
FreeBSD Security Advisory FreeBSD-SA-26:41.libalias

Posted on 30 June 2026

=============================================================================
FreeBSD-SA-26:41.libalias                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in libalias RTSP handler

Category:       core
Module:         libalias
Announced:      2026-06-30
Credits:        Atuin - Automated Vulnerability Discovery Engine,
                Tianchu Chen of Tencent Xuanwu Lab
Credits:        UC Berkeley Antiproof
Credits:        Stanislav Fort of Aisle Research
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-30 17:20:09 UTC (stable/15, 15.1-STABLE)
                2026-06-30 17:21:58 UTC (releng/15.1, 15.1-RELEASE-p1)
                2026-06-30 17:21:26 UTC (releng/15.0, 15.0-RELEASE-p11)
                2026-06-30 17:19:50 UTC (stable/14, 14.4-STABLE)
                2026-06-30 17:20:58 UTC (releng/14.4, 14.4-RELEASE-p7)
                2026-06-30 17:20:32 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name:       CVE-2026-49420

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

libalias is a library that performs Network Address Translation (NAT)
for outgoing and incoming IP packets. It includes protocol-specific
handlers for application-layer protocols such as RTSP that embed
addresses or port numbers in their payload. libalias is used by
ipfw(4) to implement in-kernel NAT, and by natd(8).

II. Problem Description

The RTSP handler in libalias rewrote outgoing packets into a
fixed-length stack buffer without checking whether the rewritten
data fit in the buffer, or whether the result fit back in the
original packet.

III. Impact

A host sending crafted RTSP traffic from inside a NAT gateway using libalias
can overflow a stack buffer, potentially achieving remote code execution
in the kernel (when using ipfw(4) NAT) or in the natd(8) process (which
generally runs as the root user).

IV. Workaround

Systems running natd(8) are vulnerable only so long as
libalias_smedia.so is listed in /etc/libalias.conf. Removing it from
that file and restarting natd(8) ensures that the vulnerable code is not
loaded.

Systems using ipfw(4) to implement NAT are affected only if the
alias_smedia.ko kernel module is loaded.

The affected code only runs on TCP or UDP packets undergoing outbound
NAT translation, when the source port is 554 or 7070, or the destination
port is 554 or 7070. Dropping such packets before they reach the NAT
rule prevents the bug from being triggered.
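
The first two workaround conditions can be checked mechanically. The script below is an added example, not part of the FreeBSD advisory; it assumes /etc/libalias.conf lists one module path per line with '#' starting a comment, and its sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not part of the advisory): check the two module-related
# workaround conditions from section IV. Assumption: /etc/libalias.conf lists
# one module path per line and '#' starts a comment.

# Reads libalias.conf text on stdin; succeeds if an active (uncommented)
# line names libalias_smedia.so.
smedia_in_conf() {
    sed -e 's/#.*$//' |
        grep -Eq '(^|[/[:space:]])libalias_smedia\.so[[:space:]]*$'
}

# Reads `kldstat` output on stdin; succeeds if alias_smedia.ko is loaded.
smedia_kld_loaded() {
    awk '$NF == "alias_smedia.ko" { found = 1 } END { exit !found }'
}

# Prints one finding per exposed component, nothing if neither applies.
report_exposure() {   # $1 = libalias.conf text, $2 = kldstat output
    if printf '%s\n' "$1" | smedia_in_conf; then
        echo "natd: libalias_smedia.so is enabled in libalias.conf"
    fi
    if printf '%s\n' "$2" | smedia_kld_loaded; then
        echo "ipfw: alias_smedia.ko is loaded"
    fi
}

# Constructed sample inputs: the natd module is commented out, the kernel
# module is loaded.
SAMPLE_CONF='# Modules configuration file for libalias.
/usr/lib/libalias_ftp.so
#/usr/lib/libalias_smedia.so'
SAMPLE_KLDSTAT='Id Refs Address                Size Name
 1   14 0xffffffff80200000  1d3a2f8 kernel
 2    1 0xffffffff82a18000     3218 alias_smedia.ko'

# On a live system, pass the real data instead of the samples:
#   report_exposure "$(cat /etc/libalias.conf)" "$(kldstat)"
report_exposure "$SAMPLE_CONF" "$SAMPLE_KLDSTAT"
```

The script does not examine the ipfw ruleset, so the port 554/7070 filtering described above has to be verified separately.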

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64 or
arm64 platforms, which were installed using base system packages, can be
updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-15.patch.asc
# gpg --verify libalias-15.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-14.patch.asc
# gpg --verify libalias-14.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
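
After updating, the installed patch level can be compared with the "Corrected" entries in the advisory header. The function below is an added example, not part of the FreeBSD advisory; it classifies only the release branches listed there and reports "unknown" for everything else, and its sample version strings are constructed.

```shell
#!/bin/sh
# Added example (not part of the advisory): classify a `freebsd-version`
# string against the "Corrected" patch levels listed in this advisory.

# Prints "patched", "vulnerable" or "unknown" for one version string.
sa2641_status() {
    ver=$1
    case $ver in
        *-RELEASE)    rel=${ver%-RELEASE}; plevel=0 ;;
        *-RELEASE-p*) rel=${ver%%-RELEASE-p*}; plevel=${ver##*-RELEASE-p} ;;
        *)            echo unknown; return 0 ;;  # -STABLE etc.: use commit counts
    esac
    # Reject a non-numeric patch level instead of guessing.
    case $plevel in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    # Minimum fixed patch level per release branch, from the advisory header.
    case $rel in
        15.1) min=1 ;;
        15.0) min=11 ;;
        14.4) min=7 ;;
        14.3) min=16 ;;
        *)    echo unknown; return 0 ;;  # branch not listed in the advisory
    esac
    if [ "$plevel" -ge "$min" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample inputs. On a live system check both kernel and userland:
#   sa2641_status "$(freebsd-version -k)"
#   sa2641_status "$(freebsd-version -u)"
for v in 15.0-RELEASE-p10 15.0-RELEASE-p11 14.3-RELEASE 15.1-STABLE; do
    printf '%s: %s\n' "$v" "$(sa2641_status "$v")"
done
```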

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              1546794142f9    stable/15-n284325
releng/15.1/                            1b96804ba50d  releng/15.1-n283570
releng/15.0/                            64ce87df6876  releng/15.0-n281072
stable/14/                              4c0f47666666    stable/14-n274450
releng/14.4/                            0a7dd3d960c8  releng/14.4-n273732
releng/14.3/                            935a96aa77be  releng/14.3-n271532
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2026-49420>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:41.libalias.asc>

 
