FreeBSD Security Advisory FreeBSD-SA-26:40.zfs
Posted on 30 June 2026
=============================================================================
FreeBSD-SA-26:40.zfs                                        Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities in OpenZFS
Category: contrib
Module: openzfs
Announced: 2026-06-30
Credits: Yuxiang Yang, Yizhou Zhao, Ao Wang, Xuewei Feng, Qi Li,
and Ke Xu from Tsinghua University using GLM-5.1 from Z.ai
Credits: Emmanuel Genier at Quarkslab
Affects: All supported versions of FreeBSD.
Corrected: 2026-06-17 07:21:06 UTC (stable/15, 15.1-STABLE)
2026-06-30 17:21:56 UTC (releng/15.1, 15.1-RELEASE-p1)
2026-06-30 17:21:23 UTC (releng/15.0, 15.0-RELEASE-p11)
2026-06-30 17:19:48 UTC (stable/14, 14.4-STABLE)
2026-06-30 17:20:56 UTC (releng/14.4, 14.4-RELEASE-p7)
2026-06-30 17:20:29 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name: CVE-2026-49429, CVE-2026-49430, CVE-2026-49431
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
ZFS is an advanced and scalable file system originally developed by Sun
Microsystems for its Solaris operating system. ZFS was integrated as
part of FreeBSD starting with FreeBSD 7.0.
ZFS delegation allows the system administrator to grant unprivileged
users the ability to perform specific administrative operations, such
as creating snapshots or managing properties, on a per-dataset basis.
This is configured using the zfs-allow(8) command.
II. Problem Description
The ZFS_IOC_USERSPACE_MANY ioctl, used by zfs-userspace(8), truncated a
64-bit output buffer size to a 32-bit integer for the kernel allocation,
but used the original 64-bit size as the buffer limit when writing
records.
The ZFS_IOC_RECV_NEW ioctl, in the heal receive path, similarly
truncated a 64-bit payload size to a 32-bit integer for allocation,
then used the original 64-bit size as the length for a byteswap
operation.
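The size mismatch behind the two truncation bugs above, reduced to a user-space sketch beside one hardened form. This is an added example, not code from OpenZFS or from the FreeBSD patch; the struct, the function names and the reject-on-overflow policy are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical output-buffer state; names are illustrative, not OpenZFS's. */
struct out_buf {
    void    *mem;    /* backing allocation */
    uint32_t alloc;  /* bytes actually allocated */
    uint64_t limit;  /* bytes the record writer believes it may fill */
};

/* Flawed pattern: allocation uses the truncated size, limit keeps 64 bits. */
static int buf_init_flawed(struct out_buf *b, uint64_t user_size)
{
    b->alloc = (uint32_t)user_size;  /* high 32 bits silently dropped */
    b->limit = user_size;            /* writer still trusts all 64 bits */
    b->mem = malloc(b->alloc ? b->alloc : 1);
    return b->mem ? 0 : ENOMEM;
}

/* Hardened pattern: refuse oversized requests, derive limit from alloc. */
static int buf_init_checked(struct out_buf *b, uint64_t user_size)
{
    if (user_size == 0 || user_size > UINT32_MAX)
        return EINVAL;
    b->alloc = (uint32_t)user_size;
    b->limit = b->alloc;
    b->mem = malloc(b->alloc);
    return b->mem ? 0 : ENOMEM;
}

/* Invariant every writer depends on: limit never exceeds the allocation. */
static int buf_limit_is_safe(const struct out_buf *b)
{
    return b->limit <= b->alloc;
}

int main(void)
{
    uint64_t req = (1ULL << 32) + 64;  /* constructed size, low 32 bits = 64 */
    struct out_buf b;
    if (buf_init_flawed(&b, req) == 0) {
        printf("flawed:  alloc=%u limit=%llu safe=%d\n", b.alloc, (unsigned long long)b.limit, buf_limit_is_safe(&b));
        free(b.mem);
    }
    printf("checked: rc=%d (EINVAL=%d)\n", buf_init_checked(&b, req), EINVAL);
    return 0;
}
```

The same invariant check is a useful review question for any ioctl handler that narrows a caller-supplied length before allocating.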
The ZFS_IOC_SET_PROP ioctl, used by zfs-set(8), incorrectly validated
the calling user such that an unprivileged user is able to set metadata
on a dataset indicating that the dataset has received properties from
a zfs-recv(8) stream.
III. Impact
A local user with the "userused" delegated ZFS permission can trigger a
kernel heap overflow via the ZFS_IOC_USERSPACE_MANY ioctl, potentially
escalating privileges. [CVE-2026-49429]
A local user with the "receive" delegated ZFS permission can trigger
kernel memory corruption via ZFS_IOC_RECV_NEW by sending a crafted
receive stream in heal mode. [CVE-2026-49430]
Any local user can set the internal ZFS metadata flag "$hasrecvd" on
datasets via ZFS_IOC_SET_PROP. [CVE-2026-49431]
IV. Workaround
Systems that do not use ZFS are not affected. The first two bugs
are only triggerable by the root user or by a user with delegated
permissions.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-15.patch.asc
# gpg --verify zfs-15.patch.asc
[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:40/zfs-14.patch.asc
# gpg --verify zfs-14.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch -E -p0 < /path/to/patch
c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              25c6e6ed725d    stable/15-n284009
releng/15.1/                            7eeab0afea4d  releng/15.1-n283568
releng/15.0/                            2318d229b76a  releng/15.0-n281070
stable/14/                              6419ed0df139    stable/14-n274448
releng/14.4/                            62f64d81b50e  releng/14.4-n273730
releng/14.3/                            6503d56e7c63  releng/14.3-n271530
-------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://www.cve.org/CVERecord?id=CVE-2026-49429>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-49430>
<URL:https://www.cve.org/CVERecord?id=CVE-2026-49431>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:40.zfs.asc>
