I'm curious to see how many issues an LLM can find for OpenBSD. Not knocking OpenBSD at all, genuinely curious to see if all the careful development can stand up to LLMs.
Because it's a tiresome, tropey, and ultimately invalid complaint. Look downthread at the person who said the FreeBSD commit log was better than this page, despite being inscrutable to security practitioners who don't work in the kernel and not saying a word about proven exploit vectors.
These complaints aren't about what's better or worse for the user community; they're about people trying to put vulnerability researchers in their place.
It's not even a complete description of the vulnerability. It's what the kernel maintainers need to know to understand and fix the bug in the code. The claim that it's superior to the branded vulnerability page gives away the whole game.
Why not? This weird complaint has been happening since ~2010 and it has never made any sense. You are strictly better off with the website than without it. When it was vulnerability researchers getting all peevish about the status competition they were running, I at least understood where the complaint was coming from, but even among practitioners, branded vulnerabilities are so much the norm at this point that there's no status implication anymore.
Is that even the fix though? The problem sizeof*groups expression has already been removed by that point. This fixes something but it's not obviously related to the vulnerability description.
No, that commit log is obviously not better than the page explaining the vulnerability and the exploit vectors.
Case in point: what's "tired" about the stack exploitation techniques they're using here?
And, while you're not right, even stipulating that you were, what would that matter? How is anyone better off with less explanation of a vulnerability?
Is there something in this website that feels unnecessary? It seems like a good format of sharing high quality information.
This looks like a full bug into a complete root escalation of a kernel. That's hard to do and deserving of praise. The fact that we have a writeup organized like this is awesome.
-------
This is sort of the expert level stuff that I thought HackerNews would most enjoy.
Maybe they're not up to snuff on yesterday? They published this yesterday.
> The bug was silently fixed in the main branch on 2025-11-27 (commit 000d5b52c19ff3858a6f0cbb405d47713c4267a4) as a side effect of a broader function refactoring. The fix has not been backported to stable/14 or releng/14.4. FreeBSD 14.4-RELEASE remains vulnerable.
> FreeBSD 15.0 still carries the sizeof(*groups) typo and is therefore vulnerable, but the surrounding code differs enough from 14.4 that the chain primitives developed here do not lift the overflow into a working LPE on that branch. On 15.0 the bug remains a kernel panic triggered by any unprivileged user.
I would think that pure-storage NAS or network equipment
was effectively completely immune to local privilege escalation. I'll give you the NAS where it might be running untrusted containers or such, but that's it.
FreeBSD was the reason I chose TrueNAS Core. Unfortunately, you are right, TrueNAS Scale (Linux) is where they are focusing all their attention.
At this point I will not purchase additional TrueNAS equipment as I feel I was "rug pulled." I get that they are going after more of the Docker container/app market, but I just want a solid ZFS w/excellent networking NAS device. Linux is close to this ideal, but it isn't as "Set and Forget" as FreeBSD (IMO).
PlayStation 4 was a fork of FreeBSD 9, and is immune to this bug introduced in 14. Sony also changes a LOT, I'm not sure anything dealing with unix credentials even exists in this fork. It's not clear how much FreeBSD is even used in PlayStation 5 (2020), but it would be based off 12 or earlier (also immune to this bug from 14) (13 was released in 2021).
reply