SecurityHome.eu FreeBSD Security Advisory FreeBSD-SA-26:31.arm64

Home / mailings PDF

FreeBSD Security Advisory FreeBSD-SA-26:31.arm64
Posted on 10 June 2026
FreeBSD security notificat
=============================================================================FreeBSD-SA-26:31.arm64 Security Advisory
The FreeBSD Project

Topic: Arm CPU errata may bypass page table permission changes

Category: core
Module: arm64
Announced: 2026-06-09
Affects: All supported versions of FreeBSD
Corrected: 2026-06-09 19:17:34 UTC (stable/15, 15.1-STABLE)
2026-06-09 19:20:12 UTC (releng/15.1, 15.1-RC3-p1)
2026-06-09 19:19:50 UTC (releng/15.0, 15.0-RELEASE-p10)
2026-06-09 19:17:51 UTC (stable/14, 14.4-STABLE)
2026-06-09 19:19:12 UTC (releng/14.4, 14.4-RELEASE-p6)
2026-06-09 19:18:41 UTC (releng/14.3, 14.3-RELEASE-p15)
CVE Name: CVE-2025-10263

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I. Background

Page tables control the translation of virtual addresses to physical
addresses and the access permissions on those addresses. On Arm CPUs, when
page table permissions are updated, a TLB Invalidate (TLBI) instruction
followed by a Data Synchronization Barrier (DSB) must be issued to ensure
subsequent accesses observe the new permissions.

II. Problem Description

Some Arm CPUs have errata where the ordering of stores and the TLBI+DSB
sequence may be incorrect. If one CPU stores to a virtual address while
another CPU invalidates the translation for that address, the second CPU's
TLBI+DSB may complete before the first CPU's store has been globally
observed.

III. Impact

This erratum may allow software to write to a previously writable location
after the page table is modified to forbid writes to that location.
Consequently this may allow software to write to memory owned by a higher
exception level, possibly allowing software to escalate privilege to that
higher exception level.

IV. Workaround

No workaround is available. The following ARM CPU models are affected:

C1-Premium
C1-Ultra
Cortex-A76
Cortex-A76AE
Cortex-A77
Cortex-A78
Cortex-A78AE
Cortex-A78C
Cortex-A710
Cortex-X1
Cortex-X1C
Cortex-X2
Cortex-X3
Cortex-X4
Cortex-X925
Neoverse-N1
Neoverse-N2
Neoverse-V1
Neoverse-V2
Neoverse-V3
Neoverse-V3AE

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-15.patch.asc
# gpg --verify arm64-15.patch.asc

[FreeBSD 14.4]
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.4.patch
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.4.patch.asc
# gpg --verify arm64-14.4.patch.asc

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.3.patch
# fetch https://security.FreeBSD.org/patches/SA-26:31/arm64-14.3.patch.asc
# gpg --verify arm64-14.3.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 9d9d6c6e6081 stable/15-n283887
releng/15.1/ 81435fc0882c releng/15.1-n283556
releng/15.0/ a53619675cdc releng/15.0-n281058
stable/14/ e99aa8682dba stable/14-n274316
releng/14.4/ 889e306ded21 releng/14.4-n273720
releng/14.3/ 61d0cea4c00f releng/14.3-n271520
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://www.cve.org/CVERecord?id=CVE-2025-10263>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:31.arm64.asc>

TOP

Mailings :

Last 20

Exploits :

Last 20