FreeBSD Security Advisory ktls

    From digimaus@618:618/1 to All on Thu Jun 18 10:57:11 2026
    =============================================================================
    FreeBSD-SA-26:26.ktls Security Advisory
    The FreeBSD Project

    Topic: Arbitrary file overwrite via the KTLS receive path

    Category: core
    Module: ktls
    Announced: 2026-06-09
    Credits: Bumsrakete
    Affects: All supported versions of FreeBSD
    Corrected: 2026-06-09 19:17:28 UTC (stable/15, 15.1-STABLE)
               2026-06-09 19:20:06 UTC (releng/15.1, 15.1-RC3-p1)
               2026-06-09 19:19:43 UTC (releng/15.0, 15.0-RELEASE-p10)
               2026-06-09 19:17:46 UTC (stable/14, 14.4-STABLE)
               2026-06-09 19:19:05 UTC (releng/14.4, 14.4-RELEASE-p6)
               2026-06-09 19:18:35 UTC (releng/14.3, 14.3-RELEASE-p15)
    CVE Name: CVE-2026-45257

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the
    following sections, please visit <URL:https://security.FreeBSD.org/>.

    0. Revision History

    v1.0 -- Initial revision
    v1.1 -- Update workaround section

    I. Background

    Kernel TLS (KTLS) moves Transport Layer Security (TLS) record processing
    into the kernel, allowing applications to encrypt and decrypt socket data
    without copying it to and from userspace and to serve TLS data with
    sendfile(2). When a connection uses software KTLS on the receive path,
    the kernel decrypts each incoming TLS record in place within the socket
    buffer.

    II. Problem Description

    The KTLS receive path decrypted each record in place, assuming that the
    mbufs holding received data were anonymous and safe to modify. This
    assumption does not hold for data placed on a socket by sendfile(2),
    which can reference file-backed memory directly through non-anonymous
    M_EXTPG pages or EXT_SFBUF mbufs. When the sender transmits such data
    over a loopback connection without enabling KTLS on the transmit side,
    the file-backed mbufs reach the receiver's decryption path unchanged.
    Decrypting a record in place then overwrites the backing file's page
    cache instead of a private copy of the data.

    III. Impact

    An unprivileged local user who can read a file can overwrite its
    contents with data of their choosing by sending the file over a loopback
    connection on which they have enabled KTLS receive. The write modifies
    the page cache directly, so it bypasses file flags such as schg and is
    written back to disk. By overwriting a setuid binary or other trusted
    file, a local user can escalate privileges, potentially gaining full
    control of the affected system.

    IV. Workaround

    Set sysctl kern.ipc.tls.enable=0 to disable KTLS entirely.

    V. Solution

    Upgrade your vulnerable system to a supported FreeBSD stable or
    release / security branch (releng) dated after the correction date,
    and reboot the system.

    Perform one of the following:

    1) To update your vulnerable system installed from base system packages:

    Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
    platforms, which were installed using base system packages, can be
    updated via the pkg(8) utility:

    # pkg upgrade -r FreeBSD-base
    # shutdown -r +10min "Rebooting for a security update"

    2) To update your vulnerable system installed from binary distribution sets:

    Systems running a RELEASE version of FreeBSD on the amd64 or arm64
    platforms which were not installed using base system packages can be
    updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install
    # shutdown -r +10min "Rebooting for a security update"

    3) To update your vulnerable system via a source code patch:

    The following patches have been verified to apply to the applicable
    FreeBSD release branches.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch
    # fetch https://security.FreeBSD.org/patches/SA-26:26/ktls.patch.asc
    # gpg --verify ktls.patch.asc

    b) Apply the patch. Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

    c) Recompile your kernel as described in
    <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
    system.

    VI. Correction details

    This issue is corrected as of the corresponding Git commit hash in the
    following stable and release branches:

    Branch/path                             Hash                     Revision
    - -------------------------------------------------------------------------
    stable/15/                              a51345704403    stable/15-n283882
    releng/15.1/                            48c1c5e3c348    releng/15.1-n283550
    releng/15.0/                            540a315cdb46    releng/15.0-n281052
    stable/14/                              333bdd7e9427    stable/14-n274311
    releng/14.4/                            d43259dd66b3    releng/14.4-n273714
    releng/14.3/                            af3398862ac0    releng/14.3-n271514
    - -------------------------------------------------------------------------

    Run the following command to see which files were modified by a
    particular commit:

    # git show --stat <commit hash>

    Or visit the following URL, replacing NNNNNN with the hash:

    <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

    To determine the commit count in a working tree (for comparison against
    nNNNNNN in the table above), run:

    # git rev-list --count --first-parent HEAD
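    The comparison that section VI, the "Corrected:" header and the section IV
    workaround leave to the reader, as an added shell example that is not part
    of the advisory or of FreeBSD itself: it embeds the branch/revision counts
    from the table above and the corrected patch levels from the header, and
    assumes the host tools freebsd-version(1), sysctl(8) and awk(1) are
    present. The function names are my own.

```sh
#!/bin/sh
# Added example, not part of the FreeBSD advisory: decide whether a source
# tree or an installed kernel already carries the SA-26:26.ktls fix, and
# whether the advisory's workaround is in effect. The numbers below are
# copied from the "Corrected:" header and the section VI table.

# Branch -> first fixed commit count (the nNNNNNN part of the Revision
# column), for comparison with `git rev-list --count --first-parent HEAD`.
CORRECTED_COUNTS='
stable/15 283882
releng/15.1 283550
releng/15.0 281052
stable/14 274311
releng/14.4 273714
releng/14.3 271514
'

# Release -> first fixed patch level, from the "Corrected:" header.
CORRECTED_PATCHLEVELS='
15.1-RC3 1
15.0-RELEASE 10
14.4-RELEASE 6
14.3-RELEASE 15
'

# lookup TABLE KEY: print the value paired with KEY; return 1 if absent.
lookup() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; found = 1 } END { exit !found }'
}

# corrected_count BRANCH: first fixed commit count, e.g. stable/15 -> 283882.
corrected_count() {
    lookup "$CORRECTED_COUNTS" "$1"
}

# tree_is_patched BRANCH COUNT: 0 if a checkout of BRANCH whose
# `git rev-list --count --first-parent HEAD` is COUNT contains the fix,
# 1 if it does not, 2 if the branch is not listed in the advisory.
# Counts are only comparable within one branch.
tree_is_patched() {
    need=$(corrected_count "$1") || return 2
    [ "$2" -ge "$need" ]
}

# kernel_is_patched VERSION: same result codes for an installed kernel,
# given the string `freebsd-version -k` prints (e.g. 15.0-RELEASE-p10).
# A version with no -pN suffix is treated as patch level 0.
kernel_is_patched() {
    case $1 in
        *-p[0-9]*) base=${1%-p*}; level=${1##*-p} ;;
        *)         base=$1;       level=0 ;;
    esac
    need=$(lookup "$CORRECTED_PATCHLEVELS" "$base") || return 2
    [ "$level" -ge "$need" ]
}

# ktls_disabled: 0 when kern.ipc.tls.enable (the sysctl from section IV)
# reads 0 on this host, i.e. the workaround is active.
ktls_disabled() {
    [ "$(sysctl -n kern.ipc.tls.enable 2>/dev/null)" = 0 ]
}

# check_running_system: report on the FreeBSD host this runs on.
check_running_system() {
    kver=$(freebsd-version -k)
    kernel_is_patched "$kver" && rc=0 || rc=$?
    case $rc in
        0) echo "kernel $kver: fix present" ;;
        2) echo "kernel $kver: not a release listed in the advisory; compare" \
                "git rev-list --count --first-parent HEAD against section VI" ;;
        *) if ktls_disabled; then
               echo "kernel $kver: fix absent, KTLS disabled (workaround active)"
           else
               echo "kernel $kver: fix absent and KTLS enabled; update, or set" \
                    "kern.ipc.tls.enable=0 now and in /etc/sysctl.conf"
           fi ;;
    esac
    return "$rc"
}
```

    Source the file and call check_running_system on the host in question.
    The sysctl set by the workaround does not survive a reboot on its own,
    which is why the message points at /etc/sysctl.conf as well; on a
    -STABLE kernel the patch level is meaningless and only the commit count
    from the tree it was built from can be compared against the table.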

    VII. References

    <URL:https://www.cve.org/CVERecord?id=CVE-2026-45257>

    The latest revision of this advisory is available at
    <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:26.ktls.asc>

    -- Sean


    --- MultiMail/Win
    * Origin: Outpost BBS * Johnson City, TN (618:618/1)