-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-EN-26:03.vm                                             Errata Notice
                                                          The FreeBSD Project

Topic:          The page fault handler fails to zero memory

Category:       core
Module:         vm
Announced:      2026-01-27
Affects:        All supported versions of FreeBSD.
Corrected:      2025-12-15 10:37:54 UTC (stable/15, 15.0-STABLE)
                2026-01-27 19:15:47 UTC (releng/15.0, 15.0-RELEASE-p2)
                2025-12-15 10:42:28 UTC (stable/14, 14.3-STABLE)
                2026-01-27 19:16:12 UTC (releng/14.3, 14.3-RELEASE-p8)
                2026-01-26 15:18:32 UTC (stable/13, 13.4-STABLE)
                2026-01-27 19:16:34 UTC (releng/13.5, 13.5-RELEASE-p9)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

The mmap(2) system call allows applications and system libraries to allocate
heap memory using the MAP_ANON flag.  The system call allocates virtual memory
in the calling thread's address space and physical memory is allocated on
demand as page faults occur.  Memory allocated this way is guaranteed to be
zero-filled.

II.  Problem Description

Under some conditions, the physical pages allocated and mapped by the kernel
may not be zero-filled.

III. Impact

This bug has been observed to cause process crashes.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.0]
# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-15.patch
# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-15.patch.asc
# gpg --verify vm-15.patch.asc

[FreeBSD 14.3]
# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-14.patch
# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-14.patch.asc
# gpg --verify vm-14.patch.asc

[FreeBSD 13.5]
# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-13.patch
# fetch https://security.FreeBSD.org/patches/EN-26:03/vm-13.patch.asc
# gpg --verify vm-13.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              3c0942f99209    stable/15-n281508
releng/15.0/                            6e279feb40be  releng/15.0-n281002
stable/14/                              99f641267d44    stable/14-n272998
releng/14.3/                            de311ee39b3f  releng/14.3-n271457
stable/13/                              babac9d7bc05    stable/13-n259725
releng/13.5/                            4967e14ba25b  releng/13.5-n259188
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:03.vm.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAml5NC8ACgkQbljekB8A
Gu/4KhAAgF/05mLRDs9wlSC1BrN5xZf6zoFdrsj0BC72miZD1qQXe9VtxzJINMLu
b/jbKYT1ILPEXGhHX7epjc4GEM1Eq/kUJnTb35jnkFN63stMn1MX1nqtSNxLzj5f
tJcsb2Atp/3EkNMhcFwFmolQ2qSdQG+s7xDZhHI/hNi5CS/8B7W59LZI3tWXJujM
AbTiHZZSS68RA/co0lmbDYtLMkFEuQBLdcDAdfOHL5+rV2/QIAVYBdqiynVx+cia
iJBbwBuOjiMWSdqP9JiSRnd1HhW3dMUMJTlZFmyGiQNmS+lYE1AgLgPdMPwSReO8
+79yUfIrFUqWpG6lM33a9T/t3jN8ejZsYRO8OFghvtaePJvUm/P6D0n0werR8PaE
lI9u7BlBqpX9PJ4FUJmUCHAojqXH6msT2RXLg5GcLhjlApMUi2hAcNuT9tp7/+4A
ekc0/sZqJdrcWTmu00w6Tpk9zohW/MX/DHxNEj4SPn5dpjvz9QttaCpNJNyNARuU
GdzZc8poPk3mpTcawABAD0LItpW6d2XLUehtgaWRc5mDoKZj5GIfLjDmqIqqxe9k
C9e6bhL+1QSZQ2HTTNl8e/xoUX+D2pAiE4GkpRSc6u6ZZ3BOQ+fRwbZlnFSz6diT
IIkUddz63TCmxPiiZiJs7XZFZMpx2wJTvuu51hjLs5t6Eswdk20=
=ecKh
-----END PGP SIGNATURE-----