=============================================================================
FreeBSD-SA-26:40.zfs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in OpenZFS

Category:       contrib
Module:         openzfs
Announced:      2026-06-30
Credits:        Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and
                Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Credits:        Emmanuel Genier at Quarkslab
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-17 07:21:06 UTC (stable/15, 15.1-STABLE)
                2026-06-30 17:21:56 UTC (releng/15.1, 15.1-RELEASE-p1)
                2026-06-30 17:21:23 UTC (releng/15.0, 15.0-RELEASE-p11)
                2026-06-30 17:19:48 UTC (stable/14, 14.4-STABLE)
                2026-06-30 17:20:56 UTC (releng/14.4, 14.4-RELEASE-p7)
                2026-06-30 17:20:29 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name:       CVE-2026-49429, CVE-2026-49430, CVE-2026-49431

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

ZFS is an advanced and scalable file system originally developed by Sun
Microsystems for its Solaris operating system.  ZFS was integrated as
part of FreeBSD starting with FreeBSD 7.0.

ZFS delegation allows the system administrator to grant unprivileged
users the ability to perform specific administrative operations, such as
creating snapshots or managing properties, on a per-dataset basis.  This
is configured using the zfs-allow(8) command.

II.  Problem Description

The ZFS_IOC_USERSPACE_MANY ioctl, used by zfs-userspace(8), truncated a
64-bit output buffer size to a 32-bit integer for the kernel allocation,
but used the original 64-bit size as the buffer limit when writing
records.

The ZFS_IOC_RECV_NEW ioctl, in the heal receive path, similarly
truncated a 64-bit payload size to a 32-bit integer for allocation, then
used the original 64-bit size as the length for a byteswap operation.
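The size mismatch described in the two paragraphs above, as an added illustration in C. It is not OpenZFS code and not the project's fix: the function names, the record size and the 1 MiB cap are constructed, and the flawed function only accounts for the out-of-bounds bytes instead of writing them.

```c
/* Added illustration, not OpenZFS code: every name and size is constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REC_SIZE 24u          /* constructed record size in bytes */
#define MAX_BUF  (1u << 20)   /* constructed policy cap: 1 MiB */

/* Flawed pattern: allocation sized from a 32-bit copy, writer bounded by the
 * original 64-bit value. Returns how many bytes a writer with nrec records
 * available would place past the allocation (0 = fits). Nothing is written. */
uint64_t flawed_overrun(uint64_t user_len, uint64_t nrec)
{
    uint32_t alloc = (uint32_t)user_len;   /* silent 64 -> 32 bit truncation */
    uint64_t limit = user_len;             /* writer still trusts all 64 bits */
    uint64_t max_rec = limit / REC_SIZE;
    uint64_t written = (nrec < max_rec ? nrec : max_rec) * REC_SIZE;
    return written > alloc ? written - alloc : 0;
}

/* Hardened pattern: range-check once, then use one size for both the
 * allocation and the write limit. Returns records written or -errno. */
long checked_fill(uint64_t user_len, uint64_t nrec)
{
    if (user_len == 0 || user_len > MAX_BUF)
        return -ERANGE;                    /* reject instead of truncating */
    size_t size = (size_t)user_len;        /* lossless: bounded by MAX_BUF */
    unsigned char *buf = malloc(size);
    if (buf == NULL) return -ENOMEM;
    size_t off = 0;
    long count = 0;
    while ((uint64_t)count < nrec && size - off >= REC_SIZE) {
        memset(buf + off, 0xA5, REC_SIZE); /* stand-in for one record */
        off += REC_SIZE;
        count++;
    }
    free(buf);
    return count;
}

int main(void)
{
    uint64_t len = (1ULL << 32) + 64;      /* low 32 bits are 64 */
    printf("flawed: %llu\n", (unsigned long long)flawed_overrun(len, 10));
    printf("checked: %ld\n", checked_fill(len, 10));
    return 0;
}
```
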
The ZFS_IOC_SET_PROP ioctl, used by zfs-set(8), incorrectly validated
the calling user such that an unprivileged user is able to set metadata
on a dataset indicating that the dataset has received properties from a
zfs-recv(8) stream.

III. Impact

A local user with the "userused" delegated ZFS permission can trigger a
kernel heap overflow via the ZFS_IOC_USERSPACE_MANY ioctl, potentially
escalating privileges.  [CVE-2026-49429]

A local user with the "receive" delegated ZFS permission can trigger
kernel memory corruption via ZFS_IOC_RECV_NEW by sending a crafted
receive stream in heal mode.  [CVE-2026-49430]

Any local user can set the internal ZFS metadata flag "$hasrecvd" on
datasets via ZFS_IOC_SET_PROP.  [CVE-2026-49431]

IV.  Workaround

Systems that do not use ZFS are not affected.  The first two bugs are
only triggerable by the root user or by a user with delegated
permissions.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64
or arm64 platforms, which were installed using base system packages,
can be updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution
sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms which were not installed using base system packages can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-15.patch.asc
# gpg --verify zfs-15.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-14.patch.asc
# gpg --verify zfs-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              25c6e6ed725d    stable/15-n284009
releng/15.1/                            7eeab0afea4d  releng/15.1-n283568
releng/15.0/                            2318d229b76a  releng/15.0-n281070
stable/14/                              6419ed0df139    stable/14-n274448
releng/14.4/                            62f64d81b50e  releng/14.4-n273730
releng/14.3/                            6503d56e7c63  releng/14.3-n271530
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at