OpenBSD pledge updates, FreeBSD Foundation’s Cyber Resilience Act project, ZFS Fast Dedup and more.
Releases
No releases.
BSDSec
OpenBSD Errata: February 27, 2026 (tmppath pledge_sysctl): OpenBSD has released errata for 7.7 and 7.8 covering two issues in pledge(2): the tmppath promise and sysctl handling under pledge. The fixes address cases where a pledged process could get around restrictions it had accepted or read system information it should not see. Binary patches for amd64, arm64 and i386 are installed with syspatch(8); source patches for manual application are on the errata pages for the two releases.
FreeBSD Security Advisory FreeBSD-SA-26:05.route: A stack buffer overflow in the routing socket interface, route(4), lets an unprivileged local user crash the kernel: a crafted RTM_GET request overflows a stack buffer in rtsock_msg_buffer() by 127 bytes. The overflow clobbers the stack canary, so the kernel panics as soon as the function returns. That stops the simple case at a denial of service, but privilege escalation may be possible if the bug is chained with another kernel flaw that defeats the canary. There is no workaround. The vulnerability (CVE-2026-3038) was discovered by Adam Crosser of Praetorian Labs, and patches were released on February 24, 2026 for all supported releases (13.5, 14.3, 14.4 and 15.0); update with freebsd-update, pkg, or by patching and rebuilding the kernel.
FreeBSD Security Advisory FreeBSD-SA-26:04.jail: A flaw in the jail subsystem (CVE-2025-15576) lets a process in one jail escape its chroot by receiving a directory file descriptor from a process in another jail over a Unix domain socket. The precondition is that the two sibling jails share a nullfs-mounted directory; given that, a jailed process can end up holding a descriptor for a directory outside its own filesystem tree, and from there reach the rest of the host filesystem, which breaks the isolation jails are meant to provide. Fixes were released in February 2026 for FreeBSD 14.3 and 13.5. The patch is not the whole story: administrators must still make sure unprivileged users cannot pass descriptors into jailed processes, and exploitation needs control of processes in at least two jails that share a nullfs mount.
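A check a jail administrator can run for the precondition above, as an added example that is not part of the advisory or of FreeBSD: it reads the jail list and the mount table as text and reports every nullfs source that is visible inside two or more jails. The jail and mount tables embedded in it are constructed samples; on a live host pass the output of jls -h name path and mount -p instead.

```shell
#!/bin/sh
# Audit for the precondition in FreeBSD-SA-26:04.jail: the same nullfs
# source mounted into more than one jail root. Added example for this
# newsletter, not code from the advisory. It parses the text of
#   jls -h name path      (jail names and root paths, with a header line)
#   mount -p              (fstab-style table: device mountpoint fstype ...)
# so it runs against captured output here and against a live host when
# those commands are piped in.

# shared_nullfs JLS_TEXT MOUNT_TEXT
# Prints "<source> <jail>,<jail>,..." for every nullfs source visible in
# two or more jails. Returns 1 if any such source exists, 0 otherwise.
shared_nullfs() {
    {
        printf '%s\n' "$1"
        printf '%s\n' '--MOUNTS--'
        printf '%s\n' "$2"
    } | awk '
        $0 == "--MOUNTS--" { in_mounts = 1; next }
        # jail table: skip the header, remember roots in listed order
        !in_mounts {
            if ($1 == "name" || NF < 2) next
            jname[++nj] = $1; jroot[nj] = $2; next
        }
        # mount table: only nullfs lines matter; $1 source, $2 mountpoint
        $3 == "nullfs" {
            best = 0; blen = 0
            for (i = 1; i <= nj; i++) {
                r = jroot[i]
                # longest matching root wins, so nested jail roots resolve
                if (($2 == r || index($2, r "/") == 1) && length(r) > blen) {
                    best = i; blen = length(r)
                }
            }
            if (!best) next                      # mounted outside every jail
            if (!seen[$1, best]++) {
                if (!($1 in jails)) order[++ns] = $1
                jails[$1] = (jails[$1] == "" ? jname[best] : jails[$1] "," jname[best])
                count[$1]++
            }
        }
        END {
            bad = 0
            for (k = 1; k <= ns; k++) {
                s = order[k]
                if (count[s] >= 2) { print s, jails[s]; bad = 1 }
            }
            exit bad
        }'
}

# Constructed sample output (not from a real host): three jails, one
# source mounted into two of them, one source used by a single jail.
SAMPLE_JLS='name path
a /jails/a
b /jails/b
c /jails/c'

SAMPLE_MOUNTS='zroot/jails/a /jails/a zfs rw 0 0
/usr/local/shared /jails/a/mnt/shared nullfs rw 0 0
/usr/local/shared /jails/b/mnt/shared nullfs rw 0 0
/usr/ports /jails/c/usr/ports nullfs ro 0 0'

# Same table with the shared mount removed from jail b.
SAFE_MOUNTS='zroot/jails/a /jails/a zfs rw 0 0
/usr/local/shared /jails/a/mnt/shared nullfs rw 0 0
/usr/ports /jails/c/usr/ports nullfs ro 0 0'

# Standalone run against the sample; on a live host use
#   shared_nullfs "$(jls -h name path)" "$(mount -p)"
shared_nullfs "$SAMPLE_JLS" "$SAMPLE_MOUNTS" \
    || echo 'WARNING: nullfs source shared between jails (see above)'
```

A hit means two jails have a common directory through which a socket, and so a descriptor, can be exchanged; whether that is acceptable depends on who runs code in those jails, which is exactly the point the advisory makes about unprivileged users.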
As always, it’s worth following BSDSec. RSS feed available.
News
OpenBSD removes tmppath from pledge(2) in -current: Theo de Raadt has removed the tmppath promise from pledge(2), ending a long-standing overlap between pledge(2) and unveil(2). tmppath was a path-based exception inside pledge(2) that could never be generalised to other directories; that limitation is what led to unveil(2) in the first place, and unveil(2) now covers the case. Every use of tmppath in the base system and in third-party ports has been converted to unveil(2) on paths such as /tmp together with pledge(2) promises such as rpath wpath cpath. The change is in snapshots, and any program that still asks for tmppath now gets EINVAL from pledge(2), so developers are asked to test and report anything that was missed.
BSD Now 652 covers OpenZFS monitoring and GhostBSD’s shift to XLibre: This episode of BSD Now explores key updates in the BSD ecosystem, including a guide on OpenZFS monitoring that outlines critical metrics like pool health, performance bottlenecks, and capacity planning. The release of helloSystem 0.8 is highlighted, showcasing its macOS-inspired FreeBSD-based desktop environment with improved usability and application support. GhostBSD’s transition to XLibre as its default display server is discussed, addressing compatibility and future development goals, while a new Bhyve Prometheus exporter for FreeBSD virtualization metrics is introduced. Additionally, the show notes a decades-old security flaw in GNU LibC, recently patched after 30 years, alongside updates like NetBSD 11.0 RC1 and advancements in FreeBSD’s LLDB debugger. The episode wraps with community contributions, financial reports from GhostBSD, and a call for OmniOS/Illumos support in WebZFS.
OpenBSD’s vmd(8) converts virtio SCSI device to subprocess: Dave Voutila has further refined OpenBSD’s vmd(8) by migrating the virtio SCSI device—used primarily as a CD-ROM drive—to a subprocess model, following earlier conversions of block and network devices. This change continues the shift toward a multi-process architecture, leaving only the entropy (viornd) and vmmci devices running in-process with virtual CPUs. The modification aligns with ongoing efforts to improve isolation and modularity within the virtual machine daemon. The commit was approved by Mark Larkin (mlarkin@) and builds on work first reported in 2023. The OpenBSD CVS log provides technical details of the implementation.
FreeBSD Foundation launches Cyber Resilience Act Readiness project: The FreeBSD Foundation has initiated a 2026 Cyber Resilience Act (CRA) Readiness project to prepare for the EU’s new cybersecurity legislation, which imposes strict security requirements on commercial software manufacturers. While open source projects like FreeBSD have limited legal responsibilities under the CRA, they may face operational challenges as downstream manufacturers conduct due diligence and vulnerability reporting. The project includes six workstreams: enhancing security and vulnerability handling, developing an authoritative SBOM toolchain, creating public documentation, establishing community legislative engagement channels, maintaining a transparent project repository, and ongoing communications. The Foundation aims to ensure compliance, protect the project from disruption, and position FreeBSD to benefit from potential manufacturer partnerships while shielding contributors from legal liability.
Tutorials
Uplift Privileges on FreeBSD: This article walks through the ways a user can elevate privileges on FreeBSD: mdo(1), doas(1), sudo(8), and a small custom tool the author calls doso(1). It starts with why membership in the wheel group is the gate for administrative access, then covers the setup and use of each tool. mdo(1) builds on FreeBSD's Mandatory Access Control (MAC) framework, while doas(1), a minimalist alternative to sudo(8), makes its security argument from having far less code to audit. The article also touches on sudo-rs(8), the Rust rewrite of sudo(8), and on the equivalent tools elsewhere, pfexec(8) on Solaris and run0(1) on Linux. The author's theme is the trade-off between features and attack surface, with a preference for the simplest tool that does the job.
ZFS Fast Dedup implementation in Proxmox VE 9.x: Proxmox VE 9.x ships OpenZFS 2.3, which brings Fast Dedup: a bounded deduplication model with a DDT quota, prefetching and pruning so the dedup table cannot grow without limit. Setting it up means enabling feature@fast_dedup on the pool and setting dedup_table_quota to cap the DDT; the guide reserves ARC memory for the table and optionally places it on dedicated flash. Workload selection matters: VM templates, VDI and backups dedupe well, databases and encrypted data do not. After a reboot, zpool prefetch warms the DDT, and zpool ddtprune trims entries as workloads change; DDT size, ARC hit ratio and the dedup ratio are the figures to watch to confirm the feature is paying off.
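An added example, not from the article or from OpenZFS: a small readiness check for the two settings above, the weak state (feature disabled, no quota) beside the corrected one, run over the text of zpool get. The two pool samples are constructed; on a host, feed it the live command's output.

```shell
#!/bin/sh
# Readiness check for the Fast Dedup settings the guide calls out. Added
# example for this newsletter, not code from the article or from OpenZFS.
# It parses the text of
#   zpool get -H -o name,property,value feature@fast_dedup,dedup_table_quota <pool>...
# so it runs here against captured output and on a host by piping in the
# live command.

# check_fastdedup ZPOOL_GET_TEXT
# Prints one line per problem; returns 0 if every pool listed has
# feature@fast_dedup enabled (or active) and a dedup_table_quota, else 1.
check_fastdedup() {
    printf '%s\n' "$1" | awk '
        NF >= 3 { val[$1, $2] = $3; if (!seen[$1]++) pool[++n] = $1 }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                p = pool[i]
                f = val[p, "feature@fast_dedup"]
                q = val[p, "dedup_table_quota"]
                if (f != "enabled" && f != "active") {
                    printf "%s: feature@fast_dedup is %s; fix: zpool set feature@fast_dedup=enabled %s\n", p, (f == "" ? "not reported" : f), p
                    bad = 1
                }
                if (q == "" || q == "none") {
                    printf "%s: dedup_table_quota is %s, the DDT can grow without bound; fix: zpool set dedup_table_quota=<size> %s\n", p, (q == "" ? "not reported" : q), p
                    bad = 1
                } else if (q == "auto") {
                    # auto caps the table at the dedup vdev size, so it only
                    # limits anything when the pool has a dedicated dedup vdev
                    printf "%s: dedup_table_quota=auto; only a cap if a dedup vdev exists\n", p
                }
            }
            exit bad
        }'
}

# Constructed samples of the zpool get output (not from a real system):
# one pool configured as the guide recommends, one left at the defaults.
SAMPLE_GOOD='tank feature@fast_dedup active
tank dedup_table_quota 10737418240'

SAMPLE_BAD='vmstore feature@fast_dedup disabled
vmstore dedup_table_quota none'

# Standalone run; on a host replace the sample with
#   "$(zpool get -H -o name,property,value feature@fast_dedup,dedup_table_quota tank)"
check_fastdedup "$SAMPLE_GOOD" && echo 'tank: ready for dedup=on'
check_fastdedup "$SAMPLE_BAD" || echo 'vmstore: fix the above before setting dedup=on'
```

Run it before flipping dedup=on on a dataset: the failure case is the default pool state, which is exactly the unbounded-DDT situation the quota exists to prevent.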
Configuring dual keyboard layouts in OpenBSD: The article details a method for managing French (AZERTY) and US (ANSI) keyboard layouts simultaneously on OpenBSD across both console and Xorg environments. In the console, the wsconsctl utility assigns distinct layouts to the built-in ThinkPad keyboard (FR) and an external USB keyboard (US) via configuration in /etc/wsconsctl.conf, though this only applies outside of X11. For Xorg sessions, a unified multi-layout setup is implemented using a custom 99-keyboards.conf file, enabling layout switching with <Win> + <space> and supporting variants like “us/euro” for currency symbols and “us/alt-intl” for accented characters. The solution ensures compatibility with xenodm and Xfce’s layout switcher, while also noting alternatives like command-line application via setxkbmap. The approach is cross-compatible with FreeBSD and Slackware Linux, building on earlier experiments from 2020 and 2021.
Did we miss anything?
This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.
Do you have an OSS BSD-related project that you would like to showcase in BSD Weekly? Reply to sender and we can showcase you as a sponsor of an issue (for free).
Do you know anyone who would like this newsletter? Consider forwarding and tell them to subscribe.
Thanks for reading and see you next week! Stay safe!