-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-26:10.amd64 Errata Notice
The FreeBSD Project
Topic: TLB invalidation bug on AMD systems with INVLPGB
Category: core
Module: vm
Announced: 2026-04-29
Affects: FreeBSD 14.3 and later
Corrected: 2026-04-23 13:48:45 UTC (stable/15, 15.0-STABLE)
2026-04-29 14:48:26 UTC (releng/15.0, 15.0-RELEASE-p7)
2026-04-23 13:49:23 UTC (stable/14, 14.4-STABLE)
2026-04-29 14:49:39 UTC (releng/14.4, 14.4-RELEASE-p3)
2026-04-29 14:49:19 UTC (releng/14.3, 14.3-RELEASE-p12)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
.
I. Background
On multi-core systems, TLB invalidation operations must notify other cores,
as each core maintains a local TLB. On amd64 systems this has historically
been implemented using interprocessor interrupts. Recent AMD CPUs provide
a new instruction, invlpgb, which allows a core to broadcast TLB invalidations
to other cores without need to explicitly raise interrupts. The FreeBSD kernel
makes use of this instruction when available.
II. Problem Description
The FreeBSD implementation of ranged TLB invalidation took advantage of a bit
in an invlpgb operand to invalidate consecutive 2M entries, instead of
invalidating purely in increments of 4K pages. The hardware invlpgb
implementation uses the underlying page size to invalidate regardless of the
status of this bit, which may leave a series of 4K mappings intact that should
have been invalidated.
III. Impact
Failing to invalidate pages when it required may result in apparent kernel
memory corruption, typically resulting in a kernel panic. Workloads involving
heavy use of kqueue(2) and/or large file descriptor tables seem to trigger
the problem somewhat readily.
IV. Workaround
Intel and non-x86 systems are not affected.
AMD systems that support INVLPGB (reported during the kernel boot process in
"AMD Extended Feature Extensions ID EBX") may set vm.pmap.invlpgb_works=0 in
/boot/loader.conf to work around this issue by disabling the use of invlpgb.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot the system.
Perform one of the following:
1) To update your system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, which were not installed using base
system packages, can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/EN-26:10/amd64.patch
# fetch https://security.FreeBSD.org/patches/EN-26:10/amd64.patch.asc
# gpg --verify amd64.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 280cfe2264d7 stable/15-n283199
releng/15.0/ 182c59658218 releng/15.0-n281027
stable/14/ ff11ae166cd9 stable/14-n274021
releng/14.4/ b00785205990 releng/14.4-n273689
releng/14.3/ 3b1365cb816e releng/14.3-n271489
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmnySRcbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv4zAP/3/9no397tY5+uMITwzb
d8RklxyJatGAYnqSQrJCjxm4er+CUijdCb6jUrg2L2hKt8c3KOQctSY5ko2agkZ2
41ghOeIOU6N9+aiNN4wlqCbgufUXjtBWBBEgOvJHyU1QnSazKDZmGAwWfiTz8Uh7
QtuRHV/I8LDKpd6UtVC6S6lsKSiDrmMQ6CmDSMiMDEpJO8cM1rKejU/gGSTaiwak
25SvR6z1rgJwh5VFKnT5a7G9Gw3oV04+zWQRoYOotiblg1qUgLAjMxogrIvFQKbR
fQElldSwQl7ErlFjYCBrvDbXzGqlsDDab05ay4361VD92QWQ4o64X5KHR+Rb0yYt
RWfPxfCNA1fNMDjkY1y9ROjGERuNdhJzGl5o2m6TXJl/rUX+BZrWZLTC/68CMy/B
DHrKPMLRD6rOS6AupNK1UfKoRPqha9tdwdofOOD4qr6PQ0UecLyUrUQljlK6QUYm
yUQQzC0eun6SdQihPaHGEXK0oe7MqWJvt7s82DE6EKKR8FJ2aqWfMT7qjV3Y3E7e
TJzJGDsbLoZYtPl8u6OQM2gaxAf5CqSCxU7PvyOsu5/gf89CsakdC6OUBkXh/pAS
wCLDDyqffmgwOi1hE9ACgUOVASRyrITZwP1sqyAVJF8yY3YhxGHImaFrdAJ/yU4Q
xp9Ok7v2qSxueDnMc9C16AFt
=pWDj
-----END PGP SIGNATURE-----