-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-26:03.blocklistd                                 Security Advisory
                                                          The FreeBSD Project

Topic:          blocklistd(8) socket leak

Category:       core
Module:         blocklistd
Announced:      2026-02-10
Affects:        FreeBSD 15.0
Corrected:      2026-02-10 01:39:29 UTC (stable/15, 15.0-STABLE)
                2026-02-10 17:56:11 UTC (releng/15.0, 15.0-RELEASE-p3)
CVE Name:       CVE-2026-2261

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The blocklistd(8) service keeps a database of IP addresses associated with
certain adverse events reported by other system services, such as failed
ssh logins or emails submitted to non-existent recipients.  Once an IP
address has exceeded a configured number of adverse events, blocklistd runs
a helper script which performs a preprogrammed action, usually adding the
IP address to a packet filter blocklist.  After a certain amount of time
has elapsed, the same helper script is run again to unblock the address.

The blocklistd service was previously known as blacklistd and is present
under both names in FreeBSD 15.0-RELEASE.

II.  Problem Description

Due to a programming error, blocklistd leaks a socket descriptor for each
adverse event report it receives.  Once a certain number of leaked sockets
is reached, blocklistd becomes unable to run the helper script: a child
process is forked, but this child dereferences a null pointer and crashes
before it is able to exec the helper.  At this point, blocklistd still
records adverse events but is unable to block new addresses or unblock
addresses whose database entries have expired.  Once a second, much higher
number of leaked sockets is reached, blocklistd becomes unable to receive
new adverse event reports.

III. Impact

An attacker may take advantage of this by triggering a large number of
adverse events from sacrificial IP addresses to effectively disable
blocklistd before launching an attack.

Even in the absence of attacks or probes by would-be attackers, adverse
events will occur regularly in the course of normal operations, and
blocklistd will gradually run out of file descriptors and become
ineffective.  The accumulation of open sockets may have knock-on effects on
other parts of the system, resulting in a general slowdown until blocklistd
is restarted.

IV.  Workaround

The issue can be mitigated to a certain extent by regularly restarting the
blocklistd service.  However, a determined attacker with access to a
sufficiently large pool of sacrificial IP addresses will be able to disable
blocklistd in a matter of minutes, or hours at most.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, which were not installed
using base system packages, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-26:03/blocklistd.patch
# fetch https://security.FreeBSD.org/patches/SA-26:03/blocklistd.patch.asc
# gpg --verify blocklistd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
- -------------------------------------------------------------------------
stable/15/                              1864a03eb2ac      stable/15-n282210
releng/15.0/                            e4781e4e6d88    releng/15.0-n281007
- -------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmmLdZIACgkQbljekB8A
Gu849BAAnzXfP+LqpZM2dIPVMma5fHyMKNYSCa3nCS5cBSXgnodaM8KW2W0tuPRA
2NlMU4LUtDng0+UCm3SDVOZRvHL37/2TfaIheCs0QCmLirG78NDweHntEMHQGqUP
vsdQ1kfdkRm1VJyqE8INsSOdlE8YwCywM+HXjEhjv5VNTzzVZOj3cnlNABgrrCq7
DcKuCZ9uDZRva+X71YRs3n9ZWghSuONB9ycys2YdYG3fp2wEMUpwEsRFjR1oYWOM
JjmlvfXJSeNq4vXd425zX3trLunVEqRVEaLtkl3NDx7/fVAN05MrXx5eB7oTBa5X
9NzFDdQpJZw3Fk7B6cRUZa4v/mPFc2ZrfMKEIrMz+7brVl5InSjvi7ne3ERRujr0
Db4Kbf9XrAx1NaFXrffU6jmVrhZOz7Z9Y+H+1V7yCYZiShkwz2rrghghcrH3QH0x
2jJXsT+M5lYDA2oFPc0eXPtlidrmCcWHMVM4b8xkZ/tBCaq31F4T7RWXj0QiO44Z
7AlV7ejZquknMA0gNmmOrOMW3kQcCUwJA0SBXcQ7WE5sgnQeXdZcl9wWtSkjYuhr
g1YHde8rNUNcHBC+FPZlru/PsuOrc1/XzdjO4uRpSEK++hOR4ZmLUBThd+u8H9b4
bA9kCxgNwfuOq9c3hYhFjWme+kxHRLRAdn4un19zLwUvaqLqS0k=
=1MK1
-----END PGP SIGNATURE-----
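Added example, not part of the advisory and not FreeBSD project code. It turns the Workaround (section IV, "regularly restarting the blocklistd service") into a watchdog driven by the leak itself, counting the socket descriptors blocklistd holds and restarting it once a site-chosen threshold is crossed, and adds a patch-level check for the Solution (section V) so the watchdog can be retired once 15.0-RELEASE-p3 or later is installed. The procstat(1) -f column layout (PID COMM FD T V FLAGS ..., with T equal to "s" for a socket), the pid file path /var/run/blocklistd.pid and the rc script name "blocklistd" are assumptions; the procstat sample is constructed.

```shell
#!/bin/sh
# Added example for FreeBSD-SA-26:03.blocklistd (not the advisory's code).
#
# Assumptions (not taken from the advisory):
#   - `procstat -f <pid>` prints columns PID COMM FD T V FLAGS REF OFFSET PRO NAME,
#     and T is "s" for a socket descriptor
#   - blocklistd writes its pid to /var/run/blocklistd.pid
#   - the rc script is named "blocklistd"

# count_sockets: read `procstat -f` output on stdin, print the number of
# descriptors whose type column (4th field) is "s".  The header row is skipped.
count_sockets() {
    awk 'NR > 1 && $4 == "s" { n++ } END { print n + 0 }'
}

# should_restart COUNT THRESHOLD: true once the leak has reached the threshold.
# Pick THRESHOLD well below the per-process descriptor limit (`ulimit -n`),
# so the restart happens before the helper-script fork starts failing.
should_restart() {
    [ "$1" -ge "$2" ]
}

# watch_blocklistd THRESHOLD: live check on a FreeBSD host.  Returns 2 if
# blocklistd is not running, restarts it when the socket count is too high.
watch_blocklistd() {
    pid=$(cat /var/run/blocklistd.pid 2>/dev/null) || return 2
    n=$(procstat -f "$pid" | count_sockets)
    if should_restart "$n" "$1"; then
        logger -t blocklistd-watch "blocklistd pid $pid holds $n sockets (limit $1), restarting"
        service blocklistd restart
    fi
}

# release_patch_level VERSION: print the -pN level of a `freebsd-version -u`
# string ("15.0-RELEASE-p3" -> 3, "15.0-RELEASE" -> 0).  Non-RELEASE builds
# such as 15.0-STABLE print -1: patch levels do not apply there, compare the
# commit count from section VI (`git rev-list --count --first-parent HEAD`)
# against stable/15-n282210 instead.
release_patch_level() {
    case "$1" in
        15.0-RELEASE-p*) printf '%s\n' "${1#15.0-RELEASE-p}" ;;
        15.0-RELEASE)    printf '%s\n' 0 ;;
        *)               printf '%s\n' -1 ;;
    esac
}

# fixed_for_sa2603 VERSION: 0 if the release carries the fix (p3 or later),
# 1 if it does not, 2 if the string is not a 15.0-RELEASE patch level.
fixed_for_sa2603() {
    lvl=$(release_patch_level "$1")
    [ "$lvl" -ge 0 ] || return 2
    [ "$lvl" -ge 3 ]
}

# Constructed sample of `procstat -f` output: one listening socket plus one
# leaked socket.  On a daemon affected by the leak the "s" rows keep growing.
SAMPLE_PROCSTAT='  PID COMM                FD T V FLAGS     REF  OFFSET PRO NAME
  873 blocklistd        text v r r-------   -       - -   /usr/libexec/blocklistd
  873 blocklistd           0 v c rw------   4       0 -   /dev/null
  873 blocklistd           3 s - rw---n--   2       0 UDD /var/run/blocklistd.sock
  873 blocklistd           4 s - rw---n--   1       0 UDD -'

if [ $# -ge 1 ]; then
    # Live mode: e.g. from cron every few minutes with the threshold as argument
    watch_blocklistd "$1"
else
    # Stand-alone demonstration on the constructed sample, no live system needed
    n=$(printf '%s\n' "$SAMPLE_PROCSTAT" | count_sockets)
    printf 'sample: %s socket descriptors held\n' "$n"
    if fixed_for_sa2603 15.0-RELEASE-p3; then
        printf '15.0-RELEASE-p3: fix for SA-26:03 present\n'
    fi
fi
```

Run with no arguments to see the sample evaluated; on an affected 15.0 host, schedule it from cron with a threshold argument (for example every five minutes) and remove the job once `freebsd-version -u` reports a release that `fixed_for_sa2603` accepts. Restarting on a descriptor count rather than on a fixed timer limits the window in which blocklistd can neither block nor unblock, which is the state the Problem Description warns about.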