FreeBSD 14.4-RELEASE Release Notes
Abstract
The release notes for FreeBSD 14.4-RELEASE contain a summary of the changes made to the FreeBSD base system on the 14-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
Introduction
This document contains the release notes for FreeBSD 14.4-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
The "release" distribution to which these release notes apply represents the latest point along the 14-STABLE development branch since 14-STABLE was created. Information regarding pre-built, binary "release" distributions along this branch can be found at https://www.FreeBSD.org/releases/.
The "release" distribution to which these release notes apply represents a point along the 14-STABLE development branch between 14.3-RELEASE and the future 14.5-RELEASE. Information regarding pre-built, binary "release" distributions along this branch can be found at https://www.FreeBSD.org/releases/.
This distribution of FreeBSD 14.4-RELEASE is a "release" distribution. It can be found at https://www.FreeBSD.org/releases/ or any of its mirrors. More information on obtaining this (or other) "release" distributions of FreeBSD can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 14.4-RELEASE can be found on the FreeBSD Web site.
This document describes the most user-visible new or changed features in FreeBSD since 14.3-RELEASE. In general, changes described here are unique to the 14-STABLE branch unless specifically marked as MERGED features.
Typical release note items document recent security advisories issued after 14.3-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
Upgrading from Previous Releases of FreeBSD
Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. See the release-specific upgrade procedure, FreeBSD 14.4-RELEASE upgrade information, with more details in the FreeBSD handbook binary upgrade procedure. This will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity.
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.
Upgrading FreeBSD should only be attempted after backing up all data and configuration files.
Security and Errata
This section lists the various Security Advisories and Errata Notices since 14.3-RELEASE.
Security Advisories
| Advisory | Date | Topic |
|---|---|---|
| | 2 July 2025 | Use-after-free in multi-threaded xz decoder |
| | 8 August 2025 | Integer overflow in libarchive leading to double free |
| | 30 September 2025 | Multiple vulnerabilities in OpenSSL |
| | 22 October 2025 | SO_REUSEPORT_LB breaks connect(2) for UDP sockets |
| | 26 November 2025 | Cache poison in local-unbound service |
| | 16 December 2025 | ipfw denial of service |
| | 16 December 2025 | Remote code execution via ND6 Router Advertisements |
| | 27 January 2026 | Multiple vulnerabilities in OpenSSL |
| | 27 January 2026 | Jail escape by a privileged user via nullfs |
| | 24 February 2026 | Jail chroot escape via fd exchange with a different jail |
| | 24 February 2026 | Local DoS and possible privilege escalation via routing sockets |
Errata Notices
| Errata | Date | Topic |
|---|---|---|
| | 2 July 2025 | Corruption in ZFS replication streams from encrypted datasets |
| | 8 August 2025 | bsdinstall(8) not copying the correct loader on systems with |
| | 8 August 2025 | net80211 TKIP crypto support fails for some drivers |
| | 8 August 2025 | route(8) monitor buffers too much when redirected to a file |
| | 16 September 2025 | arm64 syscall(2) allows unprivileged user to panic kernel |
| | 16 September 2025 | copy_file_range(2) fails to set output parameters |
| | 16 September 2025 | bnxt(4) fails to set media type in some cases |
| | 30 September 2025 | freebsd-update(8) installs libraries in incorrect order |
| | 27 January 2026 | arm64 SVE signal context misalignment |
| | 27 January 2026 | The page fault handler fails to zero memory |
Userland
This section covers changes and additions to userland applications, contributed software, and system utilities.
Userland Application Changes
The diff(1) utility now reports I/O errors encountered during the Stone algorithm’s file comparison phase, providing error messages where previously only the exit status indicated failure. 3c10ed2ba3aa. (Sponsored by Klara, Inc.)
The diff(1) utility no longer incorrectly compares a file or directory to itself, fixing a bug where diff could produce misleading output. In addition, several internal correctness and robustness improvements were made (see related commits), including fixes for resource leaks in the pagination code, improved error handling around file descriptor operations, and prevention of potential integer overflows when using very large context windows. Additional tests were added to cover these cases. b4139147bbb7, 6761e555376e, 2434f3b279a9, 238bf5ebf684. (Sponsored by Klara, Inc.)
The mdo(1) privilege-escalation utility adds new options to control user and group IDs in launched processes, including -k to keep current users, -g and -G to set primary and supplementary groups, -s to amend supplementary groups, and --euid/--ruid/--svuid/--egid/--rgid/--svgid to override specific IDs. This provides finer-grained control over process credentials while maintaining compatibility with existing behavior. 58f55afb301b. (Sponsored by The FreeBSD Foundation | Google LLC (GSoC 2025))
The sockstat(1) utility now displays UDP-Lite endpoints by default, providing visibility into these sockets alongside other network connections. 23cda744e4da.
The nuageinit(7) tool now supports the chpasswd command, allowing password changes via a list or multiline string, including deprecated syntax for compatibility with some providers. 6c912470030b. (Sponsored by OVHCloud)
The pkg(7) utility now parses command-line arguments in the same way as pkg(8), requiring options to be placed in the same positions. Note: This changes the behavior of some previously accepted command sequences, such as pkg -f bootstrap no longer working; users must use pkg bootstrap -f instead. 62947e508161. (Sponsored by The FreeBSD Foundation | The FreeBSD Foundation)
The bsdinstall(8) installer no longer supports ZFS installations using MBR disk layouts. This removes a previously broken option that could cause installation failures. 220584471931. (Sponsored by The FreeBSD Foundation)
The freebsd-update(8) utility now installs shared libraries in a specific order (libsys, libc, libthr, then others) to prevent failures during upgrades from 14.x to 15.x. e26928669f39. (Sponsored by https://www.patreon.com/cperciva)
The filesystem creation utility, newfs(8), gained a -u flag to disable the default soft updates and soft updates journaling for UFS2 filesystems. 929ef0d36c6c. (Sponsored by Klara, Inc. | NetApp, Inc.)
The ngctl(8) utility gained a -j flag to attach and run inside a jail, allowing manipulation of netgraph nodes from within a jail(8). This enables administrators to manage netgraph configurations in jails where ngctl may not be directly available. 04911babef1b.
A new utility for controlling sound devices, sndctl(8), has appeared with an interface similar to mixer(8). 00988d12bc37. (Sponsored by The FreeBSD Foundation)
The jail(8) subsystem has gained meta and env parameters, allowing arbitrary string metadata and environment information to be associated with each jail. The parameters can be set during jail creation or modified later using jail -cm, and can be viewed with jls(8). The security.jail.meta_maxbufsize sysctl(8) controls the maximum size of these parameters. 527027da391d. (Sponsored by SkunkWerks GmbH)
The Bluetooth startup script rc.d/bluetooth now retries the hccontrol reset up to three times for improved reliability and fixes a redirection bug that could create stray files. 53d1c328e912.
The swapon(8) utility now supports encrypted swap files using md(4) devices with an .eli suffix in fstab(5). This allows encrypted swap to be configured in fstab as previously documented. 9d80d681ee9d.
Contributed Software
The bc(1) and dc(1) calculators have been updated to version 7.1.0. ab36487a79cd.
The bmake(1) build utility has been updated to version 20251111. c95f96dea30a.
The Kerberos kadmin(1) utility gains a new -f option for dumping Heimdal KDC databases in MIT-compatible format, enabling migration to MIT KDC without recreating the database from scratch. a93e1b731ae4.
The less(1) pager has been updated to version 685. 054ae5e7b465.
The mandoc(1) manual page compiler has been updated to version 2025-09-26, with improved case sorting and visual compatibility with groff(1), fixes for a PDF/PS footer regression, and improvements to the linter. 7fa4ccb8e4e7, 8039d22f6afd.
The netcat utility, nc(1), now accepts service names like http in addition to port numbers for the -p option and as command-line arguments. 0fe58344e829.
The xz(1) data compression suite has been updated to version 5.8.2. 07700b0107dc.
The multi-format archive and compression library, libarchive(3), has been updated to version 3.8.5. This includes a bug fix for tar(1) to resolve a regression in zero-length pattern handling. 39fd1181e5b2.
libyaml has been updated to version 0.2.5. e52f11f4bbc8.
lyaml, a Lua binding for libyaml, is now available in the base system. c508393e49fc.
libucl(3) has been updated to version 0.9.2. 0a8d8b0c878f. (Sponsored by The FreeBSD Foundation)
The expat XML parser has been updated to version 2.7.3. a85cfcb61efd.
The OpenZFS filesystem has been updated to version 2.2.9. This release includes improvements to ARC shrinking, fixes for zpool add safety checks, zvol blk-mq synchronization, and BRT range conversion math. 709465f2c4f1.
The blacklistd(8) DoS prevention utility has been updated and renamed to blocklistd(8). 4690a369ff6d.
The mapping tree utility, mtree(8), has been updated improving compatibility and fixing bugs. f9d671f726ac.
The unbound(8) DNS resolver has been updated to version 1.24.1, mitigating YXDOMAIN and nodata non-referral answer poisoning, preventing a malicious actor from exploiting a possible cache poison attack. This addresses CVE-2025-11411. eeb41dca070f, cd40a23fb249.
The PCI vendors database has been updated to version 2026-02-10. 7805899ed791.
The USB vendor database has been updated to 2025-12-13. 02138275effb.
The Time Zone database has been updated to version 2025c. 68e2f4cc5e4e.
The SQLite database has been updated to version 3.50.4. ef55f6b86626.
The gallant console font now includes over 4300 glyphs, adding support for Greek, Cyrillic, IPA extensions, extended Latin, Zapf Dingbats, arrows, mathematical symbols, box drawing, currency symbols, and Powerline glyphs. This expands the character set available in the console for multilingual text and symbols. 8d2d6647d65a.
The spleen console font has been updated to version 2.2.0, adding missing characters (em-dash, en-dash, hyphen, angle brackets, white square, dagger, double dagger) and improving character alignment, particularly for high-dpi displays. c44ec96b471e.
OpenSSH has been updated to version 10.0p2. The update removes support for the weak DSA signature algorithm and changes the default key agreement to the post-quantum hybrid algorithm mlkem768x25519-sha256. The sshd(8) authentication phase now runs in a separate sshd-auth binary. 7ca599aa6139. (Sponsored by The FreeBSD Foundation)
OpenSSL has been updated to version 3.0.16. aed5a47b3a8a.
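A pre-upgrade check for the DSA removal noted in the OpenSSH entry above, as an added example that is not part of the release notes or the FreeBSD project's code: it flags ssh-dss public keys in authorized_keys or known_hosts style files and configuration lines that still name DSA. The function names, sample files, and sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FreeBSD project code): locate DSA material before moving
# to an OpenSSH release that no longer supports ssh-dss.

# find_dsa_keys FILE: print FILE:LINE for each ssh-dss key in an
# authorized_keys or known_hosts style file. The key type must be followed by
# a blob that starts with the base64 form of the ssh-dss type header, so the
# text ssh-dss inside a quoted option string is not reported.
find_dsa_keys() {
    awk -v f="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                if (($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) ||
                    $i == "ssh-dss-cert-v01@openssh.com") {
                    print f ":" NR
                    break
                }
            }
        }' "$1"
}

# find_dsa_config FILE: print FILE:LINE: TEXT for each active ssh_config or
# sshd_config line that names ssh-dss or loads a host key named *_dsa_key.
find_dsa_config() {
    awk -v f="$1" '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, w, /[ \t=]+/)
            kw = tolower(w[1])
            if (index(line, "ssh-dss") || (kw == "hostkey" && w[2] ~ /_dsa_key/))
                print f ":" NR ": " line
        }' "$1"
}

# Constructed sample input so the example runs offline.
tmp=$(mktemp -d) || exit 1
trap 'rm -rf "$tmp"' EXIT
keys="$tmp/authorized_keys"
conf="$tmp/sshd_config"

cat > "$keys" <<'EOF'
# constructed sample, not real keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed alice@example
ssh-dss AAAAB3NzaC1kc3MAAACBconstructed bob@example
command="echo ssh-dss is gone",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADconstructed carol@example
from="192.0.2.10" ssh-dss AAAAB3NzaC1kc3MAAACBconstructed dave@example
EOF

cat > "$conf" <<'EOF'
# constructed sshd_config fragment
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_dsa_key
PubkeyAcceptedAlgorithms +ssh-dss
KexAlgorithms mlkem768x25519-sha256,curve25519-sha256
EOF

echo "DSA public keys:"
find_dsa_keys "$keys"
echo "Configuration lines naming DSA:"
find_dsa_config "$conf"
```

On a real host, point the two functions at each user's authorized_keys file and at the ssh and sshd configuration files instead of the constructed samples.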
Deprecated Applications
The RIP routing protocol is deprecated and will be removed in a future release. The man pages for routed(8), rtquery(8), route6d(8), and rip6query(8) are updated to note the deprecation. Users needing RIP should use alternatives like 'bird' or 'quagga' from the ports collection. d350c18f98fd.
Runtime Libraries and API
The Internet network number manipulation library functions, inet_net_ntop(3) and inet_net_pton(3), are updated to correctly handle IPv6 addresses, fixing previous incorrect behavior. b4871be3490d. (Sponsored by https://www.patreon.com/bsdivy)
The PAM library now searches for modules in ${LOCALBASE}/lib/security, in addition to ${LOCALBASE}/lib. This allows PAM modules installed by ports that follow the Linux directory convention to be found and used. 65808459e21b.
Cloud Support
This section covers changes in support for cloud environments.
The nuageinit(7) virtual machine initializer received multiple improvements: execution is now logged; uses a fully compliant YAML parser; improves cloud-init compatibility (adds 'runcmd', 'packages', 'fqdn', 'hostname', 'sudo', 'write_files', 'nameservers', 'tzsetup', 'doas'); improves network support with many fixes, adds support for 'wakeonlan', 'set-name', and 'match.driver'; uses resolvconf(8); and only creates the default user when needed. Support has been added for cloud-init, configuration over the network, and package management. 548d4b2af90b, 5444803b745e, 3a680e954469, cbd62452bff6, d056f72c358b, 823f1076c7cd, bb3bc92f4df6. (Sponsored by OVHCloud)
Kernel
This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized.
General Kernel Changes
The jail(8) system will restrict unprivileged users in a parent jail from scheduling, debugging, or signaling processes in subordinate jails by default in FreeBSD 15.0 and later. New privileges PRIV_SCHED_DIFFJAIL, PRIV_DEBUG_DIFFJAIL, and PRIV_SIGNAL_DIFFJAIL are required for such cross-jail operations. Note: A new jail parameter allow.nounprivileged_parent_tampering has been introduced to enable early adoption of the new behavior, but this will become enabled by default in FreeBSD 15.x, affecting development setups that rely on cross-jail process management. 5c6949e12ee6.
A race condition on POWER9 was fixed in the context switch code that could cause the system to hang after starting all APs. 666599639cf6.
Devices and Drivers
This section covers changes and additions to devices and device drivers since 14.3-RELEASE.
Device Drivers
The epair(4) driver now supports stable MAC addresses via the net.link.epair.ether_gen_addr sysctl(8). This helps maintain consistent DHCP and dynamic DNS assignments when epair interfaces are recreated, such as after jail restarts. The default behavior remains random MAC generation, but setting the sysctl to 1 enables stable addresses. 02f70f6633fd.
The iwlwifi(4) driver now includes ACPI support, enabling regulatory features for 802.11ax, 802.11be, and Per Platform Antenna Gain (PPAG) settings. c4496f82680c. (Sponsored by The FreeBSD Foundation)
The ix(4) and ixv(4) drivers add support for the Intel Ethernet E610 family of devices, including new PCI IDs for backplane, SFP, 10 GbE, 2.5 GbE, and SGMII variants. This enables link speeds of 2.5G, 5G, and 10G on supported hardware. a728b96686e6. (Sponsored by Intel Corporation)
The mfi(4) and mrsas(4) drivers now support the Fujitsu RAID Controller SAS 6Gbit/s 1GB (D3116), which is used in Fujitsu PRIMERGY servers like the RX300 S7. 653099bcc191, 3690911c355a.
The nvme(4) driver now supports BAR5 for Table BIR and PBA BIR, enabling FreeBSD on Google Compute Engine C4 machines. dca645cd3112. (Sponsored by Google)
The qat(4) driver now supports the 402xx device (IDs 0x4944/0x4945) under the existing qat_4xxx driver. af51f41346ad. (Sponsored by Intel Corporation)
The smartpqi(4) driver is updated to version 4660.0.2002, providing updated support for Microchip smartpqi controllers. ec98cb56861f. (Sponsored by Microchip Technology Inc.)
Deprecated and Removed Drivers
The in-kernel MIDI sequencer is deprecated. This change adds a deprecation notice to the kernel and may affect applications that rely on this legacy interface. ab9c9443eec5. (Sponsored by The FreeBSD Foundation)
Storage
This section covers changes and additions to file systems and other storage subsystems, both local and networked.
General Storage
The 9P filesystem (p9fs(4)) has been added for use with bhyve(8) virtio-9p devices. It allows guests to access host files via share mappings, and can be used as a root or non-root filesystem. The driver is loaded via virtio_p9fs_load=YES in loader.conf. 615fba7c6b39.
The tarfs(4) filesystem now correctly handles large files exceeding 4 GB and 8 GB limits. It fixes decompression errors when seeking beyond 4 GB in zstd-compressed tarballs and properly processes extended header records for files larger than 8 GB. 35c612fbabd8. (Sponsored by Klara, Inc.)
The unionfs(4) and nullfs(4) filesystems now perform stricter checks for jail root vnodes during dotdot lookups, preventing a potential chroot escape vulnerability. 3feafab4a34c.
Boot Loader Changes
This section covers the boot loader, boot menu, and other boot-related changes.
Boot Loader Changes
The EFI boot loader, loader.efi(8), now uses firmware-provided Blt functions only when using the Graphics Output Protocol (GOP), avoiding issues on older UGA-based systems like MacBooks. 6741fb1bd4f4.
The bsdinstall(8) installer now copies loader.efi to all ESPs created for multi-volume ZFS datasets, providing boot redundancy if the primary disk fails. d8e73f45fc5f. (Sponsored by Netflix)
Wireless firmware packages are now included on bootonly installation media, enabling users to fetch installation files over a wireless connection. 2ee0f3c954e7. (Sponsored by The FreeBSD Foundation)
Networking
This section describes changes that affect networking in FreeBSD.
General Network
Compatibility code for IPFW versions prior to FreeBSD 8 has been removed to simplify the codebase. Users or third-party modules that still rely on the old compatibility interfaces must migrate before upgrading. 57865e505aef. (Sponsored by The FreeBSD Foundation)
A sbin/ipfw15 binary has been added with updated KBI for compatibility with 15.0+ kernels. The original ipfw(8) binary detects the new KBI and automatically runs ipfw15, ensuring firewall rules can be loaded during upgrades. The utility is also installed as /sbin/dnctl15 for dummynet compatibility. 969e2b406835.
Wireless Networking
The net80211 subsystem has been updated to properly support VHT160 and VHT80P80 channel widths with modern access points, aligning with changes from 802.11ac-2013 to 802.11-2020. This enables VHT160 and VHT80P80 in the LinuxKPI 802.11 driver compatibility code, affecting wireless performance and compatibility. ccdd6285df5d. (Sponsored by The FreeBSD Foundation)
Hardware Support
This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not otherwise fit in other sections of this document.
The Raspberry Pi Zero 2W device tree blob is now included on the release SD card images, enabling support for this hardware model. fce5d401a803.
Please see the list of hardware supported by 14.4-RELEASE, as well as the platforms page for the complete list of supported CPU architectures.
Virtualization Support
The bhyve(8) hypervisor now reports SVM as disabled in the VM control register, preventing hangs on AMD systems with recent Windows guests. 321a15380668.
Documentation
This section covers changes to manual (man(1)) pages and other documentation shipped with the base system.
/usr/share/examples has reappeared on systems installed with base system packages. d149be3a0cbe.
Manual Pages
The shell builtin(1) command manual has been streamlined and gained a new section on built-in keyboard bindings. b98efcdb6210.
The newaliases(1) manual has been updated to clarify that it is for sendmail(8). e3df9a78da6b.
The ps(1) manual now documents that -A and -a show all processes regardless of other selection options, and clarifies the behavior of -J. f18a49a747f7. (Sponsored by The FreeBSD Foundation)
The write(2) manual now includes a new section describing the atomicity guarantees of write operations. c19f161f5f65.
Manuals for several DTrace providers have been added, including dtrace_fbt(4) (function boundary tracing), dtrace_vfs(4) (VFS activity), dtrace_pid(4) (user-level process tracing), dtrace_priv(4) (privilege checks), and dtrace_callout_execute(4) (callout handler execution). 0c91fa982437, 04bb91e9c5f7, ff6b04c37e78, f69bf8f994e5, 7d43404485bf.
New or improved manuals have appeared for most Ethernet switch controllers including mtkswitch(4), ip17x(4), ar40xx(4), arswitch(4), e6000sw(4), and e6060sw(4). f31ac06711e6, 17e9eb1e0eb7, 1343a5b616ec, d0e29f92f7a2, 5e0e046d95a9, ded154a1df97.
linuxkpi(4) and linuxkpi_wlan(4) manuals have been added, providing brief documentation on the LinuxKPI and its 802.11 compatibility features. 669062384f55. (Sponsored by The FreeBSD Foundation)
The cdboot(8) manual has been added, documenting the previously undocumented cdboot utility. d659366cc62a.
The crash(8) manual has been updated to reflect current system behavior, removing references to obsolete panic messages and updating guidance on recovery media. 4f2140aa9677.
The dumpon(8) manual now shows settings to adjust the behavior of crash(8) dumps. 7c8717183536.
The ipfw(8) manual now documents how to delete a NAT configuration instance. 186ac4724746.
The mtree(8) manual now clarifies that the type keyword remains mandatory and is not removed by -R all. This ensures consistent behavior and prevents potential misinterpretation of the command. f957857c4835.
The pf.conf(5) manual now documents that network address ranges used as items in list macros must be quoted with additional single quotes. 0077daf9cdc4.
The pw(8) manual now clarifies the acceptable formats for member lists with the -M, -m, and -d flags of the groupadd and groupmod options. 78343cd2a0f1.
The vt(4) manual now includes an example on increasing scrollback size and a section explaining console fonts, covering conversion, support, and usage. ce92b9d8332a, c330c43e58d7.
Last modified on: March 9, 2026 by Alexander Ziaee
