FreeBSD security fixes for libcap_net, bsdinstall Wi-Fi RCE, libcasper privilege escalation and more.
Releases
No releases.
BSDSec
FreeBSD Security Advisory FreeBSD-SA-26:24.cap_net: The advisory addresses a vulnerability in the libcap_net service, part of the Capsicum capability framework, where keys omitted from an updated set of permission limits were incorrectly treated as “allow any” instead of being rejected. This flaw could allow sandboxed applications to expand their network permissions beyond the originally defined restrictions, violating Capsicum’s security model. The issue affects all supported FreeBSD versions and was discovered by Joshua Rogers of AISLE Research Team. Corrections were applied to branches stable/15, releng/15.0, stable/14, releng/14.4, and releng/14.3, with no known workarounds available. Updates can be applied via pkg, freebsd-update, or source patches, followed by a system reboot.
FreeBSD Security Advisory FreeBSD-SA-26:23.bsdinstall: A critical vulnerability in FreeBSD’s bsdinstall and bsdconfig utilities allows remote code execution during Wi-Fi network scans. The flaw stems from improper shell handling of Wi-Fi network names, enabling an attacker within range to execute arbitrary commands as root by broadcasting a maliciously crafted access point name. The issue affects all supported FreeBSD versions and requires no user interaction beyond initiating a Wi-Fi scan; the user does not need to select the network for exploitation to occur. Patches have been released for the FreeBSD 14.3, 14.4, and 15.0 branches, and the recommended workaround is to configure Wi-Fi manually until updates can be applied. The vulnerability is tracked as CVE-2026-45255 and was discovered by researcher Austin Ralls.
FreeBSD Security Advisory FreeBSD-SA-26:22.libcasper: The issue arises because libcasper fails to verify that socket descriptors fit within the 1024-descriptor limit of the select(2) system call, potentially allowing an attacker to trigger a stack overflow. If exploited in a setuid root application, this flaw could enable local privilege escalation. The advisory confirms that all supported FreeBSD versions are affected, states that no workaround is available, and provides patches and upgrade instructions for mitigation. Corrections were applied across stable and release branches, including FreeBSD 14.3, 14.4, and 15.0.
FreeBSD Security Advisory FreeBSD-SA-26:21.ptrace: The vulnerability stems from insufficient parameter validation in the PT_SC_REMOTE operation, which allows a debugger to execute arbitrary system calls in a target process. This flaw enables unprivileged local users to escalate privileges and potentially gain full control of the system. The issue was independently reported by researchers from Tsinghua University and Calif.io, with patches released for FreeBSD 15.0, 14.4, and 14.3 branches. No workaround exists, requiring users to upgrade to patched versions and reboot. The vulnerability is tracked as CVE-2026-45253.
FreeBSD Security Advisory FreeBSD-SA-26:20.fusefs: The flaw arises when the kernel processes extended attribute lists returned by a userspace FUSE daemon without verifying proper NUL-termination, potentially allowing a malicious daemon to read up to 253 bytes of kernel heap memory or inject up to 250 bytes into unallocated heap space. Systems are only vulnerable if the fusefs module is loaded and either a privileged daemon or an unprivileged user with vfs.usermount=1 is active. The issue, credited to Joshua Rogers of AISLE Research Team and assigned CVE-2026-45252, affects all supported FreeBSD versions and has been patched in stable/15, releng/15.0, stable/14, releng/14.4, and releng/14.3 branches as of May 20, 2026. Updates are available via pkg, freebsd-update, or source patches, with a system reboot required for mitigation.
FreeBSD Security Advisory FreeBSD-SA-26:19.file: The issue arises when a file descriptor is closed while a thread remains blocked in a poll(2) or select(2) call, leading to potential memory access after the underlying object has been freed. This vulnerability, identified by multiple independent researchers, can be exploited by unprivileged local users to gain superuser privileges. The advisory provides no workaround but outlines patching instructions via package updates, binary distributions, or source code patches for affected systems. Corrections have been applied to FreeBSD 15.x and 14.x branches, with specific commit hashes and timestamps documented for verification.
FreeBSD Security Advisory FreeBSD-SA-26:18.setcred: A stack buffer overflow in FreeBSD’s setcred(2) system call was disclosed, affecting all supported versions of FreeBSD. The flaw arises because the user-supplied list of supplementary groups is copied into a fixed-size kernel stack buffer without prior length validation, allowing an unprivileged local user to trigger an overflow. Successful exploitation could enable arbitrary kernel-level code execution, potentially granting elevated privileges. The issue was independently reported by multiple researchers and has been patched in FreeBSD 15.0, 14.4, and 14.3 branches, with corrections dated between January and May 2026. No workaround exists, requiring users to upgrade and reboot their systems to mitigate the risk.
FreeBSD Errata Notice FreeBSD-EN-26:13.freebsd-update: FreeBSD-EN-26:13 addresses a flaw in the freebsd-update utility where it incorrectly treats the certificate bundle /etc/ssl/cert.pem as a configuration file during upgrades. When moving from FreeBSD 15.0 to 15.1, this causes unnecessary merge conflicts in Base64-encoded ASN.1 data, while upgrades from older releases to 15.0 or 15.1 may trigger non-fatal error messages. The issue arises because the bundle, used for TLS certificate validation, is regenerated post-upgrade, making manual merging redundant. Corrections were applied across supported branches (stable/15, releng/15.0, stable/14, etc.) as of May 2026, with patches available for source-based updates. Users encountering conflicts can resolve them by accepting the unmerged file, as the bundle will be rebuilt automatically.
As always, it’s worth following BSDSec. RSS feed available.
News
Valuable News – 2026/05/25: The Valuable News weekly roundup for May 25, 2026, curates notable updates across UNIX, BSD, and Linux ecosystems. Highlights include OpenBSD 7.9’s release with support for up to 255 CPU cores and WiFi 6, FreeBSD 15.1-RC1’s availability with AI-discovered security fixes, and a forked KDE Plasma login manager by SonicDE that supports X11 and systemd-free environments. Additional topics cover FreeBSD’s mdo(1) privilege delegation, HAProxy optimizations for Fedimeteo, and a dual-node FreeBSD NAS cluster setup for $210.
BSD Now 664: No one misses SPARC: This episode covers the historical 1993 announcement confirming NetBSD and FreeBSD would remain separate projects rather than merge, alongside an analysis of SPARC architecture’s decline and why it faded into obscurity. Additional topics include a call for community testing of GhostBSD 26.2, a guide for setting up redundant DHCP and DNS services using OpenBSD and FreeBSD, and reflections on universities developing in-house technology. The episode also features user feedback and a sponsored segment on Tarsnap’s secure backup solutions, rounding out discussions on BSD-related tools, utilities, and open-source developments.
Virtual OS Museum offers 1,700+ pre-installed operating systems: The Virtual OS Museum is a curated collection of over 1,700 pre-installed operating systems and standalone applications spanning from 1948 to the present day, packaged within a single Linux virtual machine compatible with QEMU, VirtualBox, and UTM. It includes a custom launcher with snapshot functionality to revert broken installations, along with one-click launchers for Windows and Linux, eliminating the need for manual emulator configuration. The collection covers early mainframes, minicomputers, workstations, home computers, personal computer OSes, mobile/embedded systems, and obscure research platforms, with many installations pre-loaded with period-appropriate software. Both full (offline) and lite (downloads-on-demand) versions are available, with automatic updates supported for both. The project aims to make computing history accessible by providing ready-to-run environments that preserve the user experience of historical systems.
Tutorials
Manual Plex upgrade on FreeBSD: When the latest Plex Media Server release is unavailable via FreeBSD’s pkg manager, a manual upgrade can be performed using the official .tar.bz2 archive. The process involves downloading the archive from Plex’s website, stopping the Plex service, extracting the files over the existing installation directory, and restarting the service. The same steps apply to both Plex Pass and standard versions, with minor adjustments to directory and service names. In rare cases, a second restart may be required if Plex fails to start properly. This method mirrors the pkg upgrade process and can be used until the new version becomes available through official channels.
Migrating a decade-old Ubuntu 16.04 blog to FreeBSD on Hetzner: After running a blog on an outdated Ubuntu 16.04 VPS for ten years, the author migrated it to a FreeBSD-based Hetzner server for improved security, cost efficiency, and performance. The new setup leverages FreeBSD Jails managed by Bastille for isolation, Caddy as a reverse proxy for automatic SSL handling, and ZFS for snapshots and data integrity. Benchmarking using hey and wrk from Vultr VPS instances across four continents showed the FreeBSD server handling up to 11x more requests per second with significantly lower latency compared to the old Ubuntu setup. The migration also reduced costs by over 50% while providing better hardware specs, including double the CPU and memory, though the author acknowledges that much of the performance gain likely stems from the new server’s four CPU cores versus the old single-core setup.
Configuring CUPS for HP printers on OpenBSD: The article details the process of setting up an HP OfficeJet printer on OpenBSD using CUPS and HPLIP after switching to the OS full-time. Despite installing the necessary packages and enabling Avahi, the printer initially failed to connect due to a DNS resolution issue with its mDNS address. The solution involved manually adding the printer’s local IP and mDNS name to the /etc/hosts file, allowing CUPS to properly communicate with the printer. While the workaround succeeded, the author notes that mDNS resolution (via Avahi) did not function as expected, unlike in Linux, where the printer is automatically detected. The article concludes with a functional printer setup but leaves the underlying mDNS issue unresolved.
Tethering a Pocket PC PDA to OpenBSD for internet access: This guide details how to enable tethered internet access for a Pocket PC PDA using OpenBSD, focusing on the HP iPaq H3600 series. The process involves hardware modifications, including soldering a DB9 connector to the PDA’s cradle for RS232 serial communication, as USB tethering is not supported. The software setup requires configuring OpenBSD’s pppd with a custom chat script to handle ActiveSync handshaking and setting up IP forwarding via pf for internet sharing. The article also covers troubleshooting steps, such as verifying serial connections with cu and ensuring proper IP address assignments to avoid conflicts. The solution provides a functional workaround for legacy devices lacking modern connectivity options, demonstrating OpenBSD’s flexibility in supporting older hardware.
Did we miss anything?
This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.
Thanks for reading and see you next week! Stay safe!
