FreeBSD The Power to Serve

FreeBSD 12.3-RELEASE Release Notes


The release notes for FreeBSD 12.3-RELEASE contain a summary of the changes made to the FreeBSD base system on the 12-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.


This document contains the release notes for FreeBSD 12.3-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.

The release distribution to which these release notes apply represents the latest point along the 12-STABLE development branch since 12-STABLE was created. Information regarding pre-built, binary release distributions along this branch can be found at

The release distribution to which these release notes apply represents a point along the 12-STABLE development branch between 12.2-RELEASE and the future 12.4-RELEASE. Information regarding pre-built, binary release distributions along this branch can be found at

This distribution of FreeBSD 12.3-RELEASE is a release distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook.

All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 12.3-RELEASE can be found on the FreeBSD Web site.

This document describes the most user-visible new or changed features in FreeBSD since 12.2-RELEASE. In general, changes described here are unique to the 12-STABLE branch unless specifically marked as MERGED features.

Typical release note items document recent security advisories issued after 12.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

Upgrading from Previous Releases of FreeBSD

Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity.

Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.

Upgrading FreeBSD should only be attempted after backing up all data and configuration files.

Security and Errata

This section lists the various Security Advisories and Errata Notices since 12.2-RELEASE.

Security Advisories

Advisory Date Topic


1 December 2020

Use-after-free in error message handling


1 December 2020

Multiple vulnerabilities


8 December 2020

NULL pointer de-reference


29 January 2021

Kernel stack disclosure


29 January 2021

Kernel panic


24 February 2021

Privilege escalation


24 February 2021

Privilege escalation


24 February 2021

Privilege escalation


24 February 2021

Resource leaks


25 March 2021

Multiple vulnerabilities


6 April 2021

Kernel memory disclosure


6 April 2021

Privilege escalation or memory disclosure


6 April 2021

Privilege escalation


26 May 2021

Mitigation bypass


26 May 2021

Denial of service


24 August 2021

Missing error handling in bhyve(8) device models


24 August 2021

Remote code execution in ggatec(8)


24 August 2021

libfetch out of bounds read


24 August 2021

Multiple vulnerabilities in OpenSSL


24 August 2021

Multiple vulnerabilities in OpenSSL

Errata Notices

Errata Date Topic


1 December 2020

execve/fexecve system call auditing


1 December 2020

Timezone database information update


1 December 2020

Uninitialized variable


1 December 2020

Race condition in callout CPU migration


29 January 2021

Timezone database information update


29 January 2021

Panic when destroying VNET and epair simultaneously


29 January 2021

zfs recv fails to propagate snapshot deletion


24 February 2021

Boot-time microcode loading causes a boot hang


24 February 2021

Root certificate bundle update


24 February 2021

freebsd-update passwd regeneration

6 April 2021 not settable from loader.conf(5)


6 April 2021

lldb abort on print command


26 May 2021

Race condition in aesni(4) encrypt-then-auth operations


26 May 2021

Kernel double free when transmitting on a divert socket


26 May 2021

pms(4) data corruption


26 May 2021

dc update


1 June 2021

Incorrect validation in rad_get_attr(3)


30 June 2021

libcasper assertion failure


30 June 2021

Linux compatibility layer futex(2) system call vulnerability


24 August 2021

OpenSSL 1.1.1e API functions not exported


24 August 2021

Fix NVMe iovec construction for large IOs


4 November 2021

Root certificate bundle update


4 November 2021

Fix kernel panic in vmci driver initialization


4 November 2021

Timezone database information update


This section covers changes and additions to userland applications, contributed software, and system utilities.

Userland Configuration Changes

An update to the caroot CA bundle processor to support certificates marked with a DISTRUST_AFTER entry.

The /etc/ rc(8) script will now be run after all user processes have terminated.

Userland Application Changes

The automount(8) utility will now explicitly set the root path to / before performing an automatic mount.

The bectl(8) utility will now throw an error to prevent the creation of a boot environment with spaces.

The bhyve(8) utility had support for large IOs fixed in nvme(4) emulation.

The cmp(1) utility received -b, --print-bytes flags to be compatible with GNU cmp(1).

The cmp(1) utility received the -i, --ignore-initial flags as an alternative to skip1/skip2.

The cmp(1) utility now accepts SI suffixes for skip1/skip2.

The cmp(1) utility received the -n, --bytes flags to limit number of bytes to compare.

The cpuset(1) utility can now be used by a jail to modify the roots of a child jail.

The cron(8) utility will now pull in the user or login class environment variables.

The daemon(8) utility now has a -H flag allowing it to catch a SIGHUP and re-open output file. This was added to support newsyslog(8) operations.

The diff(1) utility will now honor other flags, such as -w when -q is specified.

The elfctl(1) utility has received a -l flag to ignore unknown variables, allowing it to work across multiple versions of FreeBSD by ignoring features which are not implemented.

The etcupdate(8) utility now supports a revert mode to restore one or more files.

The etcupdate(8) utility has received a -D flag to specify a destination directory.

The etcupdate(8) will now always extract to a temporary tree and gracefully handle a SIGINT.

The freebsd-update(8) utility received a -j flag to support jails.

The freebsd-version(1) utility received -j flag to support jails.

The fstyp(8) utility will now detect and show exFAT filesystems with the -l flag.

The geli(8) utility will no longer report an error when performing a resize to the same size.

The grep(1) utility will now disable -w if -x is also specified.

The growfs(8) utility will now function on RW mounted filesystems.

The kldxref(8) utility will no longer error out if the directory specified with the -d flag is not actually a directory.

The mergemaster(8) utility will now handle symbolic links during the update process.

The mksnap_ffs(8) utility received a fix for a crash which triggered a Panic: snapacct_ufs2: bad block panic.

The mount(8) utility will now properly show with quotas when quotas are enabled.

The mountd(8) utility will now generate a syslog(3) message when the V4: line is missing from /etc/exports.

The newsyslog(8) utility received a new E flag to prevent rotation of empty log files.

The pkg(7) utility received a -r flag used to specify a reponame for bootstrap and add.

The pkg(7) utility will now use environment variables specified in pkg.conf.

The rc.d/jail rc(8) script had a keyword change to fix jails within jails support.

The rtsold(8) daemon will now work on if_vlan (see: vlan(4)) interfaces.

The service(8) utility will now set the environment of the daemon class before invoking.

The tcpdump(8) utility will now decode packets on pfsync interfaces.

The top(1) command received the / filter on command option for displaying processes or arguments that match a specified string (imported from OpenBSD).

A segmentation fault in unzip(1) has been fixed when a target archive contains a buggy name.

The unzip(1) utility now supports password protected archives.

The zgrep(1) utility will now properly print version information when the --version parameter is specified.

The wpl_cli(8) utility now has an action file event where an event may be passed to a file.

Contributed Software

The awk(1) metamode fixes have been merged in addition to a code synchronization with upstream (to version 20210221).

Fixes for SHA256 were merged into apr (Apache Portable Runtime) from upstream (see r1889604, r1807975 upstream).

The bc(1) contributed software has been updated to 5.0.0.

The less(1) utility was updated to version v581.2.

The libarchive(3) library had a bugfix for symlink processing imported.

Libarchive version 3.5.1 was imported.

OpenPAM was upgraded to OpenPAM Tabebuia.

OpenSSL 1.1.1l was imported into the tree.

SQLite3 3.35.5 was imported into the tree.

TCSH 6.22.04 was imported into the tree.

Subversion was updated to version 1.14.1 LTS.

The vi(1) utility was updated to nvi 2.2.0-3bbdfe4.

The contrib/tzdata information was updated to correct DST (Daylight Savings Time) in Jordan and Samoa.

The tzdata 2021a was imported into the tree.

The unzip(1) utility was synced with the upstream NetBSD version.

Runtime Libraries and API

The internal KAPI between the krpc and nfsd modules was updated (see UPDATING).

The powf(3) library received a fix to prevent an incorrect result with x near 1 and |y| much larger than 1 and a test kit imported from NetBSD.


This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized.

General Kernel Changes

The ipfw(8) firewall was provided a dnctl(8) to manage dummynet(4) configurations.

An opencrypto kern.crypto sysctl(8) node was added.

A new sysctl(8), debug.uma_reclaim, was added.

The kern.timecounter.hardware OID was converted into a tuneable.

New PCI ID information was added for ASMedia® ASM116x PCIe 3.0 AHCI controllers and Intel® Gemini Lake I2C controllers.

The GENERIC kernel for amd64 now includes options COMPAT_LINUXKPI and the mlx5en(4) device driver.

Devices and Drivers

This section covers changes and additions to devices and device drivers since 12.2-RELEASE.

Device Drivers

The alc(4) device driver now supports the Mikrotik® 10/25G Network device.

The amdtemp(4) device driver has learned about family 17h models: M20h (Dali, Zen1), M60H (Renoir, Zen2), and M90H (Van Gogh, Zen2).

The amdtemp(4) device driver received support for Zen 3 "Vermeer" and Ryzen® 4000 APU (Zen 2, "Renoir").

The amdsmn(4) device driver received support for Zen 3 "Vermeer" and Ryzen® 4000 APU (Zen 2, "Renoir").

The cam(4) driver had quick unplug and replug SCSI fixed.

The bnxt(4) device driver will now report if WOL (Wake On Lan) support is supported on the hardware and show an enabled status if a filter was applied on system initialization.

The em(4) device driver now supports the flashless i211 PBA.

The em(4) device driver received several updates to shared code.

The ena(4) device driver was updated to 2.4.1.

The ice(4) device driver was updated to 0.28.1-k with an updated ice_ddp package file of version

A new driver, igc(4) was added to support the Intel® I225 Ethernet controller and supports 2.5G/1G/100MB/10MB.

The ixgbe(4) device driver received a shared code update.

The ixgbe(4) device driver received a fix for the x550em 10G NIC link status where the auto-negotiation feature was not reported correctly.

The ixl(4) device driver was given the hw.ix.flow_control tuneable.

The ixl(4) device driver had an update in shared code and fixes for 2.5G and 5G speeds.

The iwm(4) device driver now supports the Intel® Killer® Wireless-AC 1550i.

The msdosfs(5) filesystem driver received a fix for msdosfs suspension.

The ng_bridge(4) netgraph node is now SMP aware.

The ng_nat(4) netgraph node received support for RFC 6598/Carrier Grade NAT support.

The ng_source(4) netgraph node may now be injected into any netgraph network.

The nvdimm(4) ACPI driver will now export health information via a sysctl(8).

The nvme(4) device driver received support for MSI and single MSI-X support.

The nvme(4) device driver received several merged bugfixes.

The pf(4) firewall has received several bugfixes and updates.

The rctl(4) resource limits driver now supports throttling resource usage to 0 for rate-based resources that support throttling. These resources will respect the duration set by the kern.racct.rctl.throttle_max sysctl(8).

The rsu(4) device driver now supports the ASUS® WL-167G V3 device.

The rtwn_usb(4) device driver now supports the Mercusys® MW150US (N150 Nano), TP-Link® Archer T2U v3, and D-Link® DWA-121 (N150 Nano) devices.

The run(4) device driver now supports the D-Link® DWA-130 rev F1 wireless adapter and the ASUS® USB-N14 wireless adapter.

The tcp(4) protocol will now tolerate the missing of timestamps (RFC 1323/RFC 7323) via the use of the net.inet.tcp.tolerate_missing_ts sysctl(8).

The uart(4) device driver now supports the Intel® 100 Series/C230 Series AMT.

The vlan(4) interface can now support ALTQ.


This section covers changes and additions to file systems and other storage subsystems, both local and networked.

General Storage

A fix for handling of embedded symbolic links in UFS/FFS was merged.

A fix for NFSv4.1 Linux client mount getting stuck in CLOSE_WAIT status was merged.

A fix for NFSv4.1/4.2 mount recovery from an expired lease was merged.

Boot Loader Changes

This section covers the boot loader, boot menu, and other boot-related changes.

Boot Loader Changes

The boot loader will now support booting an OS from a memory disk.

The boot loader will now support pools without features.

The boot loader will now accept the zfs features com.delphix:bookmark_written and com.datto:bookmark_v2.

A new OID, was added to lua loader prevent device attachment during boot.


This section describes changes that affect networking in FreeBSD.

General Network

Several fixes for NFSv4 were merged.

A segmentation fault during wpa EAP/PEAP MSCHAPv2 authentication was fixed.

The fetch(3) library now supports proxying FTP over HTTPS.

General Notes Regarding Future FreeBSD Releases


Support for recording EC2 AMI Ids in SSM was added to release/Makefile.ec2 to allow SSM Parameter names to look like /aws/service/freebsd/amd64/base/ufs/12.3/RELEASE using the public prefix /aws/service/freebsd.

Default CPUTYPE Change

Starting with FreeBSD-13.0, the default CPUTYPE for the i386 architecture will change from 486 to 686.

This means that, by default, binaries produced will require a 686-class CPU, including but not limited to binaries provided by the FreeBSD Release Engineering team. FreeBSD 13.0 will continue to support older CPUs, however users needing this functionality will need to build their own releases for official support.

As the primary use for i486 and i586 CPUs is generally in the embedded market, the general end-user impact is expected to be minimal, as new hardware with these CPU types has long faded, and much of the deployed base of such systems is nearing retirement age, statistically.

There were several factors taken into account for this change. For example, i486 does not have 64-bit atomics, and while they can be emulated in the kernel, they cannot be emulated in the userland. Additionally, the 32-bit amd64 libraries have been i686 since their inception.

As the majority of 32-bit testing is done by developers using the lib32 libraries on 64-bit hardware with the COMPAT_FREEBSD32 option in the kernel, this change ensures better coverage and user experience. This also aligns with what the majority of Linux® distributions have been doing for quite some time.

This is expected to be the final bump of the default CPUTYPE in i386.

This change does not affect the FreeBSD 12.x series of releases.

Last modified on: December 7, 2021 by Glen Barber