The FreeBSD Project published multiple FreeBSD security advisories today. These warnings expose critical flaws in OpenZFS, libalias, TCP RACK, and POSIX shared memory. Consequently, attackers could gain remote code execution or escalate local privileges.
Why It Matters
Therefore, servers running vulnerable FreeBSD versions face severe risks. A remote attacker could take full control of a NAT gateway. They achieve this using crafted RTSP traffic. Additionally, local users can escalate their privileges to root access. These exploits compromise data integrity and system availability. System administrators must prioritize these patches. Unpatched systems offer an open door to attackers. Network address translation services are especially vulnerable. Thus, a successful breach could expose entire internal networks.
How the Attack Works
Four distinct mechanisms cause these vulnerabilities. First, the libalias RTSP handler suffers a buffer overflow. This bug is tracked as CVE-2026-49420. Specifically, the handler writes rewritten packets into a fixed-length stack buffer. It fails to check if the data actually fits.
Second, OpenZFS contains several serious flaws. Two notable ones are CVE-2026-49429 and CVE-2026-49430. Certain input controls truncate 64-bit buffer sizes. They reduce these sizes to 32-bit integers during memory allocation. However, they use the original 64-bit size for memory writing. Consequently, this size mismatch triggers kernel heap overflows.
TCP and Memory Issues
Third, the TCP RACK stack contains a use-after-free bug. This flaw is known as CVE-2026-49422. Initially, the option handler drops a connection lock. It does this to copy user data from userspace. Then, it reacquires the lock but fails to reload a specific pointer. Subsequently, switching stacks rapidly during this window leaves a stale memory pointer.
Finally, POSIX largepage objects handle memory poorly. The system frees underlying memory pages incorrectly. This happens when using the sendfile command with a specific flag. Meanwhile, active mappings still point to the freed memory. Therefore, local attackers can access this freed kernel memory.
Exploitation Status
Currently, no active exploitation in the wild is confirmed. Furthermore, public proof-of-concept exploits do not exist yet. Affected install counts remain unknown at this time.
Affected Versions
These flaws impact all supported versions of the operating system. Specifically, the vulnerable branches include the 15.x and 14.x release series. Systems without the specific modules loaded remain safe. Systems using ZFS delegation features face the highest risk for the storage bugs.
Patch or Mitigation Steps
Administrators should upgrade systems to a patched release branch immediately. The FreeBSD team released source code patches and binary updates. You can view the full details on the official FreeBSD security advisories page. If patching libalias is impossible, remove the media library from your configuration. Restart the NAT daemon to apply changes. Also, ensure the optional TCP module remains unloaded. Disabling this module fully mitigates the TCP flaw. Finally, removing unprivileged ZFS access acts as a temporary mitigation.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.