-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-25:19.zfs Errata Notice
The FreeBSD Project
Topic: Unprivileged kernel NULL pointer dereference
Category: contrib
Module: openzfs
Announced: 2025-12-16
Credits: Collin Funk
Affects: FreeBSD 15.0
Corrected: 2025-12-15 14:16:12 UTC (stable/15, 15.0-STABLE)
2025-12-16 23:42:59 UTC (releng/15.0, 15.0-RELEASE-p1)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
.
I. Background
ZFS is an advanced and scalable file system that is commonly used on FreeBSD.
II. Problem Description
Invoking the fsync(2) system call on a named pipe will trigger a NULL pointer
dereference in the kernel, causing a system panic.
III. Impact
A malicious, unprivileged user may be able to panic the system.
Software which attempts to fsync a named pipe may inadvertently panic the
system.
IV. Workaround
No workaround is available. Systems not using ZFS are unaffected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r now
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-25:19/zfs.patch
# fetch https://security.FreeBSD.org/patches/EN-25:19/zfs.patch.asc
# gpg --verify zfs.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ d988a0c1fc4c stable/15-n281511
releng/15.0/ ff6b9c7c1c34 releng/15.0-n280996
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+bIACgkQbljekB8A
Gu8e+hAA1P5avUtCSkV+8EtFRP06yMwe/Lq79Q/pKZPPznhweJYx2tiEey7qfUEA
7QT8aE8EgOCaaVs159Jn5c3RmQUeV9k+CKWxGbMuThfQJTX/ytmVdQX9tbTyfet1
o6zZmvRViWR+GpArtCDrjapV5luvvW4DqFN0wBhqAN4PK4GUG/77kbWeeRGGNcNF
2hzjrqUsi7vQ4CrhYYJH01PKIOW7V4HySzodPKSD24/LxILRY/XAA5y3n1gLeZ/i
G8JWIjX3bhKrmyHlL+bOCPcUpJEC3CD//CtisGQX0UsOrRbR6nZrDVpIXGnrW9kM
qUZvwjd731sTmab/ZyKcqoJ5cOwe1fBHgB/uK7H8DLzUCijiUS2+m+X5U6ncggFW
qsFpdW2rEUWDoc1n1qkFpIbkQqXZKiEaX5C1MFcQvRv/5nkXszHMVSKuhuamC6xc
Or7GXnxSVsTLS0H5ASg5aY65KsiJdDJI/4I6VSv7BIzJrZGXA/eH0G5+lAyU7rfd
vZ67vtT+Gvz2Hof8oFwUL/6ID2v/RLKG9+wIx5m2HB6DsdxqB/UCpAVV5yh2FIt9
OUODbFKIGQMtBL1pUhqxAIOzbJfAxcZfR11+2MuQWIkEXVMHWu86mRjxrQd33c10
HET/1kMnGTZBbi77QM9eQvLqxfXRhRslquITHWz6XE+QN4hu44o=
=o0ys
-----END PGP SIGNATURE-----