-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
============================================================================= FreeBSD-EN-25:19.zfs Errata Notice
The FreeBSD Project
Topic: Unprivileged kernel NULL pointer dereference
Category: contrib
Module: openzfs
Announced: 2025-12-16
Credits: Collin Funk
Affects: FreeBSD 15.0
Corrected: 2025-12-15 14:16:12 UTC (stable/15, 15.0-STABLE)
2025-12-16 23:42:59 UTC (releng/15.0, 15.0-RELEASE-p1)
For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit <URL:
https://security.FreeBSD.org/>.
I. Background
ZFS is an advanced and scalable file system that is commonly used on FreeBSD.
II. Problem Description
Invoking the fsync(2) system call on a named pipe will trigger a NULL pointer dereference in the kernel, causing a system panic.
III. Impact
A malicious, unprivileged user may be able to panic the system.
Software which attempts to fsync a named pipe may inadvertently panic the system.
IV. Workaround
No workaround is available. Systems not using ZFS are unaffected.
V. Solution
Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date, and reboot.
Perform one of the following:
1) To update your system via a binary patch:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
# shutdown -r now
2) To update your system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch
https://security.FreeBSD.org/patches/EN-25:19/zfs.patch
# fetch
https://security.FreeBSD.org/patches/EN-25:19/zfs.patch.asc
# gpg --verify zfs.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in <URL:
https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the following stable and release branches:
Branch/path Hash Revision
- ------------------------------------------------------------------------- stable/15/ d988a0c1fc4c stable/15-n281511 releng/15.0/ ff6b9c7c1c34 releng/15.0-n280996
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:
https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
The latest revision of this advisory is available at <URL:
https://security.FreeBSD.org/advisories/FreeBSD-EN-25:19.zfs.asc> -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+bIACgkQbljekB8A Gu8e+hAA1P5avUtCSkV+8EtFRP06yMwe/Lq79Q/pKZPPznhweJYx2tiEey7qfUEA 7QT8aE8EgOCaaVs159Jn5c3RmQUeV9k+CKWxGbMuThfQJTX/ytmVdQX9tbTyfet1 o6zZmvRViWR+GpArtCDrjapV5luvvW4DqFN0wBhqAN4PK4GUG/77kbWeeRGGNcNF 2hzjrqUsi7vQ4CrhYYJH01PKIOW7V4HySzodPKSD24/LxILRY/XAA5y3n1gLeZ/i G8JWIjX3bhKrmyHlL+bOCPcUpJEC3CD//CtisGQX0UsOrRbR6nZrDVpIXGnrW9kM qUZvwjd731sTmab/ZyKcqoJ5cOwe1fBHgB/uK7H8DLzUCijiUS2+m+X5U6ncggFW qsFpdW2rEUWDoc1n1qkFpIbkQqXZKiEaX5C1MFcQvRv/5nkXszHMVSKuhuamC6xc Or7GXnxSVsTLS0H5ASg5aY65KsiJdDJI/4I6VSv7BIzJrZGXA/eH0G5+lAyU7rfd vZ67vtT+Gvz2Hof8oFwUL/6ID2v/RLKG9+wIx5m2HB6DsdxqB/UCpAVV5yh2FIt9 OUODbFKIGQMtBL1pUhqxAIOzbJfAxcZfR11+2MuQWIkEXVMHWu86mRjxrQd33c10 HET/1kMnGTZBbi77QM9eQvLqxfXRhRslquITHWz6XE+QN4hu44o=
=o0ys
-----END PGP SIGNATURE-----
--- PyGate Linux v1.5.2
* Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)