=============================================================================
FreeBSD-EN-26:17.rpcsec_tls                                     Errata Notice
                                                          The FreeBSD Project

Topic:          Socket refcount underflow in the NFS server

Category:       core
Module:         rpcsec_tls
Announced:      2026-06-30
Affects:        FreeBSD 15.0 and later
Corrected:      2026-06-22 13:26:26 UTC (stable/15, 15.1-STABLE)
                2026-06-30 17:21:51 UTC (releng/15.1, 15.1-RELEASE-p1)
                2026-06-30 17:21:19 UTC (releng/15.0, 15.0-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit .

I.   Background

The kernel RPC subsystem implements Transport Layer Security (TLS) for NFS.
TLS handshakes are performed by the userspace daemon rpc.tlsservd(8) via an
upcall mechanism: the kernel inserts a pending socket into a lookup tree,
invokes the daemon, and removes the socket once the handshake completes or
fails.

II.  Problem Description

When the kernel inserted a socket into the upcall tree, it did not acquire
its own reference on the socket.  If the TLS handshake upcall subsequently
failed, the error-handling path closed the socket to clean up the tree
entry, but this effectively released the transport layer's reference rather
than one owned by the upcall tree.

III. Impact

A server-side TLS handshake failure, for example because rpc.tlsservd(8) is
not running, can cause a socket reference count underflow in the NFS server.
This results in a kernel panic.

IV.  Workaround

No workaround is available.  Systems that are not running an NFS server are
not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot the system.

Perform one of the following:

1) To update your system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r now

2) To update your system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-26:17/rpcsec_tls.patch
# fetch https://security.FreeBSD.org/patches/EN-26:17/rpcsec_tls.patch.asc
# gpg --verify rpcsec_tls.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              f3b14134dec1    stable/15-n284051
releng/15.1/                            c04ca8bd36f7  releng/15.1-n283564
releng/15.0/                            7b3373d4eb5f  releng/15.0-n281066
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
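
The check below is an added example, not part of the advisory or of any
FreeBSD tool: it classifies a kernel version string against the patch levels
in the "Corrected" field above. The function name en2617_status is
hypothetical; STABLE, CURRENT and other non-RELEASE strings are reported as
check-commit because they need the commit-count comparison from section VI.

```sh
#!/bin/sh
# Added example: classify a FreeBSD version string against the "Corrected"
# entries of FreeBSD-EN-26:17.rpcsec_tls.
# en2617_status is a hypothetical helper name, not a FreeBSD utility.
# Prints one of: not-affected, affected, corrected, check-commit

en2617_status() {
    ver=$1
    rel=${ver%%-*}      # "15.0" from "15.0-RELEASE-p10"
    rest=${ver#*-}      # "RELEASE-p10" from "15.0-RELEASE-p10"
    major=${rel%%.*}    # "15"

    # Refuse to guess on anything that does not start with a number.
    case $major in
        ''|*[!0-9]*) echo check-commit; return 0 ;;
    esac

    # Advisory: "Affects: FreeBSD 15.0 and later".
    if [ "$major" -lt 15 ]; then
        echo not-affected
        return 0
    fi

    # Only RELEASE strings carry a patch level that can be compared.
    case $rest in
        RELEASE)    plevel=0 ;;
        RELEASE-p*) plevel=${rest#RELEASE-p} ;;
        *)          echo check-commit; return 0 ;;  # STABLE, CURRENT, BETA, RC
    esac
    case $plevel in
        ''|*[!0-9]*) echo check-commit; return 0 ;;
    esac

    # First corrected patch level per release branch, from the advisory.
    case $rel in
        15.0) fixed=11 ;;   # 15.0-RELEASE-p11
        15.1) fixed=1 ;;    # 15.1-RELEASE-p1
        *)    echo check-commit; return 0 ;;  # branch not listed in the advisory
    esac

    if [ "$plevel" -ge "$fixed" ]; then echo corrected; else echo affected; fi
}

# On a FreeBSD host, check the running kernel:
#   en2617_status "$(freebsd-version -r)"
```

An "affected" result matters only on hosts that run an NFS server, per
section IV.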