Unsubscribe
> On 10 Jun 2026, at 00:32, FreeBSD Security Advisories
> <[email protected]> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-26:28.capsicum Security Advisory
> The FreeBSD Project
>
> Topic: sigqueue(2) missing capability mode restriction
>
> Category: core
> Module: capsicum
> Announced: 2026-06-09
> Credits: Ed Maste
> Affects: All supported versions of FreeBSD.
> Corrected: 2026-05-29 19:11:40 UTC (stable/15, 15.1-STABLE)
> 2026-06-09 19:20:09 UTC (releng/15.1, 15.1-RC3-p1)
> 2026-06-09 19:19:46 UTC (releng/15.0, 15.0-RELEASE-p10)
> 2026-05-29 19:12:58 UTC (stable/14, 14.4-STABLE)
> 2026-06-09 19:19:08 UTC (releng/14.4, 14.4-RELEASE-p6)
> 2026-06-09 19:18:38 UTC (releng/14.3, 14.3-RELEASE-p15)
> CVE Name: CVE-2026-45259
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I. Background
>
> Capsicum is a lightweight OS capability and sandbox framework. It provides
> two kernel primitives: capability mode, and capabilities. Capability mode
> restricts the ability of a sandboxed process to interact with the global
> namespace, including the ability to send signals to other processes, other
> than via capability-based interfaces.
>
> In capability mode, kill(2) restricts signal delivery to the calling process
> only, preventing a sandboxed process from signalling other processes.
> sigqueue(2) provides similar signal delivery functionality, and is similarly
> permitted in capability mode.
>
> II. Problem Description
>
> sigqueue(2) was marked as permitted in capability mode with the introduction
> of Capsicum in 2011, but the implementation of kern_sigqueue did not include
> a capability mode check restricting signal delivery to the calling process's
> own PID.
>
> III. Impact
>
> A process in capability mode can use sigqueue(2) to send signals to any
> process it could signal following standard Unix permissions, bypassing the
> Capsicum sandbox restriction. A compromised sandboxed process could
> interfere with other processes, for example by sending SIGKILL or SIGSTOP.
> This could be any process running as the same user, or any process, for a
> superuser sandboxed process.
>
> IV. Workaround
>
> No workaround is available.
>
> V. Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date, and
> reboot.
>
> Perform one of the following:
>
> 1) To update your vulnerable system installed from base system packages:
>
> Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
> platforms, which were installed using base system packages, can be updated
> via the pkg(8) utility:
>
> # pkg upgrade -r FreeBSD-base
> # shutdown -r +10min "Rebooting for a security update"
>
> 2) To update your vulnerable system installed from binary distribution sets:
>
> Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
> which were not installed using base system packages can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
> # shutdown -r +10min "Rebooting for a security update"
>
> 3) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> [FreeBSD 15.1]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.1.patch.asc
> # gpg --verify capsicum-15.1.patch.asc
>
> [FreeBSD 15.0]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-15.0.patch.asc
> # gpg --verify capsicum-15.0.patch.asc
>
> [FreeBSD 14.x]
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch
> # fetch https://security.FreeBSD.org/patches/SA-26:28/capsicum-14.patch.asc
> # gpg --verify capsicum-14.patch.asc
>
> b) Apply the patch. Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile your kernel as described in
> <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
> system.
>
> VI. Correction details
>
> This issue is corrected as of the corresponding Git commit hash in the
> following stable and release branches:
>
> Branch/path Hash Revision
> - -------------------------------------------------------------------------
> stable/15/ defd9b86ef99 stable/15-n283744
> releng/15.1/ 871d33e8a66a releng/15.1-n283553
> releng/15.0/ 77ee83d12625 releng/15.0-n281055
> stable/14/ d11ff01b3aec stable/14-n274231
> releng/14.4/ eab757f954ed releng/14.4-n273717
> releng/14.3/ f56e8cb94df6 releng/14.3-n271517
> - -------------------------------------------------------------------------
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat <commit hash>
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> VII. References
>
> <URL:https://www.cve.org/CVERecord?id=CVE-2026-45259>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:28.capsicum.asc>
> -----BEGIN PGP SIGNATURE-----
>
> iQJPBAEBCgA5FiEEthUnfoEIffdcgYM7bljekB8AGu8FAmoolxAbFIAAAAAABAAO
> bWFudTIsMi41KzEuMTIsMCwzAAoJEG5Y3pAfABrv9xQQALSpP1xklc9UjGzlSpTo
> 2owWykX02TVDqd7a57jEFpak6F9sJ1B83jrkEQVIGjBGQpTIWYt/C34QEzeo502F
> +dqfqXr32MyudPDq+lsWB7HhafG/gktTDpibJrQkqPDdTc+TwzzhoHxGAdckAMsr
> vCqnUF6UmtmTzQEyoQBqPGPWbVnyVboOQ0ZvKouMZdMBVlC7IvWPDlbpMEOLePTE
> NPHeuxFYbFHMUkOLq97Dhg4XTqdIG0t3n/0jA1kjCDvJWDbXpR1bPy1USTNxHO35
> xjeZshL2IWXDJSxLFBNE+cNFwg4dyp5vXcQXh3HtyMC9PMPMyIbJT7zQluV3CVI7
> 9gC6MMH7QiLssj5hJqMSXccrNzkag6Alu9ET5A/NtoGjyogbXmIPsQ9hLAqf/c9v
> 5m4O86dlHBL/JsGcPqsGw3+gucqgso2gy4yQ8h1GqGwNGv440TMAHRz5eAu+qOZq
> tDxo3OqK3HIEoChiQaRZp5bc/p0L1Rfka10J0HmIxB2KkdHEjdMn5SBsEYRsIv5v
> Sp34rl0cLm0oHraIQ0jNVTwZetrxl4CMIAexHYO1hJ+jZDRdBQ5CC7S83+t2Tbnu
> JgRsm6A+1TZfWsaflIx9ga42DEndXgqpmdrtjIFoO1zNQjrvcd3sqJH6GTMNdywg
> 2woyv6Bb/bwINWDE7EhicoJl
> =WJPW
> -----END PGP SIGNATURE-----
>