This week brought two critical security advisories (both discovered with AI-assisted fuzzing), a bumper Q1 status report with 45 entries, and the official start of the 15.1 release cycle. If you’re still on FreeBSD 13.5, the clock is ticking.
Two Security Advisories, One Day
On April 21, the FreeBSD Security Team released two advisories — both credited to Nicholas Carlini using Claude (Anthropic). AI-assisted fuzzing finding two independent kernel bugs is noteworthy and signals a shift in how vulnerability research is done.
SA-26:10.tty — Use-After-Free in TIOCNOTTY Handler (CVE-2026-5398, CVSS 8.4 HIGH)
The TIOCNOTTY ioctl lets a process detach from its controlling terminal. The implementation failed to clear a back-pointer from the terminal structure to the calling process’s session. When the process subsequently exits, the terminal structure retains a dangling pointer to freed memory — which a malicious process can exploit to escalate to root.
All supported FreeBSD versions are affected (13.5, 14.3, 14.4, 15.0). No workaround exists. Patch and reboot.
SA-26:11.amd64 — Missing Large Page Handling in pmap_pkru_update_range() (CVE-2026-6386)
The pmap_pkru_update_range() function updates page table entries when applying Memory Protection Keys (PKRU) to an address range. It didn’t account for 1GB large page mappings created via shm_create_largepage(). Instead of recognizing a page directory entry as a large page, it treated it as a pointer to another page table page.
The result: an unprivileged user can trick the kernel into treating userspace memory as a page table, overwriting memory they shouldn’t have access to. Affects all supported versions on amd64. No workaround.
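The bug class described above, as an added example that is not FreeBSD's pmap code: a toy page-table walker applies a protection key with and without the large-page check at the page-directory-pointer level. The `mem` array, `update_key`, `demo` and the sample values are hypothetical; the PS bit (bit 7) and the key field (bits 62:59) follow the amd64 entry layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PG_V      0x001ULL                 /* entry is present */
#define PG_PS     0x080ULL                 /* entry is a large-page leaf */
#define PG_FRAME  0x000FFFFFFFFFF000ULL    /* frame address bits */
#define PKEY(k)   ((uint64_t)(k) << 59)    /* protection key, bits 62:59 */
#define PKEY_MASK PKEY(0xF)

enum { NFRAMES = 4, NENT = 512 };
static uint64_t mem[NFRAMES][NENT];        /* toy physical memory, 4 KiB frames */

static uint64_t *frame(uint64_t e) { return mem[(e & PG_FRAME) >> 12]; }
static void set_key(uint64_t *e, int k) { *e = (*e & ~PKEY_MASK) | PKEY(k); }

/* Apply key k to the mapping reached through one PDP entry (slot 0 at each
   lower level). check_large=0 models the missing 1 GiB check. */
static void update_key(uint64_t *pdpe, int k, int check_large)
{
    if (!(*pdpe & PG_V)) return;
    if (check_large && (*pdpe & PG_PS)) { set_key(pdpe, k); return; } /* 1 GiB leaf */
    uint64_t *pde = &frame(*pdpe)[0];  /* unchecked: a data frame is read as a table */
    if (!(*pde & PG_V)) return;
    if (*pde & PG_PS) { set_key(pde, k); return; }                    /* 2 MiB leaf */
    uint64_t *pte = &frame(*pde)[0];
    if (*pte & PG_V) set_key(pte, k);
}

/* One 1 GiB mapping whose first frame holds constructed data; apply key 5 and
   return the data word, reporting the PDP entry through pdpe_after. */
static uint64_t demo(int check_large, uint64_t *pdpe_after)
{
    memset(mem, 0, sizeof(mem));
    mem[1][0] = PG_V | PG_PS | (2ULL << 12);   /* constructed data word */
    mem[0][0] = PG_V | PG_PS | (1ULL << 12);   /* PDPE: 1 GiB leaf at frame 1 */
    update_key(&mem[0][0], 5, check_large);
    *pdpe_after = mem[0][0];
    return mem[1][0];
}

int main(void)
{
    uint64_t e, d = demo(0, &e);
    printf("no check: pdpe=%#llx data=%#llx\n", (unsigned long long)e, (unsigned long long)d);
    d = demo(1, &e);
    printf("checked:  pdpe=%#llx data=%#llx\n", (unsigned long long)e, (unsigned long long)d);
    return 0;
}
```

Without the check the key lands in the data frame and the mapping's own entry is left unchanged; with it, only the entry changes.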
Takeaway: If you run amd64 systems, patch immediately. Both bugs are locally exploitable, and SA-26:10 leads directly to root. The AI-assisted discovery method is a clear signal: defenders need to adopt these tools as fast as attackers already have.
Q1 2026 Status Report: 45 Entries
The Q1 2026 Status Report landed on April 22 with 45 entries — the first under a newly enforced editorial schedule. Highlights:
Alpha-Omega Beach Cleaning
The FreeBSD Foundation continues its Beach Cleaning project, funded by the Linux Foundation’s Alpha-Omega initiative. The goal: proactively find and fix security vulnerabilities in third-party base system software. The repository includes build infrastructure and fuzzing setups for components like libxml2, SQLite, and other base system dependencies. The connection to this week’s two SAs is obvious — structured fuzzing pays off.
Cyber Resilience Act (CRA) Readiness
The EU’s Cyber Resilience Act is law, and FreeBSD must prepare. The Foundation launched a dedicated CRA Readiness project with monthly updates. Core questions: Which SBOM requirements apply? How is vulnerability management documented? Anyone deploying FreeBSD in EU-compliant products should follow this closely.
Laptop Testing & Integration
The Laptop Integration Testing Project introduced a Python application that automates FreeBSD compatibility testing on laptops. The Foundation is asking the community to submit hardware probes to build a public compatibility matrix. Other laptop progress:
- S0ix (Modern Standby): Suspend/Resume support for modern laptops
- Hibernate (Suspend-to-Disk): Under active development
- CPPC: AMD CPPC support for Zen 2+ processors (out-of-tree module available)
- Intel FRED: Konstantin Belousov (kib) submitted initial patches for Intel’s Flexible Return and Event Delivery — CPUID, MSR, and CR4 bits are in main, full FRED support is under review
Sylvea v0.2.3
The management tool Sylvea reached v0.2.3 with enhanced jail and VM support. A lightweight GUI for Bhyve, Jails, ZFS, and networking — an interesting alternative to web-based tools like TrueNAS.
HPC Initiative
FreeBSD is getting ports for Slurm, OpenMPI, and UCX — high-performance computing is landing on the platform. Niche, but strategically important.
Cloud
FreeBSD on EC2 with updated AMIs, plus a new STACKIT Cloud integration (a European cloud provider in the IAD group).
Ports Updates
- KDE Plasma 6.6.3
- OpenJDK 21/25
- Wazuh 4.14.3 (Security Monitoring)
FreeBSD 15.1: Code Slush Reached
The 15.1 release cycle hit Code Slush on April 17 — commits to the stable/15 branch no longer require explicit approval, but new features should be avoided. The remaining schedule:
| Milestone | Date |
|---|---|
| releng/15.1 branch | May 1, 2026 |
| BETA1 | May 1, 2026 |
| BETA2 | May 8, 2026 |
| BETA3 | May 15, 2026 |
| RC1 | May 22, 2026 |
| RELEASE | June 2, 2026 |
FreeBSD 15.0 reaches end-of-life on September 30, 2026. Stable/15 will be supported through December 2029.
FreeBSD 13.5: EOL on April 30
Anyone still running FreeBSD 13.5 has less than a week to upgrade. Support ends April 30 — no more security patches after that. The Release Engineering Team has already stopped weekly snapshot builds for stable/13.
Migration to 14.4 or 15.0 is now urgent. Especially given SA-26:10 and SA-26:11, running an EOL version would be negligent.
ZFS: Snapshot Automount Deadlock Fixed
Hamza (ixhamza) contributed two significant ZFS fixes:
- Snapshot automount deadlock during concurrent zfs recv — When a snapshot is automounted while zfs recv is running, the system could deadlock. The fix reorganizes the locking order.
- AVL tree panic from snapshot automount race — A race condition during parallel snapshot mounts could trigger an AVL tree panic. Solved by switching to AVL lookup instead of linear scan.
Additionally, a memory leak in zfsctl_snapshot_mount was fixed — the options structure wasn’t being properly freed.
For anyone running zfs recv in production (and you should be if you do replication), these fixes matter. The deadlock was hitting real users, as open issue #18073 confirms.
BastilleBSD Hiring Plans
BastilleBSD announced plans to hire a part-time FreeBSD/Bastille sysadmin (~20 hrs/week), targeting EMEA/APAC time zones. The role involves working with Bastille’s creator on a cybersecurity startup, with an expected start in mid-to-late 2026. A sign that the FreeBSD jail management ecosystem is professionalizing.
TopBar: Wayland Desktop Environment
TopBar was featured on DiscoverBSD — a customizable desktop environment built with Quickshell and QML for Wayland compositors like MangoWM and Hyprland. It integrates a status bar, app launcher, lock screen, and wallpaper manager into a single cohesive system. For FreeBSD laptop users exploring Wayland, this is worth watching.
ZFS Performance Without New Hardware
A DiscoverBSD article rounded up ZFS performance tips that don’t require hardware investment:
- Tune recordsize to workload (16K for databases, 1M–4M for storage)
- Enable LZ4 compression — often reduces I/O overhead rather than increasing it
- Pool topology: Replace wide RAIDz configs with mirrored VDEVs for more parallelism
- Disable prefetch for random-access workloads (databases)
Nothing new for ZFS veterans, but a solid reference for newcomers.
What This Week Means
Two critical SAs in one week, both discovered via AI-assisted fuzzing — that’s a wake-up call. The tools are getting better, and attackers will use them too. The Q1 status report shows a healthy project: laptop support is growing, HPC is arriving, CRA preparation is professional. And with the code slush for 15.1, the next release is approaching.
If you’re on 13.5: upgrade now. If you’re on 15.0 or 14.4: patch now. Anything else is negligent.