Home / mailings FreeBSD Security Advisory FreeBSD-SA-26:38.jail
Posted on 30 June 2026
FreeBSD security notificat=============================================================================FreeBSD-SA-26:38.jail Security Advisory
The FreeBSD Project
Topic: Jail reference count underflow
Category: core
Module: jail
Announced: 2026-06-30
Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li, and
Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Affects: FreeBSD 15.0 and later
Corrected: 2026-06-12 17:59:54 UTC (stable/15, 15.1-STABLE)
2026-06-30 17:21:54 UTC (releng/15.1, 15.1-RELEASE-p1)
2026-06-30 17:21:21 UTC (releng/15.0, 15.0-RELEASE-p11)
CVE Name: CVE-2026-49419
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
Jails are an operating system virtualization technology which allow
administrators to confine processes within an environment with limited
ability to affect the system outside of that environment. The
jail_set(2) and jail_get(2) system calls are used to create, modify,
and query jails.
Starting in FreeBSD 15.0, jails can be referred to using jail
descriptors, a type of file descriptor tied to a particular jail. The
JAIL_AT_DESC flag causes jail_set(2) and jail_get(2) to operate in the
context of the jail identified by the descriptor, rather than the
caller's current jail.
II. Problem Description
When the JAIL_AT_DESC flag is specified, kern_jail_set() and
kern_jail_get() released the reference to the caller's current prison
before looking up the jail descriptor. If the descriptor lookup
failed, error-handling paths released the same reference a second
time.
III. Impact
An unprivileged local user can trigger a prison reference count
underflow, which may cause the prison structure to be freed while still
in use. When this is done on the jail host, the bug will generally
result in an immediate panic. However, if the user is running in a
jail, then it may be possible to exploit the bug to elevate privileges.
IV. Workaround
No workaround is available.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:38/jail.patch
# fetch https://security.FreeBSD.org/patches/SA-26:38/jail.patch.asc
# gpg --verify jail.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch -E -p0 < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 4938fd9361b4 stable/15-n283929
releng/15.1/ fc9fe1b9f024 releng/15.1-n283566
releng/15.0/ 029528221261 releng/15.0-n281068
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://www.cve.org/CVERecord?id=CVE-2026-49419>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:38.jail.asc>
