FreeBSD security fixes for libnv, dhclient, and pf vulnerabilities, NetBSD GSoC 2026 projects announced, and ZFS Fast Dedup storage optimization insights and more.

Releases

No releases.

BSDSec

FreeBSD Errata Notice FreeBSD-EN-26:12.freebsd-update: FreeBSD Errata Notice FreeBSD-EN-26:12 addresses a source code inconsistency between the freebsd-update utility, errata/security advisories, and the authoritative Git repository. The issue arose due to manual patch management, where freebsd-update occasionally distributed outdated or incomplete patches compared to Git, such as an incorrect version of the SA-26:11.amd64 patch. Systems using pkgbase or built directly from Git were unaffected, as they pull from the authoritative source. The fix modifies freebsd-update to retrieve source directly from Git, ensuring alignment across all update methods. Affected systems should apply updates via freebsd-update, source patches, or rebuild from Git to resolve discrepancies in test files and ancillary tooling.

FreeBSD Errata Notice FreeBSD-EN-26:11.dhclient: FreeBSD Errata Notice FreeBSD-EN-26:11.dhclient addresses an issue where a previous security patch for dhclient(8) introduced overly strict validation of the boot file DHCP option, causing valid leases—particularly those with Windows-style paths—to be incorrectly rejected. The problem stems from validation logic that was intended to prevent unescaped values in lease files but became too restrictive. All supported FreeBSD versions, including the newly end-of-life 13.5 branch, received corrections via updates to stable and release branches dated April–May 2026. No workaround exists, but affected systems can be fixed by upgrading through pkg, freebsd-update, or source patches.

FreeBSD Security Advisory FreeBSD-SA-26:17.libnv: A heap overflow vulnerability was discovered in FreeBSD’s libnv library, which handles name-value pair storage and inter-process communication. The flaw stems from improper validation of incoming message headers, allowing malicious programs to write outside allocated heap memory boundaries. Exploitation could lead to system crashes, kernel panics, or potential privilege escalation by unprivileged users. The issue affects all supported FreeBSD versions and was patched on April 29, 2026, across branches 13.5, 14.3/14.4, and 15.0. No workaround exists, requiring users to update via package managers, binary distributions, or source patches, with specific instructions provided for each method. The vulnerability is tracked as CVE-2026-35547.

FreeBSD Security Advisory FreeBSD-SA-26:16.libnv: FreeBSD Security Advisory FreeBSD-SA-26:16.libnv details a stack overflow flaw in the libnv library, which handles name-value pair storage and inter-process communication. The issue arises when libnv uses the select(2) system call without validating whether the provided socket descriptor exceeds the FD_SETSIZE limit of 1024, potentially leading to stack corruption. An attacker could exploit this by forcing a libnv-based application to allocate large file descriptors, enabling privilege escalation if the target is setuid-root. The vulnerability, assigned CVE-2026-39457, affects all supported FreeBSD versions and was patched on April 29, 2026, across multiple release branches. No workaround exists, requiring users to apply binary or source patches followed by a system reboot.

FreeBSD Security Advisory FreeBSD-SA-26:15.dhclient: A heap buffer overflow flaw in FreeBSD’s dhclient (CVE-2026-42512) allows attackers on the same broadcast domain to crash the DHCP client or potentially execute arbitrary code via maliciously crafted packets. The vulnerability stems from incorrect memory allocation when expanding environment variable arrays passed to dhclient-script during DHCP offer processing. All supported FreeBSD versions are affected, with patches released for branches 13.5, 14.3/14.4, and 15.0. While no workaround exists, network administrators can mitigate risk by implementing DHCP snooping to block rogue servers. Updates are available through pkg, freebsd-update, or manual source patches, with corrected commits documented in the advisory.

FreeBSD Security Advisory FreeBSD-SA-26:14.pf: FreeBSD Security Advisory FreeBSD-SA-26:14.pf addresses a stack overflow flaw in the pf packet filter when processing maliciously crafted SCTP packets. The vulnerability arises from incorrect packet validation that permits unbounded recursion while parsing SCTP chunk parameters, potentially causing a system panic. All supported FreeBSD versions are affected, and no workaround exists beyond disabling pf entirely. Corrections were issued on April 29, 2026, across multiple branches (15.0, 14.4, 14.3, and 13.5), with patches and upgrade instructions provided for base system packages, binary distributions, and source code. The advisory assigns CVE-2026-7164 to this issue and emphasizes that only systems with pf enabled are vulnerable.

FreeBSD Security Advisory FreeBSD-SA-26:12.dhclient: A critical vulnerability in FreeBSD’s dhclient allows remote code execution via unescaped double-quotes in the BOOTP file field of DHCP responses. When a system running dhclient processes a malicious lease file—such as after a reboot—the injected directives are executed with root privileges. The flaw, discovered by Joshua Rogers of AISLE Research Team, affects all supported FreeBSD versions and requires no user interaction, though exploitation depends on the attacker controlling a rogue DHCP server on the same broadcast domain. Patches and updated packages were released on April 29, 2026, with no known workarounds beyond disabling dhclient or implementing DHCP snooping on network switches. Systems not using dhclient are unaffected.

FreeBSD Errata Notice FreeBSD-EN-26:08.pf: The FreeBSD Project issued an errata notice for a flaw in the pf packet filter affecting FreeBSD 15.0, where automatic table creation led to incorrect duplicate rule detection. The issue caused pf to silently drop rules with matching hashes, potentially resulting in a kernel ruleset that did not match the configured ruleset. This could lead to unexpected behavior in firewall configurations. The problem was corrected in stable/15 and releng/15.0 branches, with patches available for manual application. Workarounds include disabling ruleset optimization or manually creating tables to avoid automatic generation.

FreeBSD Errata Notice FreeBSD-EN-26:10.amd64: FreeBSD-EN-26:10.amd64 details a bug in Translation Lookaside Buffer (TLB) invalidation on AMD systems using the INVLPGB instruction, which may fail to invalidate 4K memory pages when required. The issue arises because FreeBSD’s implementation incorrectly relies on a bit in the INVLPGB operand to invalidate 2M entries, while the hardware ignores this bit and uses the underlying page size instead. This can lead to kernel memory corruption, often causing system panics, particularly in workloads involving heavy use of kqueue(2) or large file descriptor tables. The errata affects FreeBSD 14.3 and later versions on AMD64 platforms, with corrections applied to stable/15, releng/15.0, stable/14, releng/14.4, and releng/14.3 branches. A workaround involves disabling INVLPGB via the vm.pmap.invlpgb_works=0 setting in /boot/loader.conf, while permanent fixes require upgrading to patched releases or applying source patches.

FreeBSD Errata Notice FreeBSD-EN-26:09.tzdata: The FreeBSD Project released an errata notice addressing updates to the IANA Time Zone Database (zoneinfo) across all supported versions of FreeBSD. The changes reflect political adjustments to time zone boundaries, UTC offsets, and daylight-saving rules, which could cause incorrect system time displays if left unpatched. Affected systems include FreeBSD 13.5, 14.3, 14.4, and 15.0, with corrections applied between March and April 2026. Administrators can mitigate the issue by updating via pkg upgrade, freebsd-update, or manual patching, though third-party software like PHP or Python may require separate updates. The notice references IANA’s 2026a and 2026b database revisions for further technical details.

As always, it’s worth following BSDSec. RSS feed available.

News

NetBSD joins Google Summer of Code 2026 with five new projects: The NetBSD Foundation has announced its participation in Google Summer of Code 2026 with five selected projects covering network security, desktop environments, storage, compatibility testing, and wireless drivers. Contributors will work on improving the racoon2 IKE daemon, porting the Enlightenment desktop, enhancing RAIDframe, testing Linux syscall compatibility, and migrating a Wi-Fi driver to NetBSD’s updated stack. The community bonding period runs from May 1 to May 24, during which participants will collaborate with mentors to finalize project goals. This initiative continues NetBSD’s tradition of engaging with open-source developers through mentored programs.

NetBSD GSoC 2025 introduces Linux-like namespaces for improved sandboxing: A Google Summer of Code 2025 project implemented early-stage Linux-like namespace support in NetBSD to enable process isolation, focusing on UTS (hostname/domain) and mount namespaces. The work leverages NetBSD’s kauth and secmodel frameworks to manage namespace lifecycle and isolation, with UTS namespace fully functional and mount namespace partially implemented. Challenges included semantic differences between Linux and NetBSD (e.g., unmount behavior) and the need for deep VFS modifications, while future plans target PID and user namespaces for full process isolation. The project initially aimed to support bubblewrap via compat_linux but pivoted to native kernel implementation, with code available on GitHub under the gsoc-bubblewrap branch. Mentors and the NetBSD community provided guidance, though the effort highlighted the complexity of adapting Linux concepts to NetBSD’s architecture.

NetBSD developer shares GSoC 2025 Mentor Summit experience in Munich: Leonardo Taccari documented his attendance at the Google Summer of Code (GSoC) 2025 Mentor Summit in Munich, marking his first in-person participation after nearly a decade of involvement with NetBSD’s GSoC projects. The three-day event brought together 185 mentors from 133 organizations, featuring unconference-style sessions, lightning talks, and networking opportunities. Key discussions included AI’s role in open source (noting NetBSD’s policy against LLM-generated code due to copyright risks), improving diversity in FOSS communities, and strategies for combating spammy GSoC proposals. Taccari highlighted social events like the chocolate room (showcasing global sweets) and a scavenger hunt, alongside technical sessions on supply chain security (SBOM, CPE) and vintage computing. He also recounted travel experiences, from scenic train rides through the Alps to local Munich breweries and a stop in Bolzano. The summit reinforced GSoC’s mission to onboard new contributors while fostering collaboration among mentors, with Taccari emphasizing the value of face-to-face interactions in strengthening open-source communities.

Tutorials

Fast Dedup Economics in ZFS Storage: ZFS deduplication has evolved significantly with the Fast Dedup feature, making it a viable alternative to simply adding more disks for storage expansion. Historically, deduplication in ZFS was avoided due to performance penalties and high RAM requirements for maintaining the Deduplication Table (DDT). Modern OpenZFS implementations, however, have mitigated these issues through asynchronous metadata updates, improved caching, and the use of fast NVMe devices for DDT storage, reducing the need for excessive RAM. This allows deduplication to efficiently collapse redundant data across datasets, particularly in environments like virtual machine storage, backup repositories, and container registries where duplication is high. While deduplication introduces tradeoffs such as potential read fragmentation and metadata overhead, its economic benefits—such as deferring hardware expansion and optimizing existing capacity—often outweigh these concerns, especially when duplication ratios exceed 3:1. The decision to implement deduplication depends on workload characteristics, hardware design, and the balance between storage savings and performance impact.

Did we miss anything?

This newsletter is made from your content on DiscoverBSD and BSDSec. Submit the stuff we missed so it can appear next time.

Do you have an OSS BSD-related project that you would like to showcase in BSD Weekly? Reply to sender and we can showcase you as a sponsor of an issue (for free).

Do you know anyone who would like this newsletter? Consider forwarding and tell them to subscribe.

Thanks for reading and see you next week! Stay safe!