Date: July 13, 2026
Period: Monday, July 6 – Sunday, July 12, 2026
Security: 13 Advisories Released June 30
The biggest security news of the past two weeks landed on June 30, when FreeBSD published 13 security advisories (SA-26:37 through SA-26:49) addressing multiple critical vulnerabilities. Key highlights:
- SA-26:40.zfs – OpenZFS Vulnerabilities (CVE-2026-49429, CVE-2026-49430): Input controls truncate 64-bit buffer sizes to 32-bit integers during memory allocation but use the original 64-bit size for memory writes. This size mismatch triggers kernel heap overflows. Systems using ZFS delegation features are at highest risk.
- SA-26:41.libalias – Buffer Overflow in RTSP Handler (CVE-2026-49420): The libalias RTSP handler writes rewritten packets into a fixed-length stack buffer without checking whether the data actually fits. A remote attacker could use crafted RTSP traffic to take over a NAT gateway.
- SA-26:43.tcp – Use-After-Free in TCP RACK Stack (CVE-2026-49422): The option handler drops a connection lock to copy user data from userspace, then reacquires it but fails to reload a stale pointer. Rapidly switching stacks during this window leaves a dangling memory reference.
- SA-26:44.posixshm – POSIX Largepage Object Vulnerabilities: The system frees underlying memory pages when
sendfileis used with a specific flag, while active mappings still reference the freed memory. Local attackers can access freed kernel memory. - SA-26:46.ktls – Remote DOS via Uninitialized Memory in KTLS Receive: Another KTLS vulnerability (following CVE-2026-45257, which enabled local root access). The receive path accesses uninitialized memory, which can cause a crash.
- SA-26:48.compat32 – Heap Disclosure in compat32 kevent() Handler: The 32-bit compatibility kevent handler can expose uninitialized kernel memory to user processes.
- SA-26:49.iconv – Multiple Vulnerabilities in iconv(3)
All advisories affect FreeBSD 14.x and 15.x. Administrators should update their systems promptly. Systems not loading specific modules are partially unaffected; workarounds include disabling libalias, unloading the TCP RACK module, and restricting unprivileged ZFS access.
In the Source Tree: Developer Commits This Week
On the main branch (FreeBSD 16-CURRENT), several notable commits landed:
- pf: revert netlink commands back to enum (Gleb Smirnoff): The pf netlink interface was refactored; commands were changed from macros back to an enum format for better maintainability.
- libc/resolv: Refactor the option parser (Dag-Erling Smørgrav): The resolver option parser was overhauled, dead code removed, and style cleaned up.
- libsysdecode: Teach mktables to handle enums (Dag-Erling Smørgrav): The table generation tool can now process enum values.
- inotify.2: Fix formatting and lint (Mark Johnston): The inotify manpage received formatting fixes.
- pdfork.2: grammar (Konstantin Belousov): A small but clean documentation improvement.
- D56976: Fix heap disclosure in compat7 kern.proc.filedesc sysctl (emaste): A Phabricator review closing a memory leak bug in compatibility code.
In the ports tree: – www/deno: Improve port (VVD, delphij): The Deno port received dependency fixes, PREFIX/LOCALBASE cleanup, and three patch correctness bugs were fixed.
Blog Posts and Community Contributions
“Moving to FreeBSD from Linux” (Kuon, July 2)
A long-time Mac OS and later Linux user (10 years of Arch Linux with Sway/Wayland) describes their switch to FreeBSD as a daily driver. After a Linux kernel update broke their keyboard, they installed FreeBSD and have been happy for 6 months. Missing pieces: OBS browser source and AnyDesk/RustDesk (workaround: VM). Their verdict: “It works.” and the community has been very welcoming.
“Why FreeBSD Appears to Eat Your RAM (and Why It Doesn’t Matter)” (SourceFeed, July 4)
An excellent technical deep-dive into FreeBSD memory management. It explains why btop and fastfetch report wildly different memory usage on the same system (btop treats wired memory as “used,” fastfetch counts inactive+cache as “free”). The article covers page queues (Active, Inactive, Laundry, Wired, Free) and ZFS ARC — and why nearly free memory on a healthy FreeBSD system trends toward zero (by design).
“Upgrading FreeBSD 15.0 to 15.1: The Official Paths” (Larvitz Blog)
A detailed guide for upgrading from 15.0-RELEASE to 15.1-RELEASE via both official paths: freebsd-update (distribution-set) and pkg (packaged-base). Particularly useful: the pkg which /usr/bin/uname distinction, the boot-loader update sequence, and the note about the June 30 errata. Updated on July 2 with the correct boot-loader procedure.
“GitLab on FreeBSD” (Vuink, July 9)
A guide to installing and setting up a GitLab server on FreeBSD. Compares GitLab with Gitea as on-premises alternatives to GitHub. Includes notes on Nginx, ZFS, and GELI-encrypted VMs.
“Review: FreeBSD 15.1 with an install-time desktop” (Tux Machines, July 6)
A review of the new desktop installation option in FreeBSD 15.1, which lets you set up KDE directly during installation. FreeBSD 15.1 also received improved WiFi support (Linux 7.0 WLAN drivers) and a boot-time scheduler switch.
“FreeBSD Foundationals: The Boot Process” (Larvitz Blog)
Third installment of a FreeBSD fundamentals series: from the loader through kernel boot to boot environments. Ideal for newcomers wanting to understand how FreeBSD starts up.
Interview: FreeBSD Core Team Contributor 2026 (freebsd-howto.com)
An in-depth two-hour interview with Marcus Hellberg, kernel engineer and core team member. Topics include the 14.x consolidation cycle, the WITHOUTASLR removal (ASLR is now non-optional), OpenZFS synchronization practices, and the jails roadmap. Notable quote on the ASLR debate: *”Removing WITHOUTASLR was a statement: this is not optional anymore.”* On the future of jails: standardized image formats and better orchestration tooling are on the wish list.
FreeBSD 15.1: Post-Release
FreeBSD 15.1-RELEASE was announced on June 16, 2026. In the weeks following, upgrade guides and first-hand reports dominated the community. Key new features in 15.1:
- WiFi drivers from Linux 7.0 (iwlwifi and others)
- Boot-time CPU scheduler switch (no longer compile-time only)
- KDE desktop installation option in the installer
- Improved laptop support (suspend/resume, better WiFi)
- C23 compiler support in the standard toolchain
Support timeline: 15.1 is supported until March 31, 2027. 15.0 reaches EOL on September 30, 2026.
Valuable News – July 7, 2026 (vermaden)
The weekly “Valuable News” roundup from vermaden covers: FreeBSD boot process fundamentals, running pkgbasify on FreeBSD 15.1, upgrading from 15.0 to 15.1, and more community topics.
Outlook
With 13 critical security vulnerabilities patched at the end of June, the most urgent task for all FreeBSD administrators is: update your systems. The 15.0 EOL is approaching (September 30), making an upgrade to 15.1 strongly recommended. Community discussions around desktop experience, memory monitoring, and jails orchestration show that FreeBSD continues to mature as both a workstation and server platform.