=============================================================================
FreeBSD-SA-26:41.libalias                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in libalias RTSP handler

Category:       core
Module:         libalias
Announced:      2026-06-30
Credits:        Atuin - Automated Vulnerability Discovery Engine,
                Tianchu Chen of Tencent Xuanwu Lab
Credits:        UC Berkeley Antiproof
Credits:        Stanislav Fort of Aisle Research
Affects:        All supported versions of FreeBSD.
Corrected:      2026-06-30 17:20:09 UTC (stable/15, 15.1-STABLE)
                2026-06-30 17:21:58 UTC (releng/15.1, 15.1-RELEASE-p1)
                2026-06-30 17:21:26 UTC (releng/15.0, 15.0-RELEASE-p11)
                2026-06-30 17:19:50 UTC (stable/14, 14.4-STABLE)
                2026-06-30 17:20:58 UTC (releng/14.4, 14.4-RELEASE-p7)
                2026-06-30 17:20:32 UTC (releng/14.3, 14.3-RELEASE-p16)
CVE Name:       CVE-2026-49420

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

libalias is a library that performs Network Address Translation (NAT) for
outgoing and incoming IP packets.  It includes protocol-specific handlers
for application-layer protocols such as RTSP that embed addresses or port
numbers in their payload.

libalias is used by ipfw(4) to implement in-kernel NAT, and by natd(8).

II.  Problem Description

The RTSP handler in libalias rewrote outgoing packets into a fixed-length
stack buffer without checking whether the rewritten data fit in the buffer,
or whether the result fit back in the original packet.

III. Impact

A host sending crafted RTSP traffic from inside a NAT gateway using libalias
can overflow a stack buffer, potentially achieving remote code execution in
the kernel (when using ipfw(4) NAT) or in the natd(8) process (which
generally runs as the root user).

IV.  Workaround

Systems running natd(8) are vulnerable only so long as libalias_smedia.so is
listed in /etc/libalias.conf.  Removing it from that file and restarting
natd(8) ensures that the vulnerable code is not loaded.

Systems using ipfw(4) to implement NAT are affected only if the
alias_smedia.ko kernel module is loaded.

The affected code only runs on TCP or UDP packets undergoing outbound NAT
translation, when the source port is 554 or 7070, or the destination port is
554 or 7070.  Dropping such packets before they reach the NAT rule prevents
the bug from being triggered.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.

Perform one of the following:

1) To update your vulnerable system installed from base system packages:

Systems running a 15.0-RELEASE or later version of FreeBSD on the amd64
or arm64 platforms, which were installed using base system packages,
can be updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms which were not installed using base system packages can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 15.x]
# fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-15.patch
# fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-15.patch.asc
# gpg --verify libalias-15.patch.asc

[FreeBSD 14.x]
# fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-14.patch
# fetch https://security.FreeBSD.org/patches/SA-26:41/libalias-14.patch.asc
# gpg --verify libalias-14.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch -E -p0 < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              1546794142f9    stable/15-n284325
releng/15.1/                            1b96804ba50d  releng/15.1-n283570
releng/15.0/                            64ce87df6876  releng/15.0-n281072
stable/14/                              4c0f47666666    stable/14-n274450
releng/14.4/                            0a7dd3d960c8  releng/14.4-n273732
releng/14.3/                            935a96aa77be  releng/14.3-n271532
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
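
The two length checks that Section II says were missing, written out as an added example; this is not the libalias source or the FreeBSD patch. rewrite_token(), SCRATCH_LEN, the RW_* codes and the sample payload are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define SCRATCH_LEN 64	/* constructed size, small so the limits are easy to hit */

enum { RW_OK = 0, RW_NOMATCH = -1, RW_SCRATCH = -2, RW_PKT = -3 };

/*
 * Replace the first occurrence of old_tok in pkt[0..*len) with new_tok.
 * pkt_cap is the room available in the packet buffer (caller guarantees
 * *len <= pkt_cap).  On any error the packet is left untouched.
 */
int
rewrite_token(char *pkt, size_t *len, size_t pkt_cap,
    const char *old_tok, const char *new_tok)
{
	char scratch[SCRATCH_LEN];
	size_t old_len = strlen(old_tok), new_len = strlen(new_tok);
	size_t off, out_len;

	if (old_len == 0 || *len < old_len)
		return (RW_NOMATCH);
	for (off = 0; off + old_len <= *len; off++)
		if (memcmp(pkt + off, old_tok, old_len) == 0)
			break;
	if (off + old_len > *len)
		return (RW_NOMATCH);

	/* Size of the rewritten payload, computed before any byte is copied. */
	out_len = *len - old_len + new_len;
	/* Check 1: the rewritten data must fit in the fixed stack buffer. */
	if (out_len > sizeof(scratch))
		return (RW_SCRATCH);
	/* Check 2: the result must fit back in the original packet. */
	if (out_len > pkt_cap)
		return (RW_PKT);

	memcpy(scratch, pkt, off);
	memcpy(scratch + off, new_tok, new_len);
	memcpy(scratch + off + new_len, pkt + off + old_len,
	    *len - off - old_len);
	memcpy(pkt, scratch, out_len);
	*len = out_len;
	return (RW_OK);
}
```

A caller that gets RW_SCRATCH or RW_PKT should pass the packet through unmodified or drop it, never truncate the rewrite.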