-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
FreeBSD-SA-26:31.arm64 Security Advisory
The FreeBSD Project
Topic: Arm CPU errata may bypass page table permission changes
Category: core
Module: arm64
Announced: 2026-06-09
Affects: All supported versions of FreeBSD
Corrected: 2026-06-09 19:17:34 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:12 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:50 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-06-09 19:17:51 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:12 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:41 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2025-10263
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .
I. Background
Page tables control the translation of virtual addresses to physical
addresses and the access permissions on those addresses. On Arm CPUs, when
page table permissions are updated, a TLB Invalidate (TLBI) instruction
followed by a Data Synchronization Barrier (DSB) must be issued to ensure
subsequent accesses observe the new permissions.
II. Problem Description
Some Arm CPUs have errata where the ordering of stores and the TLBI+DSB
sequence may be incorrect. If one CPU stores to a virtual address while
another CPU invalidates the translation for that address, the second CPU's
TLBI+DSB may complete before the first CPU's store has been globally
observed.
III. Impact
This erratum may allow software to write to a previously writable location
after the page table is modified to forbid writes to that location.
Consequently this may allow software to write to memory owned by a higher
exception level, possibly allowing software to escalate privilege to that
higher exception level.
IV. Workaround
No workaround is available. The following ARM CPU models are affected:
C1-Premium
C1-Ultra
Cortex-A76
Cortex-A76AE
Cortex-A77
Cortex-A78
Cortex-A78AE
Cortex-A78C
Cortex-A710
Cortex-X1
Cortex-X1C
Cortex-X2
Cortex-X3
Cortex-X4
Cortex-X925
Neoverse-N1
Neoverse-N2
Neoverse-V1
Neoverse-V2
Neoverse-V3
Neoverse-V3AE
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-15.patch.asc
# gpg --verify arm64-15.patch.asc
[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.4.patch.asc
# gpg --verify arm64-14.4.patch.asc
[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.3.patch.asc
# gpg --verify arm64-14.3.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 9d9d6c6e6081 stable/15-n283887
releng/15.1/ 81435fc0882c releng/15.1-n283556
releng/15.0/ a53619675cdc releng/15.0-n281058
stable/14/ e99aa8682dba stable/14-n274316
releng/14.4/ 889e306ded21 releng/14.4-n273720
releng/14.3/ 61d0cea4c00f releng/14.3-n271520
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat
Or visit the following URL, replacing NNNNNN with the hash:
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmooiWIbFIAAAAAABAAO
bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv4nwP/3M5KElYqojhl044KzbV
UyoCXW3MoTm+aXnjlkf2f6+00EHtEkmboe3fYGwsUGFOp9uk0iNgDCE1jMmAhDY7
AJSegcxbUVhCcZwxfaUkIDRtv3iYt4vkN59se62/QrgA/2UiyBRWMJLYvLN4ZF0C
7xuwJVyJjHq65Z1jU4noaXQ/UqaCQgPJBmZ2XL+OMfJtdHZdproN3vL/7BLXaPwv
wuiZSc/agrBQgnbv4IFlNWc/LtXo+Hh3/vSSw3U2GUnNHARLxb62Kj2vaMz9HWP3
ObykAXru4hpLXdRndf+dsqHCow6slbb89Iqzn93axbmvhxvuOdNNkNkS0Yfj+B9Y
kMuDMqTR8Q+wXFY5JlTsTGGH8paDdyYWeZUHsI+2HqgYWS8CMQJwal2hErT4TG82
gU0xIIpZKHc09FMsw+z/TjNZO0aLQbbZAN45qpqdvZoQ174jX/ZVtkIGEOSQXyQA
YT4O/yozBjNABBTYtCTVwdnJjM6L4sva2mKbtGnCTS/3tC2dVgEhsgE2zwzHtGPv
lAtJwTbqyLBOP+aUFh2w0OaNwy0c5bB88AxyS/EKcliHtyAveedbXYFjLLVIMhLY
tpodoCSwrM6PgkddWy6+YVCbcoD6JfS1U5T2IH0EJXPSQvV8SPbs3LRY4F7O5zDi
x+jJy5JL/2hjps/C/581Iq5y
=SmlG
-----END PGP SIGNATURE-----