-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:26.ktls                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Arbitrary file overwrite via the KTLS receive path

Category:       core
Module:         ktls
Announced:      2026-06-09
Credits:        Bumsrakete
Affects:        All supported versions of FreeBSD
Corrected:      2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE)
                2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1)
                2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10)
                2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE)
                2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6)
                2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name:       CVE-2026-45257

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing
into the kernel, allowing applications to encrypt and decrypt socket data
without copying it to and from userspace and to serve TLS data with
sendfile(2). When a connection uses software KTLS on the receive path,
the kernel decrypts each incoming TLS record in place within the socket
buffer.

II.  Problem Description

The KTLS receive path decrypted each record in place, assuming that the
mbufs holding received data were anonymous and safe to modify. This
assumption does not hold for data placed on a socket by sendfile(2),
which can reference file-backed memory directly through non-anonymous
M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data
over a loopback connection without enabling KTLS on the transmit side,
the file-backed mbufs reach the receiver's decryption path unchanged.
Decrypting a record in place then overwrites the backing file's page
cache instead of a private copy of the data.

III. Impact

An unprivileged local user who can read a file can overwrite its
contents with data of their choosing by sending the file over a loopback
connection on which they have enabled KTLS receive. The write modifies
the page cache directly, so it bypasses file flags such as schg and is
written back to disk. By overwriting a setuid binary or other trusted
file, a local user can escalate privileges, potentially gaining full
control of the affected system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch
# fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc
# gpg --verify ktls.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
and reboot the
system.
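
After updating and rebooting, the kernel's reported patch level can be compared against the release patch levels in the "Corrected:" field above. The sh function below is an added example, not part of the advisory or of FreeBSD's tooling; the function name ktls_sa_status is hypothetical, and it assumes version strings in the format printed by freebsd-version(1).

```sh
#!/bin/sh
# Added example, not part of the advisory. Patch levels below are copied from
# the "Corrected:" field of FreeBSD-SA-26:26.ktls.

# ktls_sa_status VERSION   (function name is hypothetical)
# VERSION is a string as printed by freebsd-version(1), e.g. 15.0-RELEASE-p9.
# Prints: patched | vulnerable | unknown
ktls_sa_status() {
    ver=$1
    rel=${ver%%-*}      # "15.0"
    rest=${ver#*-}      # "RELEASE-p9", "RC3-p1", "RELEASE", "STABLE"
    case $rest in
        *-p*) kind=${rest%%-p*}; plevel=${rest##*-p} ;;
        *)    kind=$rest; plevel=0 ;;   # no -pN suffix means patch level 0
    esac
    case $plevel in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    case "$rel-$kind" in
        15.1-RC3)     fixed=1 ;;
        15.0-RELEASE) fixed=10 ;;
        14.4-RELEASE) fixed=6 ;;
        14.3-RELEASE) fixed=15 ;;
        # -STABLE and anything else has no patch level to compare; check the
        # commit count from section VI instead.
        *) echo unknown; return 0 ;;
    esac
    if [ "$plevel" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# On a FreeBSD host, report the installed (-k) and running (-r) kernels.
# "patched" installed but "vulnerable" running means the reboot is pending.
if command -v freebsd-version >/dev/null 2>&1; then
    echo "installed kernel: $(ktls_sa_status "$(freebsd-version -k)")"
    echo "running kernel:   $(ktls_sa_status "$(freebsd-version -r)")"
fi
```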

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              a51345704403    stable/15-n283882
releng/15.1/                            48c1c5e3c348  releng/15.1-n283550
releng/15.0/                            540a315cdb46  releng/15.0-n281052
stable/14/                              333bdd7e9427    stable/14-n274311
releng/14.4/                            d43259dd66b3  releng/14.4-n273714
releng/14.3/                            af3398862ac0  releng/14.3-n271514
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----