FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-03-27 18:04:16 UTC


k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID / Description
VuXML ID: 0844632f-5e78-11e6-a6c3-14dae9d210b8
FreeBSD -- integer overflow in IP_MSFILTER

Problem Description:

An integer overflow in computing the size of a temporary buffer can result in a buffer which is too small for the requested operation.

Impact:

An unprivileged process can read or write pages of memory which belong to the kernel. These may lead to exposure of sensitive information or allow privilege escalation.


Discovery 2013-08-22
Entry 2016-08-09
FreeBSD-kernel
ge 9.1 lt 9.1_6

ge 8.4 lt 8.4_3

ge 8.3 lt 8.3_10

CVE-2013-3077
SA-13:09.ip_multicast
VuXML ID: 0a5cf6d8-600a-11e6-a6c3-14dae9d210b8
FreeBSD -- SCTP SCTP_SS_VALUE kernel memory corruption and disclosure

Problem Description:

Due to insufficient validation of the SCTP stream ID, which serves as an array index, a local unprivileged attacker can read or write 16 bits of kernel memory.

Impact:

An unprivileged process can read or modify 16 bits of memory which belong to the kernel. This may lead to exposure of sensitive information or allow privilege escalation.


Discovery 2015-01-27
Entry 2016-08-11
FreeBSD-kernel
ge 10.1 lt 10.1_5

ge 10.0 lt 10.0_17

ge 9.3 lt 9.3_9

ge 8.4 lt 8.4_23

CVE-2014-8612
SA-15:02.kmem
VuXML ID: 0aad3ce5-600a-11e6-a6c3-14dae9d210b8
FreeBSD -- SCTP stream reset vulnerability

Problem Description:

The input validation of received SCTP RE_CONFIG chunks is insufficient, and can result in a NULL pointer dereference later.

Impact:

A remote attacker who can send a malformed SCTP packet to a FreeBSD system that serves SCTP can cause a kernel panic, resulting in a Denial of Service.


Discovery 2015-01-27
Entry 2016-08-11
FreeBSD-kernel
ge 10.1 lt 10.1_5

ge 10.0 lt 10.0_17

ge 9.3 lt 9.3_9

ge 8.4 lt 8.4_23

CVE-2014-8613
SA-15:03.sctp
VuXML ID: 0afe8b29-600a-11e6-a6c3-14dae9d210b8
FreeBSD -- Integer overflow in IGMP protocol

Problem Description:

An integer overflow in computing the size of an IGMPv3 data buffer can result in a buffer which is too small for the requested operation.

Impact:

An attacker who can send specifically crafted IGMP packets could cause a denial of service situation by causing the kernel to crash.


Discovery 2015-02-25
Entry 2016-08-11
FreeBSD-kernel
ge 10.1 lt 10.1_9

ge 9.3 lt 9.3_13

ge 8.4 lt 8.4_27

CVE-2015-1414
SA-15:04.igmp
VuXML ID: 0bb55a18-600a-11e6-a6c3-14dae9d210b8
FreeBSD -- Denial of Service with IPv6 Router Advertisements

Problem Description:

The Neighbor Discovery Protocol allows a local router to advertise a suggested Current Hop Limit value for a link, which replaces the Current Hop Limit on the FreeBSD system's interface connected to that link.

Impact:

When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets may get dropped before they reach their destinations.

By sending specifically crafted Router Advertisement packets, an attacker on the local network can cause the FreeBSD system to lose the ability to communicate with another IPv6 node on a different network.


Discovery 2015-04-07
Entry 2016-08-11
FreeBSD-kernel
ge 10.1 lt 10.1_9

ge 9.3 lt 9.3_13

ge 8.4 lt 8.4_27

CVE-2015-2923
SA-15:09.ipv6
VuXML ID: 0bfcae0b-947f-11ea-92ab-00163e433440
FreeBSD -- Insufficient cryptodev MAC key length check

Problem Description:

Requests to create cryptography sessions using a MAC did not validate the user-supplied MAC key length. The cryptodev module allocates a buffer whose size is this user-supplied length.

Impact:

An unprivileged process can trigger a kernel panic.


Discovery 2020-01-20
Entry 2020-05-12
FreeBSD-kernel
ge 12.1 lt 12.1_5

CVE-2019-15879
SA-20:15.cryptodev
VuXML ID: 0c064c43-600a-11e6-a6c3-14dae9d210b8
FreeBSD -- Resource exhaustion due to sessions stuck in LAST_ACK state

Problem Description:

TCP connections transitioning to the LAST_ACK state can become permanently stuck due to mishandling of protocol state in certain situations, which in turn can lead to accumulated consumption and eventual exhaustion of system resources, such as mbufs and sockets.

Impact:

An attacker who can repeatedly establish TCP connections to a victim system (for instance, a Web server) could create many TCP connections that are stuck in LAST_ACK state and cause resource exhaustion, resulting in a denial of service condition. This may also happen in normal operation where no intentional attack is conducted, but an attacker who can send specifically crafted packets can trigger this more reliably.


Discovery 2015-07-21
Entry 2016-08-11
FreeBSD-kernel
ge 10.1 lt 10.1_15

ge 9.3 lt 9.3_20

ge 8.4 lt 8.4_34

CVE-2015-5358
SA-15:13.tcp
VuXML ID: 0cb9d5bb-600a-11e6-a6c3-14dae9d210b8
FreeBSD -- Resource exhaustion in TCP reassembly

Problem Description:

A mistake was introduced along with VNET, which converted the global limit on the number of segments that may belong to reassembly queues into a per-VNET limit. Because mbufs are allocated from a global pool, in the presence of a sufficient number of VNETs the total number of mbufs attached to reassembly queues can grow to the total number of mbufs in the system, at which point all network traffic would cease.

Impact:

An attacker who can establish concurrent TCP connections across a sufficient number of VNETs and manipulate the inbound packet streams such that the maximum number of mbufs are enqueued on each reassembly queue can cause mbuf cluster exhaustion on the target system, resulting in a Denial of Service condition.

As the default per-VNET limit on the number of segments that can belong to reassembly queues is 1/16 of the total number of mbuf clusters in the system, only systems that have 16 or more VNET instances are vulnerable.


Discovery 2015-07-28
Entry 2016-08-11
FreeBSD-kernel
ge 10.1 lt 10.1_16

ge 9.3 lt 9.3_21

ge 8.4 lt 8.4_35

CVE-2015-1417
SA-15:15.tcp
VuXML ID: 0cc7e547-6a0a-11ea-92ab-00163e433440
FreeBSD -- Incorrect user-controlled pointer use in epair

Problem Description:

Incorrect use of a potentially user-controlled pointer in the kernel allowed vnet jailed users to panic the system and potentially execute arbitrary code in the kernel.

Impact:

Users with root level access (or the PRIV_NET_IFCREATE privilege) can panic the system, or potentially escape the jail or execute arbitrary code with kernel privileges.


Discovery 2020-03-19
Entry 2020-03-19
FreeBSD-kernel
ge 12.1 lt 12.1_3

ge 11.3 lt 11.3_7

CVE-2020-7452
SA-20:07.epair
VuXML ID: 0d3f99f7-b30c-11e9-a87f-a4badb2f4699
FreeBSD -- File description reference count leak

Problem Description:

If a process attempts to transmit rights over a UNIX-domain socket and an error causes the attempt to fail, references acquired on the rights are not released and are leaked. This bug can be used to cause the reference counter to wrap around and free the corresponding file structure.

Impact:

A local user can exploit the bug to gain root privileges or escape from a jail.


Discovery 2019-07-24
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_8

ge 11.2 lt 11.2_12

ge 11.3 lt 11.3_1

CVE-2019-5607
SA-19:17.fd
VuXML ID: 0dfa5dde-600a-11e6-a6c3-14dae9d210b8
FreeBSD -- Local privilege escalation in IRET handler

Problem Description:

If the kernel-mode IRET instruction generates an #SS or #NP exception, but the exception handler does not properly ensure that the right GS register base for kernel is reloaded, the userland GS segment may be used in the context of the kernel exception handler.

Impact:

By causing an IRET with #SS or #NP exceptions, a local attacker can cause the kernel to use an arbitrary GS base, which may allow escalated privileges or panic the system.


Discovery 2015-08-25
Entry 2016-08-11
FreeBSD-kernel
ge 10.1 lt 10.1_19

ge 9.3 lt 9.3_24

CVE-2015-5675
SA-15:21.amd64
VuXML ID: 0e06013e-6a06-11ea-92ab-00163e433440
FreeBSD -- TCP IPv6 SYN cache kernel information disclosure

Problem Description:

When a TCP server transmits or retransmits a TCP SYN-ACK segment over IPv6, the Traffic Class field is not initialized. This also applies to challenge ACK segments, which are sent in response to received RST segments during the TCP connection setup phase.

Impact:

For each TCP SYN-ACK (or challenge TCP-ACK) segment sent over IPv6, one byte of kernel memory is transmitted over the network.


Discovery 2020-03-19
Entry 2020-03-19
FreeBSD-kernel
ge 12.1 lt 12.1_3

ge 11.3 lt 11.3_7

CVE-2020-7451
SA-20:04.tcp
VuXML ID: 13d37672-9791-11eb-b87a-901b0ef719ab
FreeBSD -- Memory disclosure by stale virtual memory mapping

Problem Description:

A particular case of memory sharing is mishandled in the virtual memory system. It is possible and legal to establish a relationship where multiple descendant processes share a mapping which shadows memory of an ancestor process. In this scenario, when one process modifies memory through such a mapping, the copy-on-write logic fails to invalidate other mappings of the source page. These stale mappings may remain even after the mapped pages have been reused for another purpose.

Impact:

An unprivileged local user process can maintain a mapping of a page after it is freed, allowing that process to read private data belonging to other processes or the kernel.


Discovery 2021-04-06
Entry 2021-04-07
FreeBSD-kernel
ge 12.2 lt 12.2_6

ge 11.4 lt 11.4_9

CVE-2021-29626
SA-21:08.vm
VuXML ID: 14a3b376-b30a-11e9-a87f-a4badb2f4699
FreeBSD -- Privilege escalation in cd(4) driver

Problem Description:

To implement one particular ioctl, the Linux emulation code used a special interface present in the cd(4) driver which allows it to copy subchannel information directly to a kernel address. This interface was erroneously made accessible to userland, allowing users with read access to a cd(4) device to arbitrarily overwrite kernel memory when some media is present in the device.

Impact:

A user in the operator group can make use of this interface to gain root privileges on a system with a cd(4) device when some media is present in the device.


Discovery 2019-07-02
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_7

ge 11.2 lt 11.2_11

CVE-2019-5602
SA-19:11.cd_ioctl
VuXML ID: 2310b814-a652-11e8-805b-a4badb2f4699
FreeBSD -- L1 Terminal Fault (L1TF) Kernel Information Disclosure

Problem Description:

On certain Intel 64-bit x86 systems there is a period of time during terminal fault handling where the CPU may use speculative execution to try to load data. The CPU may speculatively access the level 1 data cache (L1D). Data which would otherwise be protected may then be determined by using side channel methods.

This issue affects bhyve on FreeBSD/amd64 systems.

Impact:

An attacker executing user code, or kernel code inside of a virtual machine, may be able to read secret data from the kernel or from another virtual machine.


Discovery 2018-08-14
Entry 2018-08-22
FreeBSD-kernel
ge 11.2 lt 11.2_2

ge 11.1 lt 11.1_13

CVE-2018-3620
CVE-2018-3646
SA-18:09.l1tf
VuXML ID: 253486f5-947d-11ea-92ab-00163e433440
FreeBSD -- Improper checking in SCTP-AUTH shared key update

Problem Description:

The SCTP layer does improper checking when an application tries to update a shared key. Therefore an unprivileged local user can trigger a use-after-free situation, for example by specific sequences of updating shared keys and closing the SCTP association.

Impact:

Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.


Discovery 2019-09-19
Entry 2020-05-12
FreeBSD-kernel
ge 11.3 lt 11.3_9

CVE-2019-15878
SA-20:14.sctp
VuXML ID: 27d39055-b61b-11ec-9ebc-1c697aa5a594
FreeBSD -- Potential jail escape vulnerabilities in netmap

Problem Description:

The total size of the user-provided nmreq to nmreq_copyin() was first computed and then trusted during the copyin. This time-of-check to time-of-use bug could lead to kernel memory corruption. [CVE-2022-23084]

A user-provided integer option was passed to nmreq_copyin() without checking if it would overflow. This insufficient bounds checking could lead to kernel memory corruption. [CVE-2022-23085]

Impact:

On systems configured to include netmap in their devfs_ruleset, a privileged process running in a jail can affect the host environment.


Discovery 2022-04-06
Entry 2022-04-07
FreeBSD-kernel
ge 13.0 lt 13.0_11

ge 12.3 lt 12.3_5

CVE-2022-23084
CVE-2022-23085
SA-22:04.netmap
VuXML ID: 2c5b9cd7-f7e6-11ea-88f8-901b0ef719ab
FreeBSD -- bhyve privilege escalation via VMCS access

Problem Description:

AMD and Intel CPUs support hardware virtualization using specialized data structures that control various aspects of guest operation. These are the Virtual Machine Control Structure (VMCS) on Intel CPUs, and the Virtual Machine Control Block (VMCB) on AMD CPUs. Insufficient access controls allow root users, including those running in a jail, to change these data structures.

Impact:

An attacker with host root access (including to a jailed bhyve instance) can use this vulnerability to achieve kernel code execution.


Discovery 2020-09-15
Entry 2020-09-16
FreeBSD-kernel
ge 12.1 lt 12.1_10

ge 11.4 lt 11.4_4

ge 11.3 lt 11.3_14

CVE-2020-24718
SA-20:28.bhyve_vmcs
VuXML ID: 30ce591c-947b-11ea-92ab-00163e433440
FreeBSD -- Insufficient packet length validation in libalias

Problem Description:

libalias(3) packet handlers do not properly validate the packet length before accessing the protocol headers. As a result, when a libalias(3) module accesses a protocol header without that validation, an out-of-bounds read or write can occur.

Impact:

A malicious attacker could send specially constructed packets that exploit the lack of validation allowing the attacker to read or write memory either from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).


Discovery 2020-05-12
Entry 2020-05-12
FreeBSD-kernel
ge 12.1 lt 12.1_5

ge 11.4 lt 11.4_1

ge 11.3 lt 11.3_9

CVE-2020-7454
SA-20:12.libalias
VuXML ID: 31ad2f10-7711-11eb-b87a-901b0ef719ab
FreeBSD -- jail_remove(2) fails to kill all jailed processes

Problem Description:

Due to a race condition in the jail_remove(2) implementation, it may fail to kill some of the processes.

Impact:

A process running inside a jail can avoid being killed during jail termination. If a jail is subsequently started with the same root path, a lingering jailed process may be able to exploit the window during which a devfs filesystem is mounted but the jail's devfs ruleset has not been applied, to access device nodes which are ordinarily inaccessible. If the process is privileged, it may be able to escape the jail and gain full access to the system.


Discovery 2021-02-24
Entry 2021-02-25
FreeBSD-kernel
ge 12.2 lt 12.2_4

ge 11.4 lt 11.4_8

CVE-2020-25581
SA-21:04.jail_remove
VuXML ID: 32c92a75-aa71-11ea-92ab-00163e433440
FreeBSD -- USB HID descriptor parsing error

Problem Description:

If the push/pop level of the USB HID state is not restored within the processing of the same HID item, an invalid memory location may be used for subsequent HID item processing.

Impact:

An attacker with physical access to a USB port may be able to use a specially crafted USB device to gain kernel or user-space code execution.


Discovery 2020-06-03
Entry 2020-06-09
FreeBSD-kernel
ge 12.1 lt 12.1_6

ge 11.3 lt 11.3_10

CVE-2020-7456
SA-20:17.usb
VuXML ID: 33edcc56-83f2-11ea-92ab-00163e433440
FreeBSD -- ipfw invalid mbuf handling

Problem Description:

Incomplete packet data validation may result in accessing out-of-bounds memory (CVE-2019-5614) or in accessing memory after it has been freed (CVE-2019-15874).

Impact:

Access to out of bounds or freed mbuf data can lead to a kernel panic or other unpredictable results.


Discovery 2020-04-21
Entry 2020-04-21
FreeBSD-kernel
ge 12.1 lt 12.1_4

ge 11.3 lt 11.3_8

CVE-2019-5614
CVE-2019-15874
SA-20:10.ipfw
VuXML ID: 34a3f9b5-dab3-11e7-b5af-a4badb2f4699
FreeBSD -- Kernel data leak via ptrace(PT_LWPINFO)

Problem Description:

Not all information in the struct ptrace_lwpinfo is relevant for the state of any thread, and the kernel does not fill the irrelevant bytes or short strings. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information of the kernel stack of the thread is possible from the debugger.

Impact:

Some bytes from the kernel stack of a thread can be observed in userspace via the ptrace(PT_LWPINFO) call.


Discovery 2017-11-15
Entry 2017-12-06
FreeBSD-kernel
ge 11.1 lt 11.1_4

ge 11.0 lt 11.0_15

ge 10.4 lt 10.4_3

ge 10.3 lt 10.3_24

CVE-2017-1086
SA-17:08.ptrace
VuXML ID: 359e1548-a652-11e8-805b-a4badb2f4699
FreeBSD -- Resource exhaustion in IP fragment reassembly

Problem Description:

A researcher has notified us of a DoS attack applicable to another operating system. While FreeBSD may not be vulnerable to that exact attack, we have identified several places where inadequate DoS protection could allow an attacker to consume system resources.

It is not necessary that the attacker be able to establish two-way communication to carry out these attacks. These attacks impact both IPv4 and IPv6 fragment reassembly.

Impact:

In the worst case, an attacker could send a stream of crafted fragments with a low packet rate which would consume a substantial amount of CPU.

Other attack vectors allow an attacker to send a stream of crafted fragments which could consume a large amount of CPU or all available mbuf clusters on the system.

These attacks could temporarily render a system unreachable through network interfaces or temporarily render a system unresponsive. The effects of the attack should clear within 60 seconds after the attack stops.


Discovery 2018-08-14
Entry 2018-08-22
FreeBSD-kernel
ge 11.2 lt 11.2_2

ge 11.1 lt 11.1_13

CVE-2018-6923
SA-18:10.ip
VuXML ID: 3c10ccdf-6a09-11ea-92ab-00163e433440
FreeBSD -- Insufficient oce(4) ioctl(2) privilege checking

Problem Description:

The driver-specific ioctl(2) command handlers in oce(4) failed to check whether the caller has sufficient privileges to perform the corresponding operation.

Impact:

The oce(4) handler permits unprivileged users to send passthrough commands to device firmware.


Discovery 2020-03-19
Entry 2020-03-19
FreeBSD-kernel
ge 12.1 lt 12.1_3

ge 11.3 lt 11.3_7

CVE-2019-15876
SA-20:05.if_oce_ioctl
VuXML ID: 3c2eea8c-99bf-11e8-8bee-a4badb2f4699
FreeBSD -- Resource exhaustion in TCP reassembly

Problem Description:

One of the data structures that holds TCP segments uses an inefficient algorithm to reassemble the data. This causes the CPU time spent on segment processing to grow linearly with the number of segments in the reassembly queue.

Impact:

An attacker who has the ability to send TCP traffic to a victim system can degrade the victim system's network performance and/or consume excessive CPU by exploiting the inefficiency of TCP reassembly handling, with relatively small bandwidth cost.


Discovery 2018-08-06
Entry 2018-08-06
FreeBSD-kernel
ge 11.2 lt 11.2_1

ge 11.1 lt 11.1_12

ge 10.4 lt 10.4_10

CVE-2018-6922
SA-18:08.tcp
VuXML ID: 3d02520d-b309-11e9-a87f-a4badb2f4699
FreeBSD -- IPv6 fragment reassembly panic in pf(4)

Problem Description:

A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of from the first packet.

Impact:

Malicious IPv6 packets with different IPv6 extensions could cause a kernel panic or potentially a filtering rule bypass.


Discovery 2019-05-14
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_4

ge 11.2 lt 11.2_10

CVE-2019-5597
SA-19:05.pf
VuXML ID: 41d2f3e6-f680-11e9-a87f-a4badb2f4699
FreeBSD -- ICMPv6 / MLDv2 out-of-bounds memory access

Problem Description:

The ICMPv6 input path incorrectly handles cases where an MLDv2 listener query packet is internally fragmented across multiple mbufs.

Impact:

A remote attacker may be able to cause an out-of-bounds read or write that may cause the kernel to attempt to access an unmapped page and subsequently panic.


Discovery 2019-08-06
Entry 2019-10-24
FreeBSD-kernel
ge 12.0 lt 12.0_9

ge 11.3 lt 11.3_2

ge 11.2 lt 11.2_13

CVE-2019-5608
SA-19:19.mldv2
VuXML ID: 499b22a3-f680-11e9-a87f-a4badb2f4699
FreeBSD -- Insufficient validation of guest-supplied data (e1000 device)

Problem Description:

The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.

When TCP segmentation offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to determine the size of the on-stack buffer without validation. The subsequent header generation could overflow an incorrectly sized buffer or indirect a pointer composed of stack garbage.

Impact:

A misbehaving bhyve guest could overwrite memory in the bhyve process on the host.


Discovery 2019-08-06
Entry 2019-10-24
FreeBSD-kernel
ge 12.0 lt 12.0_9

ge 11.3 lt 11.3_2

ge 11.2 lt 11.2_13

CVE-2019-5609
SA-19:21.bhyve
VuXML ID: 4d3d4f64-f680-11e9-a87f-a4badb2f4699
FreeBSD -- IPv6 remote Denial-of-Service

Problem Description:

Due to a missing check in the code of m_pulldown(9), the data returned may not be contiguous as requested by the caller.

Impact:

Extra checks in the IPv6 code catch the error condition and trigger a kernel panic leading to a remote DoS (denial-of-service) attack with certain Ethernet interfaces. At this point it is unknown if any other than the IPv6 code paths can trigger a similar condition.


Discovery 2019-08-20
Entry 2019-10-24
FreeBSD-kernel
ge 12.0 lt 12.0_10

ge 11.3 lt 11.3_3

ge 11.2 lt 11.2_14

CVE-2019-5611
SA-19:22.mbuf
VuXML ID: 4e07d94f-75a5-11e8-85d1-a4badb2f4699
FreeBSD -- Lazy FPU State Restore Information Disclosure

Problem Description:

A subset of Intel processors can allow a local thread to infer data from another thread through a speculative execution side channel when Lazy FPU state restore is used.

Impact:

Any local thread can potentially read FPU state information from other threads running on the host. This could include cryptographic keys when the AES-NI CPU feature is present.


Discovery 2018-06-21
Entry 2018-06-21
FreeBSD-kernel
ge 11.1 lt 11.1_11

CVE-2018-3665
SA-18:07.lazyfpu
VuXML ID: 5027b62e-f680-11e9-a87f-a4badb2f4699
FreeBSD -- kernel memory disclosure from /dev/midistat

Problem Description:

The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer.

Impact:

The races allow a program to read kernel memory within a 4GB window centered at midistat's data buffer. The buffer is allocated each time the device is opened, so an attacker is not limited to a static 4GB region of memory.

On 32-bit platforms, an attempt to trigger the race may cause a page fault in kernel mode, leading to a panic.


Discovery 2019-08-20
Entry 2019-10-24
FreeBSD-kernel
ge 12.0 lt 12.0_10

ge 11.3 lt 11.3_3

ge 11.2 lt 11.2_14

CVE-2019-5612
SA-19:23.midi
VuXML ID: 51d1282d-420e-11e7-82c5-14dae9d210b8
FreeBSD -- ipfilter(4) fragment handling panic

Problem Description:

ipfilter(4), capable of stateful packet inspection using the "keep state" or "keep frags" rule options, will not only maintain the state of connections, such as TCP streams or UDP communication, it also maintains the state of fragmented packets. When packet fragments are received they are cached in a hash table (and linked list). When a fragment is received it is compared with the fragments already cached in the hash table for a match. If it does not match, the new entry is used to create a new entry in the hash table. If on the other hand it does match, unfortunately the wrong entry is freed: the entry in the hash table. This results in a use-after-free panic (and for a brief moment prior to the panic a memory leak, due to the wrong entry being freed).

Impact:

Carefully feeding fragments that are allowed to pass by an ipfilter(4) firewall can be used to cause a panic followed by a reboot loop, a denial of service attack.


Discovery 2017-04-27
Entry 2017-05-26
FreeBSD-kernel
ge 11.0 lt 11.0_10

ge 10.3 lt 10.3_19

CVE-2017-1081
SA-17:04.ipfilter
VuXML ID: 521ce804-52fd-11e8-9123-a4badb2f4699
FreeBSD -- Mishandling of x86 debug exceptions

Problem Description:

The MOV SS and POP SS instructions inhibit debug exceptions until the instruction boundary following the next instruction. If that instruction is a system call or similar instruction that transfers control to the operating system, the debug exception will be handled in the kernel context instead of the user context.

Impact:

An authenticated local attacker may be able to read sensitive data in kernel memory, control low-level operating system functions, or may panic the system.


Discovery 2018-05-08
Entry 2018-05-08
FreeBSD-kernel
ge 11.1 lt 11.1_10

ge 10.4 lt 10.4_9

CVE-2018-8897
SA-18:06.debugreg
VuXML ID: 53b3474c-f680-11e9-a87f-a4badb2f4699
FreeBSD -- Reference count overflow in mqueue filesystem 32-bit compat

Problem Description:

System calls operating on file descriptors obtain a reference to the relevant struct file which, due to a programming error, was not always put back; this in turn could be used to overflow the reference counter of the affected struct file.

Impact:

A local user can use this flaw to obtain access to files, directories, sockets, etc., opened by processes owned by other users. If the obtained struct file represents a directory from outside of the user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system.


Discovery 2019-08-20
Entry 2019-10-24
FreeBSD-kernel
ge 12.0 lt 12.0_10

ge 11.3 lt 11.3_3

ge 11.2 lt 11.2_14

CVE-2019-5603
SA-19:24.mqueuefs
VuXML ID: 5721ae65-b30a-11e9-a87f-a4badb2f4699
FreeBSD -- pts(4) write-after-free

Problem Description:

The code which handles a close(2) of a descriptor created by posix_openpt(2) fails to undo the configuration which causes SIGIO to be raised. This bug can lead to a write-after-free of kernel memory.

Impact:

The bug permits malicious code to trigger a write-after-free, which may be used to gain root privileges or escape a jail.


Discovery 2019-07-24
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_8

ge 11.2 lt 11.2_12

ge 11.3 lt 11.3_1

CVE-2019-5606
SA-19:13.pts
VuXML ID: 5797c807-4279-11ea-b184-f8b156ac3ff9
FreeBSD -- Missing IPsec anti-replay window check

Problem Description:

A missing check means that an attacker can reinject an old packet and it will be accepted and processed by the IPsec endpoint.

Impact:

The impact depends on the higher-level protocols in use over IPsec. For example, an attacker who can capture and inject packets could cause an action that was intentionally performed once to be repeated.


Discovery 2020-01-28
Entry 2020-01-29
FreeBSD-kernel
ge 12.0 lt 12.0_13

CVE-2019-5613
SA-20:02.ipsec
VuXML ID: 59c5f255-b309-11e9-a87f-a4badb2f4699
FreeBSD -- ICMP/ICMP6 packet filter bypass in pf

Problem Description:

States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in their payload matching an existing condition. pf(4) does not check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet.

Impact:

A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules and be passed to a host that would otherwise be unavailable.


Discovery 2019-05-14
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_4

ge 11.2 lt 11.2_10

CVE-2019-5598
SA-19:06.pf
VuXML ID: 5b1463dd-dab3-11e7-b5af-a4badb2f4699
FreeBSD -- POSIX shm allows jails to access global namespace

Problem Description:

Named paths are globally scoped, meaning a process located in one jail can read and modify the content of POSIX shared memory objects created by a process in another jail or the host system.

Impact:

A malicious user that has access to a jailed system is able to abuse shared memory by injecting malicious content in the shared memory region. This memory region might be executed by applications trusting the shared memory, like Squid.

This issue could lead to a Denial of Service or local privilege escalation.


Discovery 2017-11-15
Entry 2017-12-06
FreeBSD-kernel
ge 10.4 lt 10.4_3

ge 10.3 lt 10.3_24

CVE-2017-1087
SA-17:09.shm
VuXML ID: 5b8c6e1e-770f-11eb-b87a-901b0ef719ab
FreeBSD -- Xen grant mapping error handling issues

Problem Description:

Grant mapping operations often occur in batch hypercalls, where a number of operations are done in a single hypercall, the success or failure of each one reported to the backend driver, and the backend driver then loops over the results, performing follow-up actions based on the success or failure of each operation.

Unfortunately, when running in HVM/PVH mode, the FreeBSD backend drivers mishandle this: some errors are ignored, effectively implying their success from the success of related batch elements. In other cases, errors resulting from one batch element lead to further batch elements not being inspected, and hence successful ones cannot be properly unmapped upon error recovery.

Impact:

A malicious or buggy frontend driver may be able to cause resource leaks in the domain running the corresponding backend driver.


Discovery 2021-02-24
Entry 2021-02-25
FreeBSD-kernel
ge 12.2 lt 12.2_4

ge 11.4 lt 11.4_8

CVE-2021-26932
SA-21:06.xen
VuXML ID: 5d91370b-61fd-11eb-b87a-901b0ef719ab
FreeBSD -- Xen guests can trigger backend Out Of Memory

Problem Description:

Some OSes (including Linux, FreeBSD, and NetBSD) are processing watch events using a single thread. If the events are received faster than the thread is able to handle, they will get queued.

As the queue is unbounded, a guest may be able to trigger an OOM in the backend.


Discovery 2021-01-29
Entry 2021-01-29
FreeBSD-kernel
ge 12.2 lt 12.2_3

ge 12.1 lt 12.1_13

ge 11.4 lt 11.4_7

CVE-2020-29568
SA-21:02.xenoom
VuXML ID: 6025d173-4279-11ea-b184-f8b156ac3ff9
FreeBSD -- kernel stack data disclosure

Problem Description:

Due to incorrect initialization of a stack data structure, up to 20 bytes of kernel data previously stored on the stack will be exposed to a crashing user process.

Impact:

Sensitive kernel data may be disclosed.


Discovery 2020-01-28
Entry 2020-01-29
FreeBSD-kernel
ge 12.1 lt 12.1_2

ge 12.0 lt 12.0_13

ge 11.3 lt 11.3_6

CVE-2019-15875
SA-20:03.thrmisc
VuXML ID: 683c714d-2d91-11e9-bf3e-a4badb2f4699
FreeBSD -- System call kernel data register leak

Problem Description:

The callee-save registers are used by the kernel, and for some of them (%r8, %r10, and for non-PTI configurations, %r9) the content is not sanitized before return from syscalls, potentially leaking sensitive information.

Impact:

Typically an address of some kernel data structure used in the syscall implementation is exposed.


Discovery 2019-02-05
Entry 2019-02-11
FreeBSD-kernel
ge 12.0 lt 12.0_3

ge 11.2 lt 11.2_9

CVE-2019-5595
SA-19:01.syscall
VuXML ID: 6a384960-6007-11e6-a6c3-14dae9d210b8
FreeBSD -- Deadlock in the NFS server

Problem Description:

The kernel holds a lock over the source directory vnode while trying to convert the target directory file handle to a vnode, which needs to be returned with the lock held, too. This order may be in violation of normal lock order, which in conjunction with other threads that grab locks in the right order, constitutes a deadlock condition because no thread can proceed.

Impact:

An attacker on a trusted client could cause the NFS server to become deadlocked, resulting in a denial of service.


Discovery 2014-04-08
Entry 2016-08-11
FreeBSD-kernel
ge 10.0 lt 10.0_1

ge 9.2 lt 9.2_4

ge 9.1 lt 9.1_11

ge 8.4 lt 8.4_8

ge 8.3 lt 8.3_15

CVE-2014-1453
SA-14:05.nfsserver
VuXML ID: 6b856e00-b30a-11e9-a87f-a4badb2f4699
FreeBSD -- Kernel memory disclosure in freebsd32_ioctl

Problem Description:

Due to insufficient initialization of memory copied to userland in the components listed above, small amounts of kernel memory may be disclosed to userland processes.

Impact:

A user who can invoke 32-bit FreeBSD ioctls may be able to read the contents of small portions of kernel memory.

Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.


Discovery 2019-07-24
Entry 2019-07-30
FreeBSD-kernel
ge 11.2 lt 11.2_12

ge 11.3 lt 11.3_1

CVE-2019-5605
SA-19:14.freebsd32
6b90acba-6a0a-11ea-92ab-00163e433440  FreeBSD -- Kernel memory disclosure with nested jails

Problem Description:

A missing NUL-termination check for the jail_set(2) configuration option "osrelease" may return more bytes when reading the jail configuration back with jail_get(2) than were originally set.

Impact:

For jails with a non-default setting of children.max > 0 ("nested jails") a superuser inside a jail can create a jail and may be able to read and take advantage of exposed kernel memory.


Discovery 2020-03-19
Entry 2020-03-19
FreeBSD-kernel
ge 12.1 lt 12.1_3

ge 11.3 lt 11.3_7

CVE-2020-7453
SA-20:08.jail
6d472244-6007-11e6-a6c3-14dae9d210b8  FreeBSD -- TCP reassembly vulnerability

Problem Description:

FreeBSD may add a reassembly queue entry on the stack into the segment list when the reassembly queue reaches its limit. The memory from the stack is undefined after the function returns. Subsequent iterations of the reassembly function will attempt to access this entry.

Impact:

An attacker who can send a series of specifically crafted packets with a connection could cause a denial of service situation by causing the kernel to crash.

Additionally, because the undefined on-stack memory may be overwritten by other kernel threads, it may be possible, although extremely difficult, for an attacker to construct a carefully crafted attack to obtain a portion of kernel memory via a connected socket. This may result in the disclosure of sensitive information such as login credentials, etc. before or even without crashing the system.


Discovery 2014-04-30
Entry 2016-08-11
FreeBSD-kernel
ge 8.4 lt 8.4_9

ge 8.3 lt 8.3_16

ge 9.2 lt 9.2_5

ge 9.1 lt 9.1_12

ge 10.0 lt 10.0_2

CVE-2014-3000
SA-14:08.tcp
6e04048b-6007-11e6-a6c3-14dae9d210b8  FreeBSD -- ktrace kernel memory disclosure

Problem Description:

Due to an overlooked merge to -STABLE branches, the size for page fault kernel trace entries was set incorrectly.

Impact:

A user who can enable kernel process tracing could end up reading the contents of kernel memory.

Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.


Discovery 2014-06-03
Entry 2016-08-11
FreeBSD-kernel
ge 9.2 lt 9.2_7

ge 9.1 lt 9.1_14

ge 8.4 lt 8.4_11

CVE-2014-3873
SA-14:12.ktrace
703c4761-b61d-11ec-9ebc-1c697aa5a594  FreeBSD -- mpr/mps/mpt driver ioctl heap out-of-bounds write

Problem Description:

Handlers for *_CFG_PAGE read / write ioctls in the mpr, mps, and mpt drivers allocated a buffer of a caller-specified size, but copied to it a fixed size header. Other heap content would be overwritten if the specified size was too small.

Impact:

Users with access to the mpr, mps or mpt device node may overwrite heap data, potentially resulting in privilege escalation. Note that the device node is only accessible to root and members of the operator group.


Discovery 2022-04-06
Entry 2022-04-07
FreeBSD-kernel
ge 13.0 lt 13.0_11

ge 12.3 lt 12.3_5

CVE-2022-23086
SA-22:06.ioctl
7240de58-6007-11e6-a6c3-14dae9d210b8  FreeBSD -- Kernel memory disclosure in control messages and SCTP

Problem Description:

Buffer between control message header and data may not be completely initialized before being copied to userland. [CVE-2014-3952]

Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have implicit padding that may not be completely initialized before being copied to userland. In addition, three SCTP notifications, SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT, have padding in the returning data structure that may not be completely initialized before being copied to userland. [CVE-2014-3953]

Impact:

An unprivileged local process may be able to retrieve a portion of kernel memory.

For the generic control message, the process may be able to retrieve a maximum of 4 bytes of kernel memory.

For SCTP, the process may be able to retrieve 2 bytes of kernel memory for all three control messages, plus 92 bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the local process is permitted to receive SCTP notification, a maximum of 112 bytes of kernel memory may be returned to userland.

This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.


Discovery 2014-07-08
Entry 2016-08-11
FreeBSD-kernel
ge 10.0 lt 10.0_7

ge 9.2 lt 9.2_10

ge 9.1 lt 9.1_17

ge 8.4 lt 8.4_14

CVE-2014-3952
CVE-2014-3953
SA-14:17.kmem
729c4a9f-6007-11e6-a6c3-14dae9d210b8  FreeBSD -- Denial of Service in TCP packet processing

Problem Description:

When a segment with the SYN flag for an already existing connection arrives, the TCP stack tears down the connection, bypassing a check that the sequence number in the segment is in the expected window.

Impact:

An attacker who has the ability to spoof IP traffic can tear down a TCP connection by sending only 2 packets, if they know both TCP port numbers. In case one of the two port numbers is unknown, a successful attack requires fewer than 2**17 spoofed packets, which can be generated within less than a second on a decent connection to the Internet.


Discovery 2014-09-16
Entry 2016-08-11
FreeBSD-kernel
ge 10.0 lt 10.0_9

ge 9.3 lt 9.3_2

ge 9.2 lt 9.2_12

ge 9.1 lt 9.1_19

ge 8.4 lt 8.4_16

CVE-2004-0230
SA-14:19.tcp
73964eac-6007-11e6-a6c3-14dae9d210b8  FreeBSD -- memory leak in sandboxed namei lookup

Problem Description:

The namei facility will leak a small amount of kernel memory every time a sandboxed process looks up a nonexistent path name.

Impact:

A remote attacker that can cause a sandboxed process (for instance, a web server) to look up a large number of nonexistent path names can cause memory exhaustion.


Discovery 2014-10-21
Entry 2016-08-11
FreeBSD-kernel
ge 10.0 lt 10.0_10

ge 9.3 lt 9.3_3

ge 9.2 lt 9.2_13

ge 9.1 lt 9.1_20

CVE-2014-3711
SA-14:22.namei
74389f22-6007-11e6-a6c3-14dae9d210b8  FreeBSD -- Kernel stack disclosure in setlogin(2) / getlogin(2)

Problem Description:

When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the portion occupied by the login name associated with the session.

Impact:

An unprivileged user can access this memory by calling getlogin(2) and reading beyond the terminating NUL character of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory may be leaked in this manner for each invocation of setlogin(2).

This memory may contain sensitive information, such as portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.


Discovery 2014-11-04
Entry 2016-08-11
FreeBSD-kernel
ge 10.0 lt 10.0_12

ge 9.3 lt 9.3_5

ge 9.2 lt 9.2_15

ge 9.1 lt 9.1_22

ge 8.4 lt 8.4_19

CVE-2014-8476
SA-14:25.setlogin
74bbde13-ec17-11ea-88f8-901b0ef719ab  FreeBSD -- IPv6 Hop-by-Hop options use-after-free bug

Problem Description:

Due to improper mbuf handling in the kernel, a use-after-free bug might be triggered by sending IPv6 Hop-by-Hop options over the loopback interface.

Impact:

Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.


Discovery 2020-09-02
Entry 2020-09-02
FreeBSD-kernel
ge 11.3 lt 11.3_13

CVE-2020-7462
SA-20:24.ipv6
74daa370-2797-11e8-95ec-a4badb2f4699  FreeBSD -- Speculative Execution Vulnerabilities

Problem Description:

A number of issues relating to speculative execution were found last year and publicly announced January 3rd. Two of these, known as Meltdown and Spectre V2, are addressed here.

CVE-2017-5754 (Meltdown)

This issue relies on an affected CPU speculatively executing instructions beyond a faulting instruction. When this happens, changes to architectural state are not committed, but observable changes may be left in micro-architectural state (for example, cache). This may be used to infer privileged data.

CVE-2017-5715 (Spectre V2)

Spectre V2 uses branch target injection to speculatively execute kernel code at an address under the control of an attacker.

Impact:

An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).


Discovery 2018-03-14
Entry 2018-03-14
FreeBSD-kernel
ge 11.1 lt 11.1_8

CVE-2017-5715
CVE-2017-5754
SA-18:03.speculative_execution
759059ac-dab3-11e7-b5af-a4badb2f4699  FreeBSD -- Information leak in kldstat(2)

Problem Description:

The kernel does not properly clear the memory of the kld_file_stat structure before filling the data. Since the structure filled by the kernel is allocated on the kernel stack and copied to userspace, a leak of information from the kernel stack is possible.

Impact:

Some bytes from the kernel stack can be observed in userspace.


Discovery 2017-11-15
Entry 2017-12-06
FreeBSD-kernel
ge 11.1 lt 11.1_4

ge 11.0 lt 11.0_15

ge 10.4 lt 10.4_3

ge 10.3 lt 10.3_24

CVE-2017-1088
SA-17:10.kldstat
77b877aa-ec18-11ea-88f8-901b0ef719ab  FreeBSD -- SCTP socket use-after-free bug

Problem Description:

Due to improper handling in the kernel, a use-after-free bug can be triggered by sending large user messages from multiple threads on the same socket.

Impact:

Triggering the use-after-free situation may result in unintended kernel behaviour including a kernel panic.


Discovery 2020-09-02
Entry 2020-09-02
FreeBSD-kernel
ge 12.1 lt 12.1_9

ge 11.4 lt 11.4_3

ge 11.3 lt 11.3_13

CVE-2020-7463
SA-20:25.sctp
78992249-947c-11ea-92ab-00163e433440  FreeBSD -- Memory disclosure vulnerability in libalias

Problem Description:

The FTP packet handler in libalias incorrectly calculates some packet lengths. This may result in disclosing small amounts of memory from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).

Impact:

A malicious attacker could send specially constructed packets that exploit the erroneous calculation, allowing the attacker to disclose a small amount of memory either from the kernel (for the in-kernel NAT implementation) or from the process space for natd (for the userspace implementation).


Discovery 2020-05-12
Entry 2020-05-12
FreeBSD-kernel
ge 12.1 lt 12.1_5

ge 11.4 lt 11.4_1

ge 11.3 lt 11.3_9

CVE-2020-7455
SA-20:13.libalias
78f06a6c-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- SCTP ICMPv6 error message vulnerability

Problem Description:

A lack of proper input checks in the ICMPv6 processing in the SCTP stack can lead to either a failed kernel assertion or to a NULL pointer dereference. In either case, a kernel panic will follow.

Impact:

A remote, unauthenticated attacker can reliably trigger a kernel panic in a vulnerable system running IPv6. Any kernel compiled with both IPv6 and SCTP support is vulnerable. There is no requirement to have an SCTP socket open.

IPv4 ICMP processing is not impacted by this vulnerability.


Discovery 2016-01-14
Entry 2016-08-11
FreeBSD-kernel
ge 10.2 lt 10.2_9

ge 10.1 lt 10.1_26

ge 9.3 lt 9.3_33

CVE-2016-1879
SA-16:01.sctp
793fb19c-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- Linux compatibility layer incorrect futex handling

Problem Description:

A programming error in the handling of Linux futex robust lists may result in incorrect memory locations being accessed.

Impact:

It is possible for a local attacker to read portions of kernel memory, which may result in a privilege escalation.


Discovery 2016-01-14
Entry 2016-08-11
FreeBSD-kernel
ge 10.2 lt 10.2_9

ge 10.1 lt 10.1_26

ge 9.3 lt 9.3_33

CVE-2016-1880
SA-16:03.linux
798f63e0-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- Linux compatibility layer setgroups(2) system call

Problem Description:

A programming error in the Linux compatibility layer setgroups(2) system call can lead to unexpected results, such as overwriting random kernel memory contents.

Impact:

It is possible for a local attacker to overwrite portions of kernel memory, which may result in a privilege escalation or cause a system panic.


Discovery 2016-01-14
Entry 2016-08-11
FreeBSD-kernel
ge 10.2 lt 10.2_9

ge 10.1 lt 10.1_26

ge 9.3 lt 9.3_33

CVE-2016-1881
SA-16:04.linux
79dfc135-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- TCP MD5 signature denial of service

Problem Description:

A programming error in processing a TCP connection with both TCP_MD5SIG and TCP_NOOPT socket options may lead to a kernel crash.

Impact:

A local attacker can crash the kernel, resulting in a denial-of-service.

A remote attack is theoretically possible if the server has a listening socket with TCP_NOOPT set, and the server is either out of SYN cache entries or the SYN cache is disabled by configuration.


Discovery 2016-01-14
Entry 2016-08-11
FreeBSD-kernel
ge 10.2 lt 10.2_9

ge 10.1 lt 10.1_26

ge 9.3 lt 9.3_33

CVE-2016-1882
SA-16:05.tcp
7ac28df1-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- Linux compatibility layer issetugid(2) system call

Problem Description:

A programming error in the Linux compatibility layer could cause the issetugid(2) system call to return incorrect information.

Impact:

If an application relies on output of the issetugid(2) system call and that information is incorrect, this could lead to a privilege escalation.


Discovery 2016-01-27
Entry 2016-08-11
FreeBSD-kernel
ge 10.2 lt 10.2_11

ge 10.1 lt 10.1_28

ge 9.3 lt 9.3_35

CVE-2016-1883
SA-16:10.linux
7b6a11b5-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- Incorrect argument validation in sysarch(2)

Problem Description:

A special combination of sysarch(2) arguments specifies a request to uninstall a set of descriptors from the LDT. The start descriptor is cleared and the number of descriptors is provided. Due to lack of sufficient bounds checking during argument validity verification, unbounded zeroing of the process LDT and adjacent memory can be initiated from usermode.

Impact:

This vulnerability could cause the kernel to panic. In addition it is possible to perform a local Denial of Service against the system by unprivileged processes.


Discovery 2016-03-16
Entry 2016-08-11
Modified 2016-10-25
FreeBSD-kernel
ge 11.0 lt 11.0_2

ge 10.3 lt 10.3_11

ge 10.2 lt 10.2_24

ge 10.1 lt 10.1_41

ge 9.3 lt 9.3_49

CVE-2016-1885
SA-16:15.sysarch
7bbc0e8c-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- Buffer overflow in keyboard driver

Problem Description:

Incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of the kernel memory.

Impact:

A local user may crash the kernel, read a portion of kernel memory and execute arbitrary code in kernel context. The result of executing arbitrary kernel code is privilege escalation.


Discovery 2016-05-17
Entry 2016-08-11
FreeBSD-kernel
ge 10.3 lt 10.3_3

ge 10.2 lt 10.2_17

ge 10.1 lt 10.1_34

ge 9.3 lt 9.3_42

CVE-2016-1886
SA-16:18.atkbd
7c0bac69-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- Incorrect argument handling in sendmsg(2)

Problem Description:

Incorrect argument handling in the socket code allows a malicious local user to overwrite a large portion of the kernel memory.

Impact:

A malicious local user may crash the kernel or execute arbitrary code in the kernel, potentially gaining superuser privileges.


Discovery 2016-05-17
Entry 2016-08-11
FreeBSD-kernel
ge 10.3 lt 10.3_3

ge 10.2 lt 10.2_17

ge 10.1 lt 10.1_34

CVE-2016-1887
SA-16:19.sendmsg
7c5d64dd-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- Kernel stack disclosure in Linux compatibility layer

Problem Description:

The implementation of the TIOCGSERIAL ioctl(2) does not clear the output struct before copying it out to userland.

The implementation of the Linux sysinfo() system call does not clear the output struct before copying it out to userland.

Impact:

An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.


Discovery 2016-05-31
Entry 2016-08-11
FreeBSD-kernel
ge 10.3 lt 10.3_4

ge 10.2 lt 10.2_18

ge 10.1 lt 10.1_35

ge 9.3 lt 9.3_43

SA-16:20.linux
7cad4795-600a-11e6-a6c3-14dae9d210b8  FreeBSD -- Kernel stack disclosure in 4.3BSD compatibility layer

Problem Description:

The implementation of the historic stat(2) system call does not clear the output struct before copying it out to userland.

Impact:

An unprivileged user can read a portion of uninitialised kernel stack data, which may contain sensitive information, such as the stack guard, portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges.


Discovery 2016-05-31
Entry 2016-08-11
FreeBSD-kernel
ge 10.3 lt 10.3_4

ge 10.2 lt 10.2_18

ge 10.1 lt 10.1_35

ge 9.3 lt 9.3_43

SA-16:21.43bsd
86c89abf-2d91-11e9-bf3e-a4badb2f4699  FreeBSD -- File description reference count leak

Problem Description:

FreeBSD 12.0 attempts to handle the case where the receiving process does not provide a sufficiently large buffer for an incoming control message containing rights. In particular, to avoid leaking the corresponding descriptors into the receiving process' descriptor table, the kernel handles the truncation case by closing descriptors referenced by the discarded message.

The code which performs this operation failed to release a reference obtained on the file corresponding to a received right. This bug can be used to cause the reference counter to wrap around and free the file structure.

Impact:

A local user can exploit the bug to gain root privileges or escape from a jail.


Discovery 2019-02-05
Entry 2019-02-11
FreeBSD-kernel
ge 12.0 lt 12.0_3

CVE-2019-5596
SA-19:02.fd
8d20bd48-a4f3-11ec-90de-1c697aa5a594  FreeBSD-kernel -- Multiple WiFi issues

Problem Description:

The paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation" reported a number of security vulnerabilities in the 802.11 specification related to frame aggregation and fragmentation.

Additionally, FreeBSD 12.x missed length validation of SSIDs and Information Elements (IEs).

Impact:

As reported on the FragAttacks website, the "design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings." Under suitable conditions an attacker may be able to extract sensitive data or inject data.


Discovery 2022-03-15
Entry 2022-03-16
FreeBSD-kernel
ge 13.0 lt 13.0_8

ge 12.3 lt 12.3_3

ge 12.2 lt 12.2_14

CVE-2020-26147
CVE-2020-24588
CVE-2020-26144
SA-22:02.wifi
8db74c04-d794-11ea-88f8-901b0ef719ab  FreeBSD -- sendmsg(2) privilege escalation

Problem Description:

When handling a 32-bit sendmsg(2) call, the compat32 subsystem copies the control message to be transmitted (if any) into kernel memory, and adjusts alignment of control message headers. The code which performs this work contained a time-of-check to time-of-use (TOCTOU) vulnerability which allows a malicious userspace program to modify control message headers after they were validated by the kernel.

Impact:

The TOCTOU bug can be exploited by an unprivileged malicious userspace program to trigger privilege escalation.


Discovery 2020-08-05
Entry 2020-08-06
FreeBSD-kernel
ge 12.1 lt 12.1_8

ge 11.4 lt 11.4_2

ge 11.3 lt 11.3_12

CVE-2020-7460
SA-20:23.sendmsg
8eed0c5c-3482-11eb-b87a-901b0ef719ab  FreeBSD -- ICMPv6 use-after-free in error message handling

Problem Description:

When an ICMPv6 error message is received, the FreeBSD ICMPv6 stack may extract information from the message to hand to upper-layer protocols. As a part of this operation, it may parse IPv6 header options from a packet embedded in the ICMPv6 message.

The handler for a routing option caches a pointer into the packet buffer holding the ICMPv6 message. However, when processing subsequent options the packet buffer may be freed, rendering the cached pointer invalid. The network stack may later dereference the pointer, potentially triggering a use-after-free.

Impact:

A remote host may be able to trigger a read of freed kernel memory. This may trigger a kernel panic if the address had been unmapped.


Discovery 2020-12-01
Entry 2020-12-02
FreeBSD-kernel
ge 12.2 lt 12.2_1

ge 12.1 lt 12.1_11

ge 11.4 lt 11.4_5

CVE-2020-7469
SA-20:31.icmp6
9eb01384-d793-11ea-88f8-901b0ef719ab  FreeBSD -- Potential memory corruption in USB network device drivers

Problem Description:

Missing length validation in code common to these three drivers means that a malicious USB device could write beyond the end of an allocated network packet buffer.

Impact:

An attacker with physical access to a USB port and the ability to bring a network interface up may be able to use a specially crafted USB device to gain kernel or user-space code execution.


Discovery 2020-08-05
Entry 2020-08-06
FreeBSD-kernel
ge 12.1 lt 12.1_8

ge 11.4 lt 11.4_2

ge 11.3 lt 11.3_12

CVE-2020-7459
SA-20:21.usb_net
9f15c2da-947e-11ea-92ab-00163e433440  FreeBSD -- Use after free in cryptodev module

Problem Description:

A race condition permitted a data structure in the kernel to be used after it was freed by the cryptodev module.

Impact:

An unprivileged process can overwrite arbitrary kernel memory.


Discovery 2020-01-20
Entry 2020-05-12
FreeBSD-kernel
ge 12.1 lt 12.1_5

ge 11.3 lt 11.3_9

CVE-2019-15879
SA-20:15.cryptodev
a479a725-9adb-11e6-a298-14dae9d210b8  FreeBSD -- bhyve - privilege escalation vulnerability

Problem Description:

An unchecked array reference in the VGA device emulation code could potentially allow guests access to the heap of the bhyve process. Since the bhyve process is running as root, this may allow guests to obtain full control of the hosts they are running on.

Impact:

For bhyve virtual machines with the "fbuf" framebuffer device configured, if exploited, a malicious guest could obtain full access to not just the host system, but to other virtual machines running on the system.


Discovery 2016-10-25
Entry 2016-10-25
Modified 2016-10-25
FreeBSD-kernel
ge 11.0 lt 11.0_2

SA-16:32.bhyve
a5cf3ecd-38db-11e8-8b7f-a4badb2f469b  FreeBSD -- vt console memory disclosure

Problem Description:

Insufficient validation of user-provided font parameters can result in an integer overflow, leading to the use of arbitrary kernel memory as glyph data. Characters that reference this data can be displayed on the screen, effectively disclosing kernel memory.

Impact:

Unprivileged users may be able to access privileged kernel data.

Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.


Discovery 2018-04-04
Entry 2018-04-05
FreeBSD-kernel
ge 11.1 lt 11.1_9

ge 10.4 lt 10.4_8

ge 10.3 lt 10.3_29

CVE-2018-6917
SA-18:04.vt
a633651b-b309-11e9-a87f-a4badb2f4699  FreeBSD -- Microarchitectural Data Sampling (MDS)

Problem Description:

On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure.

Impact:

An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).


Discovery 2019-05-14
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_5

ge 11.2 lt 11.2_10

CVE-2018-1212
CVE-2018-1213
CVE-2019-1109
SA-19:07.mds
a67c122a-b693-11e8-ac58-a4badb2f4699  FreeBSD -- Improper ELF header parsing

Problem Description:

Insufficient validation was performed in the ELF header parser, and malformed or otherwise invalid ELF binaries were not rejected as they should be.

Impact:

Execution of a malicious ELF binary may result in a kernel crash or may disclose kernel memory.


Discovery 2018-09-12
Entry 2018-09-12
FreeBSD-kernel
ge 11.2 lt 11.2_3

ge 11.1 lt 11.1_14

ge 10.4 lt 10.4_12

CVE-2018-6924
SA-18:12.elf
a7b97d26-9792-11eb-b87a-901b0ef719ab  FreeBSD -- jail escape possible by mounting over jail root

Problem Description:

Due to a race condition between lookup of ".." and remounting a filesystem, a process running inside a jail might access the filesystem hierarchy outside of the jail.

Impact:

A process with superuser privileges running inside a jail configured with the allow.mount permission (not enabled by default) could change the root directory outside of the jail, and thus gain full read and write access to all files and directories in the system.


Discovery 2021-04-06
Entry 2021-04-07
FreeBSD-kernel
ge 12.2 lt 12.2_6

ge 11.4 lt 11.4_9

CVE-2020-25584
SA-21:10.jail_mount
a9c6e9be-61fb-11eb-b87a-901b0ef719ab  FreeBSD -- Uninitialized kernel stack leaks in several file systems

Problem Description:

Several file systems were not properly initializing the d_off field of the dirent structures returned by VOP_READDIR. In particular, tmpfs(5), smbfs(5), autofs(5) and mqueuefs(5) were failing to do so. As a result, eight uninitialized kernel stack bytes may be leaked to userspace by these file systems. This problem is not present in FreeBSD 11.

Additionally, msdosfs(5) was failing to zero-fill a pair of padding fields in the dirent structure, resulting in a leak of three uninitialized bytes.

Impact:

Kernel stack disclosures may leak sensitive information which could be used to compromise the security of the system.


Discovery 2021-01-29
Entry 2021-01-29
FreeBSD-kernel
ge 12.2 lt 12.2_3

ge 12.1 lt 12.1_13

ge 11.4 lt 11.4_7

CVE-2020-25578
CVE-2020-25579
SA-21:01.fsdisclosure
b2b83761-6a09-11ea-92ab-00163e433440  FreeBSD -- Insufficient ixl(4) ioctl(2) privilege checking

Problem Description:

The driver-specific ioctl(2) command handlers in ixl(4) failed to check whether the caller has sufficient privileges to perform the corresponding operation.

Impact:

The ixl(4) handler permits unprivileged users to trigger updates to the device's non-volatile memory (NVM).


Discovery 2020-03-19
Entry 2020-03-19
FreeBSD-kernel
ge 12.1 lt 12.1_3

CVE-2019-15877
SA-20:06.if_ixl_ioctl
ba796b98-b61c-11ec-9ebc-1c697aa5a594  FreeBSD -- Bhyve e82545 device emulation out-of-bounds write

Problem Description:

The e1000 network adapters permit a variety of modifications to an Ethernet packet when it is being transmitted. These include the insertion of IP and TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation offload ("TSO"). The e1000 device model uses an on-stack buffer to generate the modified packet header when simulating these modifications on transmitted packets.

When checksum offload is requested for a transmitted packet, the e1000 device model used a guest-provided value to specify the checksum offset in the on-stack buffer. The offset was not validated for certain packet types.

Impact:

A misbehaving bhyve guest could overwrite memory in the bhyve process on the host, possibly leading to code execution in the host context.

The bhyve process runs in a Capsicum sandbox, which (depending on the FreeBSD version and bhyve configuration) limits the impact of exploiting this issue.


Discovery 2022-04-06
Entry 2022-04-07
FreeBSD-kernel
ge 13.0 lt 13.0_11

ge 12.3 lt 12.3_5

CVE-2022-23087
SA-22:05.bhyve
bb53af7b-f7e4-11ea-88f8-901b0ef719ab  FreeBSD -- ure device driver susceptible to packet-in-packet attack

Problem Description:

A programming error in the ure(4) device driver caused some Realtek USB Ethernet interfaces to incorrectly report packets with more than 2048 bytes in a single USB transfer as having a length of only 2048 bytes.

An adversary can exploit this to cause the driver to misinterpret part of the payload of a large packet as a separate packet, and thereby inject packets across security boundaries such as VLANs.

Impact:

An attacker that can send large frames (larger than 2048 bytes in size) to be received by the host (whether VLAN-tagged or not) can inject arbitrary packets to be received and processed by the host. This includes spoofing packets from other hosts, or injecting packets into VLANs other than the one the host is on.


Discovery 2020-09-15
Entry 2020-09-16
FreeBSD-kernel
ge 12.1 lt 12.1_10

ge 11.4 lt 11.4_4

ge 11.3 lt 11.3_14

CVE-2020-7464
SA-20:27.ure
bba850fd-770e-11eb-b87a-901b0ef719ab  FreeBSD -- jail_attach(2) relies on the caller to change the cwd

Problem Description:

When a process, such as jexec(8) or killall(1), calls jail_attach(2) to enter a jail, the jailed root can attach to it using ptrace(2) before the current working directory is changed.

Impact:

A process with superuser privileges running inside a jail could change the root directory outside of the jail, thereby gaining full read and write access to all files and directories in the system.


Discovery 2021-02-24
Entry 2021-02-25
FreeBSD-kernel
ge 12.2 lt 12.2_4

ge 11.4 lt 11.4_8

CVE-2020-25582
SA-21:05.jail_chdir
c0c5afef-38db-11e8-8b7f-a4badb2f469b  FreeBSD -- ipsec crash or denial of service

Problem Description:

The length field of the option header does not count the size of the option header itself. This causes a problem when the length is zero: the count is then incremented by zero, which causes an infinite loop.

In addition there are pointer/offset mistakes in the handling of IPv4 options.

Impact:

A remote attacker who is able to send an arbitrary packet could cause the remote target machine to crash.


Discovery 2018-04-04
Entry 2018-04-05
FreeBSD-kernel
ge 11.1 lt 11.1_9

ge 10.4 lt 10.4_8

ge 10.3 lt 10.3_29

CVE-2018-6918
SA-18:05.ipsec
c11ee146-c266-11ea-8659-901b0ef719ab  FreeBSD -- IPv6 socket option race condition and use after free

Problem Description:

The IPV6_2292PKTOPTIONS set handler was missing synchronization, so racing accesses could modify freed memory.

Impact:

A malicious user application could trigger memory corruption, leading to privilege escalation.


Discovery 2020-07-09
Entry 2020-07-10
FreeBSD-kernel
ge 12.1 lt 12.1_7

ge 11.4 lt 11.4_1

ge 11.3 lt 11.3_11

CVE-2020-7457
SA-20:20.ipv6
c294c2e6-b309-11e9-a87f-a4badb2f4699  FreeBSD -- Resource exhaustion in non-default RACK TCP stack

Problem Description:

While processing acknowledgements, the RACK code uses several linked lists to maintain state entries. A malicious attacker can cause the lists to grow unbounded. This can cause an expensive list traversal on every packet being processed, leading to resource exhaustion and a denial of service.

Impact:

An attacker with the ability to send specially crafted TCP traffic to a victim system can degrade network performance and/or consume excessive CPU by exploiting the inefficiency of traversing the potentially very large RACK linked lists with relatively small bandwidth cost.


Discovery 2019-06-19
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_6

CVE-2019-5599
SA-19:08.rack
d1ac6a6a-bea8-11eb-b87a-901b0ef719ab  FreeBSD-kernel -- SMAP bypass

Problem Description:

The FreeBSD kernel enables SMAP during boot when the CPU reports that the SMAP capability is present. Subroutines such as copyin() and copyout() are responsible for disabling SMAP around the sections of code that perform user memory accesses.

Such subroutines must handle page faults triggered when user memory is not mapped. The kernel's page fault handler checks the validity of the fault, and if it is indeed valid it will map a page and resume copying. If the fault is invalid, the fault handler returns control to a trampoline which aborts the operation and causes an error to be returned. In this second scenario, a bug in the implementation of SMAP support meant that SMAP would remain disabled until the thread returns to user mode.

Impact:

This bug may be used to bypass the protections provided by SMAP for the duration of a system call. It could thus be combined with other kernel bugs to craft an exploit.


Discovery 2021-05-27
Entry 2021-05-27
FreeBSD-kernel
ge 13.0 lt 13.0_1

ge 12.2 lt 12.2_7

CVE-2021-29628
SA-21:11.smap
d4cc994f-b61d-11ec-9ebc-1c697aa5a594
FreeBSD -- 802.11 heap buffer overflow

Problem Description:

The 802.11 beacon handling routine failed to validate the length of an IEEE 802.11s Mesh ID before copying it to a heap-allocated buffer.

Impact:

While a FreeBSD Wi-Fi client is in scanning mode (i.e., not associated with an SSID), a malicious beacon frame may overwrite kernel memory, leading to remote code execution.


Discovery 2022-04-06
Entry 2022-04-07
FreeBSD-kernel
ge 13.0 lt 13.0_11

ge 12.3 lt 12.3_5

CVE-2022-23088
SA-22:07.wifi_meshid
dca7ced0-2796-11e8-95ec-a4badb2f4699
FreeBSD -- ipsec validation and use-after-free

Problem Description:

Due to a lack of strict checking, an attacker from a trusted host can send a specially constructed IP packet that may lead to a system crash.

Additionally, a use-after-free vulnerability in the AH handling code could cause unpredictable results.

Impact:

Access to out-of-bounds or freed mbuf data can lead to a kernel panic or other unpredictable results.


Discovery 2018-03-07
Entry 2018-03-14
FreeBSD-kernel
ge 11.1 lt 11.1_7

ge 10.4 lt 10.4_7

ge 10.3 lt 10.3_28

CVE-2018-6916
SA-18:01.ipsec
dd48d9b9-5e7e-11e6-a6c3-14dae9d210b8
FreeBSD -- Kernel memory disclosure in sctp(4)

Problem Description:

When initializing the SCTP state cookie being sent in INIT-ACK chunks, a buffer allocated from the kernel stack is not completely initialized.

Impact:

Fragments of kernel memory may be included in SCTP packets and transmitted over the network. For each SCTP session, there are two separate instances in which a 4-byte fragment may be transmitted.

This memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.


Discovery 2013-08-22
Entry 2016-08-09
FreeBSD-kernel
ge 9.1 lt 9.1_6

ge 8.4 lt 8.4_3

ge 8.3 lt 8.3_10

SA-13:10.sctp
CVE-2013-5209
deb6e164-b30b-11e9-a87f-a4badb2f4699
FreeBSD -- Reference count overflow in mqueue filesystem

Problem Description:

System calls operating on file descriptors obtain a reference to the relevant struct file which, due to a programming error, was not always put back. This in turn could be used to overflow the reference counter of the affected struct file.

Impact:

A local user can use this flaw to obtain access to files, directories, sockets etc. opened by processes owned by other users. If the obtained struct file represents a directory from outside of the user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root, they can obtain root privileges on the host system.


Discovery 2019-07-24
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_8

ge 11.2 lt 11.2_12

ge 11.3 lt 11.3_1

CVE-2019-5603
SA-19:15.mqueuefs
e5d2442d-5e76-11e6-a6c3-14dae9d210b8
FreeBSD -- Incorrect privilege validation in the NFS server

Problem Description:

The kernel incorrectly uses client-supplied credentials instead of the ones configured in exports(5) when filling out the anonymous credential for an NFS export, when -network or -host restrictions are used at the same time.

Impact:

The remote client may supply privileged credentials (e.g. the root user) when accessing a file under the NFS share, which will bypass the normal access checks.


Discovery 2013-07-06
Entry 2016-08-09
FreeBSD-kernel
ge 9.1 lt 9.1_5

ge 8.3 lt 8.3_9

CVE-2013-4851
SA-13:08.nfsserver
e73c688b-f7e6-11ea-88f8-901b0ef719ab
FreeBSD -- bhyve SVM guest escape

Problem Description:

A number of AMD virtualization instructions operate on host physical addresses, are not subject to nested page table translation, and guest use of these instructions was not trapped.

Impact:

From kernel mode a malicious guest can write to arbitrary host memory (with some constraints), affording the guest full control of the host.


Discovery 2020-09-15
Entry 2020-09-16
FreeBSD-kernel
ge 12.1 lt 12.1_10

ge 11.4 lt 11.4_4

ge 11.3 lt 11.3_14

CVE-2020-7467
SA-20:29.bhyve_svm
edc0bf7e-05a1-11ea-9dfa-f8b156ac3ff9
FreeBSD -- Machine Check Exception on Page Size Change

Intel discovered that a previously published erratum on some Intel platforms can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system.

Malicious guest operating systems may be able to crash the host.


Discovery 2019-11-14
Entry 2019-11-25
FreeBSD-kernel
ge 12.1 lt 12.1_1

ge 12.0 lt 12.0_12

ge 11.3 lt 11.3_5

CVE-2018-12207
SA-19:25.mcepsc
edf064fb-b30b-11e9-a87f-a4badb2f4699
FreeBSD -- Bhyve out-of-bounds read in XHCI device

Problem Description:

The pci_xhci_device_doorbell() function does not validate the 'epid' and 'streamid' provided by the guest, leading to an out-of-bounds read.

Impact:

A misbehaving bhyve guest could crash the system or access memory that it should not be able to.


Discovery 2019-07-24
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_8

ge 11.2 lt 11.2_12

ge 11.3 lt 11.3_1

CVE-2019-5604
SA-19:16.bhyve
f8e1e2a6-9791-11eb-b87a-901b0ef719ab
FreeBSD -- double free in accept_filter(9) socket configuration interface

Problem Description:

An unprivileged process can configure an accept filter on a listening socket. This is done using the setsockopt(2) system call. The process supplies the name of the accept filter which is to be attached to the socket, as well as a string containing filter-specific information.

If the filter implements the accf_create callback, the socket option handler attempts to preserve the process-supplied argument string. A bug in the socket option handler caused this string to be freed prematurely, leaving a dangling pointer. Additional operations on the socket can turn this into a double free or a use-after-free.

Impact:

The bug may be exploited to trigger local privilege escalation or kernel memory disclosure.


Discovery 2021-04-06
Entry 2021-04-07
FreeBSD-kernel
ge 12.2 lt 12.2_6

CVE-2021-29627
SA-21:09.accept_filter
fbe10a8a-05a1-11ea-9dfa-f8b156ac3ff9
FreeBSD -- Intel CPU Microcode Update

Starting with version 1.26, the devcpu-data port/package includes updates and mitigations for the following technical and security advisories (depending on CPU model).

Intel TSX Updates (TAA): CVE-2019-11135
Voltage Modulation Vulnerability: CVE-2019-11139
MD_CLEAR Operations: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2018-11091
TA Indirect Sharing: CVE-2017-5715
EGETKEY: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2018-11091
JCC: SKX102 Erratum

Updated microcode includes mitigations for CPU issues, but may also cause a performance regression due to the JCC erratum mitigation. Please visit http://www.intel.com/benchmarks for further information.

Please visit http://www.intel.com/security for detailed information on these advisories as well as a list of CPUs that are affected.

Operating a CPU without the latest microcode may result in erratic or unpredictable behavior, including system crashes and lock ups. Certain issues listed in this advisory may result in the leakage of privileged system information to unprivileged users. Please refer to the security advisories listed above for detailed information.


Discovery 2019-11-14
Entry 2019-11-25
FreeBSD-kernel
ge 12.1 lt 12.1_1

ge 12.0 lt 12.0_12

ge 11.3 lt 11.3_5

CVE-2019-11135
CVE-2019-11139
CVE-2018-12126
CVE-2018-12127
CVE-2018-12130
CVE-2018-11091
CVE-2017-5715
SA-19:26.mcu
ff82610f-b309-11e9-a87f-a4badb2f4699
FreeBSD -- Kernel stack disclosure in UFS/FFS

Problem Description:

A bug causes up to three bytes of kernel stack memory to be written to disk as uninitialized directory entry padding. This data can be viewed by any user with read access to the directory. Additionally, a malicious user with write access to a directory can cause up to 254 bytes of kernel stack memory to be exposed.

Impact:

Some amount of the kernel stack is disclosed and written out to the filesystem.


Discovery 2019-07-02
Entry 2019-07-30
FreeBSD-kernel
ge 12.0 lt 12.0_7

ge 11.2 lt 11.2_11

CVE-2019-5601
SA-19:10.ufs