-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-EN-26:17.rpcsec_tls                                     Errata Notice
                                                          The FreeBSD Project

Topic:          Socket refcount underflow in the NFS server

Category:       core
Module:         rpcsec_tls
Announced:      2026-06-30
Affects:        FreeBSD 15.0 and later
Corrected:      2026-06-22 13:26:26 UTC (stable/15, 15.1-STABLE)
                2026-06-30 17:21:51 UTC (releng/15.1, 15.1-RELEASE-p1)
                2026-06-30 17:21:19 UTC (releng/15.0, 15.0-RELEASE-p11)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
.

I. Background

The kernel RPC subsystem implements Transport Layer Security (TLS) for
NFS. TLS handshakes are performed by the userspace daemon
rpc.tlsservd(8) via an upcall mechanism: the kernel inserts a pending
socket into a lookup tree, invokes the daemon, and removes the socket
once the handshake completes or fails.

II. Problem Description

When the kernel inserted a socket into the upcall tree, it did not
acquire its own reference on the socket. If the TLS handshake upcall
subsequently failed, the error-handling path closed the socket to
clean up the tree entry, but this effectively released the transport
layer's reference rather than one owned by the upcall tree.

III. Impact

A server-side TLS handshake failure, for example because rpc.tlsservd(8)
is not running, can cause a socket reference count underflow in the NFS
server. This results in a kernel panic.

IV. Workaround

No workaround is available. Systems that are not running an
NFS server are not affected.

V. Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot the
system.

Perform one of the following:

1) To update your system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r now

2) To update your system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-26:17/rpcsec_tls.patch
# fetch https://security.FreeBSD.org/patches/EN-26:17/rpcsec_tls.patch.asc
# gpg --verify rpcsec_tls.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile your kernel as described in
and reboot the
system.

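The patch levels in the Corrected field can be checked mechanically on
release branches. The sh function below is an added example, not part of
the FreeBSD notice: it classifies a version string as printed by
freebsd-version(1). The function name en2617_status and its four result
strings are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the notice): classify a freebsd-version(1) string
# against the patch levels in the "Corrected" field of FreeBSD-EN-26:17.
# Prints: not-affected | fixed | affected | check-commit
en2617_status() {
    ver=$1
    rel=${ver%%-*}                  # "15.0" from "15.0-RELEASE-p10"
    major=${rel%%.*}
    case $major in
        ''|*[!0-9]*) echo check-commit; return 0 ;;
    esac
    if [ "$major" -lt 15 ]; then    # "Affects: FreeBSD 15.0 and later"
        echo not-affected; return 0
    fi
    case $ver in
        15.0-RELEASE*) need=11 ;;   # corrected in 15.0-RELEASE-p11
        15.1-RELEASE*) need=1 ;;    # corrected in 15.1-RELEASE-p1
        # STABLE, CURRENT and other branches: the patch level says nothing,
        # compare the commit count with the table in section VI instead.
        *) echo check-commit; return 0 ;;
    esac
    case $ver in
        *-RELEASE-p*) plevel=${ver##*-p} ;;
        *-RELEASE)    plevel=0 ;;
        *) echo check-commit; return 0 ;;
    esac
    case $plevel in
        ''|*[!0-9]*) echo check-commit; return 0 ;;
    esac
    if [ "$plevel" -ge "$need" ]; then echo fixed; else echo affected; fi
}

# On a FreeBSD host, check the installed (-k) and the running (-r) kernel:
# a patched kernel on disk takes effect only after the reboot.
if command -v freebsd-version >/dev/null 2>&1; then
    for flag in -k -r; do
        v=$(freebsd-version "$flag")
        echo "freebsd-version $flag: $v -> $(en2617_status "$v")"
    done
fi
```

An "affected" result matters only on hosts that run an NFS server, per
section IV.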

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              f3b14134dec1    stable/15-n284051
releng/15.1/                            c04ca8bd36f7  releng/15.1-n283564
releng/15.0/                            7b3373d4eb5f  releng/15.0-n281066
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----