entry as a large page, it treated it as a pointer to another page table page.

The result: an unprivileged user can trick the kernel into treating userspace memory as a page table, overwriting memory they shouldn’t have access to. Affects all supported versions on amd64. No workaround.

Takeaway: If you run amd64 systems, patch immediately. Both bugs are locally exploitable, and SA-26:10 leads directly to root. The AI-assisted discovery method is a clear signal: defenders need to adopt these tools as fast as attackers already have.

Q1 2026 Status Report: 45 Entries

The Q1 2026 Status Report landed on April 22 with 45 entries — the first under a newly enforced editorial schedule. Highlights:

Alpha-Omega Beach Cleaning

The FreeBSD Foundation continues its Beach Cleaning project, funded by the Linux Foundation’s Alpha-Omega initiative. The goal: proactively find and fix security vulnerabilities in third-party base system software. The repository includes build infrastructure and fuzzing setups for components like libxml2, SQLite, and other base system dependencies. The connection to this week’s two SAs is obvious — structured fuzzing pays off.

Cyber Resilience Act (CRA) Readiness

The EU’s Cyber Resilience Act is law, and FreeBSD must prepare. The Foundation launched a dedicated CRA Readiness project with monthly updates. Core questions: Which SBOM requirements apply? How is vulnerability management documented? Anyone deploying FreeBSD in EU-compliant products should follow this closely.

Laptop Testing & Integration

The Laptop Integration Testing Project introduced a Python application that automates FreeBSD compatibility testing on laptops. The Foundation is asking the community to submit hardware probes to build a public compatibility matrix. Other laptop progress:

  • S0ix (Modern Standby): Suspend/Resume support for modern laptops
  • Hibernate (Suspend-to-Disk): Under active development
  • CPPC: AMD CPPC support for Zen 2+ processors (out-of-tree module available)
  • Intel FRED: Konstantin Belousov (kib) submitted initial patches for Intel’s Flexible Return and Event Delivery — CPUID, MSR, and CR4 bits are in main, full FRED support is under review

Sylve v0.2.3

The management tool Sylve reached v0.2.3 with enhanced jail and VM support. A lightweight GUI for Bhyve, Jails, ZFS, and networking — an interesting alternative to web-based tools like TrueNAS.

HPC Initiative

FreeBSD is getting ports for Slurm, OpenMPI, and UCX — high-performance computing is landing on the platform. Niche, but strategically important.

Cloud

FreeBSD on EC2 with updated AMIs, plus a new STACKIT Cloud integration (a European cloud provider in the IAD group).

Ports Updates

  • KDE Plasma 6.6.3
  • OpenJDK 21/25
  • Wazuh 4.14.3 (Security Monitoring)

FreeBSD 15.1: Code Slush Reached

The 15.1 release cycle hit Code Slush on April 17 — commits to the stable/15 branch no longer require explicit approval, but new features should be avoided. The remaining schedule:

| Milestone | Date |
|---|---|
| releng/15.1 branch | May 1, 2026 |
| BETA1 | May 1, 2026 |
| BETA2 | May 8, 2026 |
| BETA3 | May 15, 2026 |
| RC1 | May 22, 2026 |
| RELEASE | June 2, 2026 |

FreeBSD 15.0 reaches end-of-life on September 30, 2026. Stable/15 will be supported through December 2029.

FreeBSD 13.5: EOL on April 30

Anyone still running FreeBSD 13.5 has less than a week to upgrade. Support ends April 30 — no more security patches after that. The Release Engineering Team has already stopped weekly snapshot builds for stable/13.

Migration to 14.4 or 15.0 is now urgent. Especially given SA-26:10 and SA-26:11, running an EOL version would be negligent.

ZFS: Snapshot Automount Deadlock Fixed

Hamza (ixhamza) contributed two significant ZFS fixes:

  1. Snapshot automount deadlock during concurrent zfs recv — When a snapshot is automounted while zfs recv is running, the system could deadlock. The fix reorganizes the locking order.
  2. AVL tree panic from snapshot automount race — A race condition during parallel snapshot mounts could trigger an AVL tree panic. Solved by switching to AVL lookup instead of linear scan.

Additionally, a memory leak in zfsctl_snapshot_mount was fixed — the options structure wasn’t being properly freed.

For anyone running zfs recv in production (and you should be if you do replication), these fixes matter. The deadlock was hitting real users, as open issue #18073 confirms.

BastilleBSD Hiring Plans

BastilleBSD announced plans to hire a part-time FreeBSD/Bastille sysadmin (~20 hrs/week), targeting EMEA/APAC time zones. The role involves working with Bastille’s creator on a cybersecurity startup, with an expected start in mid-to-late 2026. A sign that the FreeBSD jail management ecosystem is professionalizing.

TopBar: Wayland Desktop Environment

TopBar was featured on DiscoverBSD — a customizable desktop environment built with Quickshell and QML for Wayland compositors like MangoWM and Hyprland. It integrates a status bar, app launcher, lock screen, and wallpaper manager into a single cohesive system. For FreeBSD laptop users exploring Wayland, this is worth watching.

ZFS Performance Without New Hardware

A DiscoverBSD article rounded up ZFS performance tips that don’t require hardware investment:

  • Tune recordsize to workload (16K for databases, 1M–4M for storage)
  • Enable LZ4 compression — often reduces I/O overhead rather than increasing it
  • Pool topology: Replace wide RAIDz configs with mirrored VDEVs for more parallelism
  • Disable prefetch for random-access workloads (databases)

Nothing new for ZFS veterans, but a solid reference for newcomers.

What This Week Means

Two critical SAs in one week, both discovered via AI-assisted fuzzing — that’s a wake-up call. The tools are getting better, and attackers will use them too. The Q1 status report shows a healthy project: laptop support is growing, HPC is arriving, CRA preparation is professional. And with the code slush for 15.1, the next release is approaching.

If you’re on 13.5: upgrade now. If you’re on 15.0 or 14.4: patch now. Anything else is negligent.

FreeBSD Weekly Review – April 14–20, 2026

A summary of the most important developments, security advisories, and discussions in the FreeBSD ecosystem over the past week.

Release Engineering: 15.1 Approaches Code Slush

On April 17, the stable/15 code slush began in preparation for FreeBSD 15.1. The full schedule, published by Release Engineering Lead Colin Percival back in January, looks like this:

Milestone | Date
Ports Quarterly Branch | April 1, 2026
stable/15 Slush | April 17, 2026
doc/ Tree Slush | April 24, 2026
releng/15.1 Branch | May 1, 2026
BETA1 | May 1, 2026
BETA2 | May 8, 2026
BETA3 | May 15, 2026
RC1 | May 22, 2026
RELEASE Build | May 29, 2026
RELEASE Announcement | June 2, 2026

Percival noted in January that 15.1 might be “a relatively bumpy minor release” given the experience with 15.0, particularly due to additional pkgbase changes. Meanwhile, stable/13 reaches its End-of-Life at the end of April — weekly snapshot builds for that branch will cease.

Security: SA-26:08 — Critical Stack Overflow in rpcsec_gss

Perhaps the most notable security development of recent weeks is FreeBSD Security Advisory SA-26:08, which describes a stack overflow in svc_rpc_gss_validate(). The vulnerability allows remote code execution and affects all supported FreeBSD versions. Patches are available for 15.0-RELEASE-p5 and the 14.x series.

What makes this advisory remarkable: the vulnerability was discovered and exploited by Nicholas Carlini using Claude AI (Anthropic) — an early example of AI-assisted security research uncovering real kernel vulnerabilities. The fix commit by Mark Johnston (143293c) addresses the buffer overflow in the GSS validation routine.

Q1 2026 Status Reports Published

The FreeBSD status reports for the first quarter of 2026 are now online. The Release Engineering Team update documents the successful 14.4-RELEASE publication in March and the ongoing planning for 15.1.

Laptop Project: Community Testing Call

The FreeBSD Foundation published a Call for Testing for the Laptop Integration Testing Project on April 6. Following the Year-One Update in February, the team has been building testing infrastructure since January. Community members can now test their laptops:

pkg install python hw-probe
git clone https://github.com/FreeBSDFoundation/freebsd-laptop-testing
cd freebsd-laptop-testing
make

The testing tool automatically probes laptop hardware and creates anonymized reports that can be submitted via Pull Request. Results feed into a public compatibility matrix at freebsdfoundation.github.io/freebsd-laptop-testing.

OpenZFS: Native relatime Property

On April 1, OpenZFS gained a native relatime property (commit 1685849 by @amotin). Relatime (relative atime) only updates a file’s access time when it is older than its modification or status change time, significantly reducing unnecessary write operations — especially beneficial for SSDs and caches. Previously only configurable via mount options, relatime can now be set natively per dataset.

Ports: GNU ld Checks Removed

Brooks Davis committed a tree-wide cleanup (d87609e) on April 13, removing all checks for whether the base linker is GNU ld. Since FreeBSD adopted lld (the LLVM linker) as default, these checks have been obsolete. The commit affects Makefiles across the entire ports tree.

Mailing Lists

IPv6-Only RA: Proposal to Adopt RFC 8925

Pouria Mousavizadeh Tehrani proposed on freebsd-current to remove the experimental implementation of the IETF draft DRAFT_IETF_6MAN_IPV6ONLY_FLAG and adopt RFC 8925 (IPv6-Only preference via DHCP option) instead. The backstory is interesting: Bjoern Zeeb originally proposed marking networks as IPv6-only via an RA flag. The draft was abandoned because RAs can be trivially forged — an attacker could maliciously disable IPv4 networks. Google later submitted the same idea as a DHCP option, which became RFC 8925. Pouria is seeking feedback on removing the draft-specific code paths from the kernel and userland.

Kqueue Panic: knlist Assertions Added

A kernel panic — “knote was already on knlist” — was reported on freebsd-current after build main-n284826. Kyle Evans (kevans91) responded by adding assertions in knlist_add() and knlist_remove_kq() (commit 306c904) to catch such error states earlier and more reliably. The related bug report (Bug 293382) describes deadlocks and crashes around closefp_impl, suggesting the issue involves file descriptor closure and kqueue registration interaction.

FreeBSD Weekly Roundup: April 6–13, 2026

Week 15 brings movement across several fronts: the 15.1 schedule is official, the Laptop Project calls for community testing, OpenZFS finally gets a native relatime property, and freebsd-current debates IPv6-only RA flags and a knote panic.

FreeBSD 15.1: Schedule Published, Code Slush on April 17

On April 3, the Release Engineers sent out the official schedule reminder for FreeBSD 15.1. Key dates:

Milestone | Planned
Code slush begins | April 17, 2026
releng/15.1 branch | May 1
BETA1 | May 1
RC1 | May 22
RELEASE | June 2

Code slush starts this week: from April 17 onward, no new features should be committed to the stable/15 branch. Commits are still permitted, but the focus shifts to stability and bug fixes.

The release notes page already exists and lists planned improvements: KDE Plasma 6 desktop installer option, improved Realtek WiFi support (RTW88/RTW89), updated graphics drivers from Linux, and expanded power management features.

What this means: If you have changes you want in 15.1, the window is closing fast. After Friday, it’s beta season.

Laptop Integration Testing Project: Community Call to Action

The FreeBSD Foundation has launched a new community testing program: the Laptop Integration Testing Project. LWN reported on it April 6.

The idea: the Foundation has limited access to test hardware and wants community involvement. Volunteers can test FreeBSD on their laptops and submit results via a GitHub repository — without worrying about environment setup, formatting, or repo-specific details.

Particularly valuable: not just automated hardware enumeration, but also manual commentary about personal experience running FreeBSD on a given device. Results will be displayed in a public compatibility matrix.

What this means: Finally, a structured way to document laptop compatibility. If you run FreeBSD on a laptop, visit the repository and submit your results — every entry counts.

Repository: github.com/FreeBSDFoundation/freebsd-laptop-testing

OpenZFS: Native relatime Property for FreeBSD

Alexander Motin (amotin) merged a long-awaited commit into OpenZFS on April 1: relatime as a native ZFS property on FreeBSD.

Previously, FreeBSD users who wanted relatime (relative access-time updates — atime is only written if it’s older than mtime/ctime or older than 24 hours) had to rely on mount-option workarounds. With this commit, relatime becomes a proper ZFS dataset property, settable via zfs set relatime=on pool/dataset.

The implementation follows the Linux kernel logic: atime is updated only if at least one condition is met:

  • atime < mtime
  • atime < ctime
  • atime older than 24 hours

What this means: Fewer unnecessary ZFS writes on read access, especially on SSDs and laptops. If you need atime=on (e.g., for Maildir or backup tools), you can now set relatime=on and get the best of both worlds.

Mailing Lists: IPv6-only RA Flag Should Go

Pouria Mousavizadeh Tehrani proposed on freebsd-current (April 2) the removal of the IPv6-only RA draft implementation in favor of RFC 8925 (DHCP-based approach).

Background: Bjoern Zeeb had submitted an IPv6-only flag implementation as an IETF draft, also present in the FreeBSD kernel and userland (not compiled by default, behind DRAFT_IETF_6MAN_IPV6ONLY_FLAG). The draft was abandoned by the IETF because RA flags are trivially forgeable and could be used to maliciously disable IPv4 networks. RFC 8925 uses a DHCP option instead, which is better protected by DHCP snooping in practice.

Pouria is asking for consensus to remove the draft-specific code paths and migrate to RFC 8925. Bjoern is cc’d, and the discussion is ongoing.

What this means: If you’re using the experimental IPv6-only RA flag, plan to migrate to RFC 8925. The code cleanup is a good step — fewer dead paths in the kernel.
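The RFC 8925 signal discussed above travels as DHCPv4 option 108 carrying a 4-byte wait time in seconds. The following is an added example, not FreeBSD code: a bounds-checked parser that pulls that option out of an options field. The function names, the sample byte strings (constructed, not captured traffic) and the policy of ignoring an unrequested or wrong-sized option are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DHO_PAD                 0
#define DHO_IPV6_ONLY_PREFERRED 108   /* RFC 8925 option code */
#define DHO_END                 255
#define MIN_V6ONLY_WAIT         300u  /* RFC 8925 lower bound, in seconds */

enum { V6ONLY_MALFORMED = -1, V6ONLY_ABSENT = 0, V6ONLY_PRESENT = 1 };

/*
 * opts/len:  DHCPv4 options field (the bytes after the magic cookie).
 * requested: nonzero if this client listed option 108 in its Parameter
 *            Request List; an unsolicited option is ignored (policy
 *            assumed for this sketch).
 * wait_out:  receives the wait time, raised to MIN_V6ONLY_WAIT if lower.
 * Option overload (option 52) is not handled here.
 */
int parse_v6only_wait(const uint8_t *opts, size_t len, int requested,
                      uint32_t *wait_out)
{
    size_t i = 0;
    int found = V6ONLY_ABSENT;

    while (i < len) {
        uint8_t code = opts[i++];

        if (code == DHO_PAD)
            continue;                /* single-byte option, no length */
        if (code == DHO_END)
            break;
        if (i >= len)
            return V6ONLY_MALFORMED; /* option code without a length byte */

        uint8_t olen = opts[i++];
        if (olen > len - i)
            return V6ONLY_MALFORMED; /* value would run past the buffer */

        /* Accept only the first well-formed instance of option 108. */
        if (code == DHO_IPV6_ONLY_PREFERRED && requested &&
            olen == 4 && found == V6ONLY_ABSENT) {
            uint32_t v = ((uint32_t)opts[i] << 24) |
                         ((uint32_t)opts[i + 1] << 16) |
                         ((uint32_t)opts[i + 2] << 8) |
                          (uint32_t)opts[i + 3];
            *wait_out = v < MIN_V6ONLY_WAIT ? MIN_V6ONLY_WAIT : v;
            found = V6ONLY_PRESENT;
        }
        i += olen;
    }
    return found;
}

/* Constructed sample option fields for illustration. */
static const uint8_t SAMPLE_OK[]         = { 53, 1, 2, 108, 4, 0, 0, 0x07, 0x08, 255 };
static const uint8_t SAMPLE_SHORT_WAIT[] = { 0, 0, 108, 4, 0, 0, 0, 10, 255 };
static const uint8_t SAMPLE_BAD_LEN[]    = { 108, 2, 0, 1, 255 };
static const uint8_t SAMPLE_TRUNCATED[]  = { 53, 1, 5, 108, 4, 0, 0 };

/* Returns the wait time in seconds when present, otherwise the status code. */
long v6only_wait_or_status(const uint8_t *opts, size_t len, int requested)
{
    uint32_t wait = 0;
    int rc = parse_v6only_wait(opts, len, requested, &wait);
    return rc == V6ONLY_PRESENT ? (long)wait : (long)rc;
}

int main(void)
{
    printf("ok:         %ld\n", v6only_wait_or_status(SAMPLE_OK, sizeof SAMPLE_OK, 1));
    printf("short wait: %ld\n", v6only_wait_or_status(SAMPLE_SHORT_WAIT, sizeof SAMPLE_SHORT_WAIT, 1));
    printf("bad length: %ld\n", v6only_wait_or_status(SAMPLE_BAD_LEN, sizeof SAMPLE_BAD_LEN, 1));
    printf("truncated:  %ld\n", v6only_wait_or_status(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 1));
    printf("unrequested: %ld\n", v6only_wait_or_status(SAMPLE_OK, sizeof SAMPLE_OK, 0));
    return 0;
}
```
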

Mailing Lists: knote Panic and etcupdate Slowdown

Two active issues on freebsd-current:

knote Panic: After commit d9d7b5948649 (main-n284826), some users experience a panic: "knote ... was already on knlist...". Konstantin Belousov and Kyle Evans are working on diagnosis. The bug (Bugzilla #293382) involves closefp_impl and can cause deadlocks and kernel crashes. Affected: -CURRENT users after April 2.

etcupdate twice as slow: Bob Prohaska reports that etcupdate on armv7 (Raspberry Pi 2) now takes twice as long as before. Discussion with Dimitry Andric and Mark Millard suggests the root cause lies in the pkgbase transition and changed file structure — etcupdate must process more files.

What this means: -CURRENT users should watch for the knote bug fix. On armv7 systems, consider evaluating mergemaster as an alternative until the issue is resolved.

Ports: Chromium 146 and Security Updates

The Ports Collection received several updates this week:

  • Chromium 146.0.7680.177 (April 1, René Nagy) — current major release
  • Previously: Chromium 146.0.7680.164 with VuXML entry for vulnerabilities in versions < 146.0.7680.164
  • March 30: Revert of an upstream commit that broke file dialog behavior on FreeBSD

The continuous Chromium updates show active port maintainership — but also that upstream commits regularly cause FreeBSD-specific regressions.

New Committer: Kenneth Raplee

On April 4, Kenneth Raplee (kenrap@FreeBSD.org) was announced as a new ports committer. Welcome to the project!

Looking Ahead

  • April 17: Code slush for 15.1 begins — last chance for feature commits
  • The knote panic in -CURRENT needs a fix
  • The IPv6-only RA discussion may lead to a commit
  • The Laptop Testing Project hopes for first community results

FreeBSD Changes and Updates – Week of April 4, 2026

Executive Summary

FreeBSD 14.4-RELEASE, announced on March 10, 2026, represents a significant milestone in the stable/14 branch with substantial improvements in security, virtualization, and cloud integration. This comprehensive overview covers the latest developments, security advisories, and technical enhancements in the FreeBSD ecosystem.

FreeBSD 14.4-RELEASE: Major Features

OpenSSH 10.0p2 with Post-Quantum Cryptography

The most notable security enhancement in FreeBSD 14.4 is the upgrade to OpenSSH 10.0p2, which introduces:

Hybrid Post-Quantum Algorithm: Default use of mlkem768x25519-sha256, combining traditional elliptic curve cryptography with post-quantum Kyber-based algorithms
Enhanced Key Exchange: Protection against future quantum computing threats while maintaining compatibility with existing infrastructure
Improved Authentication: Stronger security posture for SSH connections in enterprise environments

OpenZFS 2.2.9 Storage Enhancements

The OpenZFS filesystem receives significant updates:

Performance Improvements: Optimized ARC implementation and reduced memory overhead
Metadata Handling: Faster directory operations and improved metadata caching
Compression Enhancements: Better zstd compression ratios and performance
Snapshot Management: More efficient incremental send/receive operations

bhyve Virtualization: p9fs Integration

A groundbreaking feature for virtualization environments:

9P Filesystem Support: Native implementation of the 9P2000 protocol (p9fs) enables direct filesystem sharing between bhyve hosts and guests
Usage Examples:

# Mount p9fs share in guest
mount -t p9fs sharename /mnt

# Use as root filesystem (advanced): add to /boot/loader.conf
vfs.root.mountfrom="p9fs:sharename"

Benefits: Simplified file sharing, reduced overhead compared to NFS/SMB, and improved security through protocol isolation

Cloud Integration: nuageinit Improvements

Enhanced cloud-init compatibility addresses enterprise deployment needs:

Better Metadata Handling: Improved parsing of cloud provider metadata formats
Network Configuration: More reliable network interface configuration in cloud environments
User Data Processing: Enhanced support for cloud-init user-data scripts and configurations

Security Enhancements

Encrypted Swap Support: Native encryption of swap space using geli(8) encryption system
Jail Security: Improved isolation and resource controls for FreeBSD jails
MAC Framework: Enhanced Mandatory Access Control policies and utilities

Recent Security Advisories

FreeBSD-SA-26:09.pf (March 26, 2026)

Severity: High
Affected Versions: FreeBSD 14.x, 15.0
CVE: CVE-2026-4652

Issue: The pf firewall silently ignores certain rule configurations, potentially allowing unintended network access

Resolution:

  • Patches available for all supported branches
  • Immediate upgrade recommended via:
freebsd-update fetch
freebsd-update install
# Or using packages
pkg upgrade

Workaround: Temporarily rewrite affected rules using tables or labels instead of direct interface specifications

FreeBSD-SA-26:07.nvmf (March 25, 2026)

Severity: Medium
Affected Versions: FreeBSD 15.0

Issue: Security vulnerability in NVMe over Fabrics subsystem implementation

Patches Released:

  • stable/15 branch: March 25, 2026 01:29 UTC
  • releng/15.0 branch: March 26, 2026 01:11 UTC

Ports and Packages Updates

pkgsrc-2026Q1 Branch (March 27, 2026)

The new quarterly branch brings:

Software Updates: Latest versions of popular applications and libraries
Security Fixes: Patches for vulnerable packages in the ports collection
Dependency Resolution: Improved handling of complex dependency chains

Notable Package Upgrades

  • OpenSSL 3.5: Multiple security fixes and performance improvements
  • PostgreSQL 17: Enhanced query optimization and replication features
  • Python 3.12: New language features and runtime optimizations
  • pkg 2.6.2_1: Improved package management with better dependency resolution

Development and Community News

Google Summer of Code 2026

FreeBSD has been selected for Google Summer of Code 2026, with focus areas including:

Kernel Development: Performance optimization and new driver support
Tooling Improvements: Enhanced developer tools and debugging utilities
Documentation: Comprehensive documentation updates and translations

Release Engineering Changes

The FreeBSD project has adopted a new release strategy:

Quarterly Releases: Every 3 months for regular feature updates
Biennial Releases: Every 2 years for long-term support versions
Benefits: More predictable release cycles, better security maintenance, and improved stability

System Administration Guidance

Upgrade Recommendations

For systems running FreeBSD 14.x:

# Standard upgrade process
freebsd-update fetch
freebsd-update install

# Rebuild third-party packages if necessary
pkg upgrade

Security Best Practices

  1. Regular Updates: Schedule weekly security update checks
  2. Firewall Review: Audit pf rulesets for potential issues
  3. Monitoring: Implement comprehensive system monitoring
  4. Backup Strategy: Ensure regular ZFS snapshots and offsite backups

Performance Monitoring Commands

# ZFS performance
zpool iostat -v 1
zfs get all poolname

# Network monitoring  
pfctl -s info
pfctl -s rules

# System health
vmstat 1
iostat 1

Support Timeline

FreeBSD 14.4-RELEASE: Supported until December 31, 2026
FreeBSD 13.x: Entering end-of-life phase, migration to 14.x recommended
FreeBSD 15.0: Current development branch, production use with caution

International Security Notices

BSI (Germany): Multiple advisories regarding FreeBSD vulnerabilities
Canadian Centre for Cyber Security: AV26-179 advisory for critical fixes
DFN-CERT: DFN-CERT-2026-0689 covering local privilege escalation issues

Resources and References

  • Official Security Advisories: https://www.freebsd.org/security/advisories/
  • Release Notes: https://www.freebsd.org/releases/14.4R/relnotes/
  • Mailing Lists: https://lists.freebsd.org/
  • Community Support: https://forums.freebsd.org/
  • Documentation: https://docs.freebsd.org/en/books/handbook/

Upcoming Events

  • FreeBSD Developer Summit: April 15-16, 2026 (Virtual)
  • Google Summer of Code: Coding period begins May 1, 2026
  • Next Quarterly Release: FreeBSD 14.5 expected June 2026

In‑Depth Comparison of the BSD Family: FreeBSD, OpenBSD, NetBSD, and DragonFlyBSD

Table of Contents

  1. Introduction and History
  2. Philosophy, Development Model and Licensing
  3. Typical Use Cases – Where Each BSD Excels
  4. Kernel Architecture in Detail
  5. Derivatives, Specialty Distributions and Ecosystem
  6. Pros and Cons Tables – Quick Comparison
  7. Decision Guide – Which BSD Fits Your Project?
  8. Future Roadmaps and Development Plans
  9. References, Further Reading and Community Links

Introduction and History

The BSD family originates from the Berkeley Software Distribution released by the University of California, Berkeley, in 1977. The early releases (1.0 – 4.3BSD) introduced the now‑ubiquitous TCP/IP stack, a pivotal innovation that turned BSD into the backbone of the modern Internet.

During the early 1990s the project split into several independent branches, each pursuing a distinct vision:

  • FreeBSD (founded 1993) focused on performance, stability and a massive Ports collection for third‑party software.
  • OpenBSD (branched off 1995) adopted a strict security‑first policy, aiming to be the most secure UNIX‑like OS.
  • NetBSD (1993) embraced portability, coining the slogan “runs on anything” – it now supports more than 50 CPU architectures.
  • DragonFlyBSD (2003) forked from FreeBSD 4.8 to address concerns about development speed and SMP scalability, culminating in a modern kernel and the HAMMER2 filesystem.

These divergent histories still shape the design decisions, community culture, and target workloads of each system today.

Philosophy, Development Model and Licensing

Project | Primary Goal | Development Model | License
FreeBSD | High‑performance server & desktop platform | Central core team, Commit‑Access managed by a small Core Team; Ports tree maintained by a large pool of volunteers. | BSD 2‑Clause + CDDL for ZFS (exception for the ZFS implementation)
OpenBSD | Maximal security and code correctness | Very conservative, small team; each change undergoes extensive code audit before being committed. | BSD 2‑Clause (pure, no additional encumbrances)
NetBSD | Portability, clean code, support for exotic hardware | Decentralised, Git‑based repository; pkgsrc is a separate, cross‑platform package collection. | BSD 2‑Clause
DragonFlyBSD | Scalable SMP performance, modern filesystems | Small, focused core team; rapid six‑to‑eight‑week release cycles. | BSD 2‑Clause

Licensing matters for enterprises. FreeBSD’s inclusion of the CDDL ZFS code can raise compliance questions, whereas OpenBSD, NetBSD and DragonFlyBSD remain under a single, permissive BSD licence.

Typical Use Cases – Where Each BSD Excels

Use case | FreeBSD | OpenBSD | NetBSD | DragonFlyBSD
Web & DB servers | ★★★★★ – ZFS + Jails, highly tuned TCP stack (Fast Open, RACK) – used by Netflix, GitHub, Yahoo! | ★★★☆☆ – security‑first front‑ends, but fewer performance‑tuned features. | ★★☆☆☆ – rarely used as a primary web server; shines on embedded gateways. | ★★★★☆ – HAMMER2’s dedup & snapshots make it attractive for storage‑heavy workloads.
Firewalls / Routers | ★★★★☆ – pf (ported), ipfw, pfSense/OPNsense are FreeBSD‑based appliances. | ★★★★★ – pf originated here; excellent defaults, minimal footprint for pure firewall use. | ★★☆☆☆ – supports pf via ports, but lacks a native UI. | ★★☆☆☆ – no dedicated firewall framework.
Embedded / IoT | ★★☆☆☆ – ARM support exists, but larger footprint limits usage. | ★★★☆☆ – small, secure, but driver set lagging. | ★★★★★ – runs on ARM, MIPS, PowerPC, SPARC, RISC‑V; clean‑room builds ideal for deterministic firmware. | ★★☆☆☆ – focus remains server‑oriented.
Desktop / Workstation | ★★★★☆ – GhostBSD, MidnightBSD provide ready‑made GNOME/KDE environments. | ★★☆☆☆ – no official desktop flavour, though X11 is available. | ★★★☆☆ – NomadBSD (live USB) offers a minimal desktop. | ★★★★☆ – desktop installer exists but the project’s emphasis stays on server use.
NAS / Storage Appliances | ★★★★★ – ZFS native, TrueNAS CORE is built on FreeBSD. | ★★★☆☆ – ZFS ports exist but not a primary feature. | ★★★☆☆ – FFS with WAPBL, optional ZFS ports. | ★★★★★ – HAMMER2 provides copy‑on‑write, snapshots and dedup, suitable for backup servers.

Kernel Architecture in Detail

Filesystems and Storage

  1. FreeBSD – ZFS
     • Copy‑on‑Write, end‑to‑end checksumming, compression, deduplication, and native encryption. ZFS pools (zpool) allow mixing devices of different sizes and types. Integrated since FreeBSD 9.0, ZFS can be a root filesystem. The CDDL license of ZFS is the only non‑BSD component.
  2. OpenBSD – FFS + Soft‑crypto
     • Traditional Fast File System (UFS). No native ZFS; experimental ports exist. Encryption is handled via soft‑crypto (GELI) which provides block‑device level encryption.
  3. NetBSD – FFS + WAPBL
     • Uses WAPBL (Write‑Ahead Physical Logging) for low‑overhead journaling of metadata, striking a balance between performance and crash‑consistency.
  4. DragonFlyBSD – HAMMER2
     • Modern copy‑on‑write filesystem with snapshots, deduplication, and cluster‑level mirroring. Optimised for many‑core systems and large storage pools. Tooling is less mature than ZFS, but performance on multi‑core machines is excellent.

Network Stack and Security Features

  • FreeBSD: Highly tuned TCP stack (Fast Open, RACK, NewReno), ipfw as classic firewall, and pf (ported from OpenBSD) for modern packet filtering. BPF (Berkeley Packet Filter) provides fast packet capture for IDS/IPS.
  • OpenBSD: pf is the flagship firewall; the project emphasizes secure‑by‑default sysctl defaults, mandatory access controls, and frequent security audits. Integrated tools include OpenSSH, LibreSSL, OpenBGPD, and OpenNTPD.
  • NetBSD: Supports ipfilter, ipfw, and also pf via ports. The networking code is highly portable, making it ideal for edge routers on obscure architectures.
  • DragonFlyBSD: Includes pf and ipfw. The network stack is clean and well‑documented, though not as feature‑rich as FreeBSD’s implementation.

Virtualization, Containers and Isolation

System | Container Technology | Hypervisor | Notable Features
FreeBSD | Jails – OS‑level containers with separate IP stacks, filesystem views, and resource limits (rctl). | bhyve – modern hypervisor supporting virtio, UEFI, and KVM acceleration. | runjail adds Docker‑compatible runtime, vmm module for hardware acceleration.
OpenBSD | None (no jail‑like facility). | vmm – lightweight hypervisor with KVM compatibility. | Security‑first design, minimal attack surface.
NetBSD | None (no built‑in container system). | Xen, bhyve, hyper‑v support via kernel modules. | Broad hardware support, but tooling is fragmented.
DragonFlyBSD | Vkernel – lightweight kernel instance for isolation, roughly comparable to a micro‑VM. | | Vkernel enables fast, low‑overhead sandboxing, ideal for micro‑services.

Combining FreeBSD Jails with OpenBSD pf yields a powerful model: Jails give process isolation, while pf provides fine‑grained packet filtering and NAT.

Derivatives, Specialty Distributions and Ecosystem

Derivative | Base BSD | Target Audience | Key Characteristics
GhostBSD | FreeBSD | Desktop users (GNOME/KDE) | One‑click installer, optional ZFS root, encrypted home directories.
MidnightBSD | FreeBSD | Desktop & entry‑level server | midnightbsd-install, graphical installer, own pkgsrc‑based package manager.
TrueNAS CORE | FreeBSD | NAS appliance | Full ZFS management UI, VM support, replication, commercial support available.
pfSense | FreeBSD | Firewall / Router | Rich plugin ecosystem (OpenVPN, IPSec, Captive Portal), web UI, optional commercial support.
OPNsense | FreeBSD | Modern firewall | Angular‑based UI, IDS/IPS via Suricata, Let’s Encrypt integration, frequent security releases.
NomadBSD | NetBSD | Live USB + persistence | Minimal live system, easy to write changes back to flash, small image size.
OpenBSD‑based tools | OpenBSD | Security utilities | OpenSSH, OpenBGPD, OpenNTPD, LibreSSL – widely embedded in other distributions.
DragonFlyBSD‑Bob | DragonFlyBSD | Server scaling | Minimalist image focused on HAMMER2 performance, low overhead.

These derivatives allow teams to pick a pre‑packaged solution that matches their use case without building the entire OS from scratch.

Pros and Cons Tables – Quick Comparison

FreeBSD

Pros | Cons
Massive Ports collection (≈30 k packages) | Larger footprint – less suitable for very constrained embedded devices
Native ZFS support (snapshots, dedup, encryption) | License complexity (BSD + CDDL) can raise compliance concerns
Jails – lightweight OS‑level containers with resource limits | Jails lack some features of Docker (e.g., overlay filesystem)
High‑performance network stack, pf and ipfw available | Some newer networking features lag behind Linux implementations

OpenBSD

Pros | Cons
Highest security focus (code audits, secure‑by‑default) | Limited driver support, especially for newer hardware
pf firewall engine – reference implementation | No native ZFS (only experimental ports)
Small, coherent code base – easy to audit | Smaller ports tree, fewer third‑party packages
Integrated security tools (OpenSSH, LibreSSL, OpenBGPD) | Security‑first approach can limit raw performance optimisations

NetBSD

Pros | Cons
Runs on >50 architectures – perfect for embedded & research | Smaller community, fewer commercial services
WAPBL offers low‑overhead journaling | No native ZFS (only ports)
Clean, modular kernel – easy to patch and extend | Lack of built‑in server‑centric features (no Jails, pf not default)
 | Documentation sometimes sparse for newcomers

DragonFlyBSD

Pros | Cons
HAMMER2 – modern COW filesystem with dedup and snapshots | Smaller community, limited commercial backing
Vkernel – lightweight isolation ideal for micro‑VMs | HAMMER2 tooling less mature than ZFS
Strong SMP scaling – excellent on many‑core servers |
Rapid release cycle, active development |

Decision Guide – Which BSD Fits Your Project?

Requirement | Recommended BSD | Rationale
Maximum security (firewall, crypto, audits) | OpenBSD | pf originated here, LibreSSL, OpenSSH hardening, secure‑by‑default defaults.
Enterprise storage (ZFS, snapshots, replication) | FreeBSD (or TrueNAS CORE) | Native ZFS, mature management tools, large community.
Broad hardware support (IoT, ARM, MIPS, SPARC, RISC‑V) | NetBSD | Supports >50 architectures, clean‑room builds, deterministic firmware.
Scalable SMP servers (many cores, dedup) | DragonFlyBSD | HAMMER2 dedup, Vkernel, excellent multi‑core performance.
Desktop experience (GNOME/KDE, plug‑and‑play) | GhostBSD (FreeBSD) or MidnightBSD | Ready‑made installers, pre‑configured desktop environments.
Firewall appliance | pfSense / OPNsense (FreeBSD‑based) | Web UI, extensive plugin ecosystem, commercial support available.
NAS / storage appliance | TrueNAS CORE (FreeBSD) | Full ZFS UI, VM support, replication, enterprise features.
Research / development | NetBSD | Portability, pkgsrc works across many platforms.

When making a decision, also weigh community activity, package availability (Ports vs. pkg vs. pkgsrc), licensing constraints, and support options (mailing lists, issue trackers, commercial vendors).

Future Roadmaps and Development Plans

  • FreeBSD 15.x – Continued ZFS evolution (ZFS 2.2 with improved scrubbing and compression), GPU pass‑through for bhyve, tighter Kubernetes integration via csi‑freebsd.
  • OpenBSD 7.9 – pf engine enhancements, introduction of Trusted Execution Environments (TEE), expanded hardware root‑of‑trust mechanisms.
  • NetBSD 10 – Strong focus on RISC‑V support (new toolchains, device‑tree), pkgsrc extensions for container orchestration, modernised network‑stack libraries.
  • DragonFlyBSD 6 – Final stabilisation of HAMMER2, new Vkernel features (namespace isolation, cgroup‑like limits), optional ZFS ports for hybrid setups.
  • Derivatives: TrueNAS SCALE (Debian‑based) challenges the FreeBSD‑based CORE, while pfSense 2.8 adds eBPF support for advanced packet processing pipelines.

References, Further Reading and Community Links

  • FreeBSD Project – Official Documentation: https://www.freebsd.org/docs/
  • OpenBSD Project – Goals & Security: https://www.openbsd.org/faq/faq4.html
  • NetBSD Project – Platform Overview: https://www.netbsd.org/ports/
  • DragonFlyBSD – HAMMER2 Documentation: https://www.dragonflybsd.org/docs/hammer2/
  • pfSense – Documentation & Release Notes: https://docs.pfsense.org/
  • OPNsense – Features & Roadmap: https://opnsense.org/
  • TrueNAS – ZFS Management: https://www.truenas.com/
  • GhostBSD – Desktop Project: https://ghostbsd.org/
  • MidnightBSD – Release Notes: https://midnightbsd.org/
  • NomadBSD – Live‑USB System: https://nomadbsd.org/
  • NetBSD – WAPBL & FFS: https://netbsd.org/docs/technical/
  • OpenBSD – pf Manual Page: https://man.openbsd.org/pf.conf
  • FreeBSD – Jails Handbook: https://docs.freebsd.org/en/books/handbook/jails/
  • DragonFlyBSD – Vkernel Overview: https://www.dragonflybsd.org/docs/vkernel/