THE FreeBSD Project has issued critical security advisories regarding vulnerabilities in OpenZFS, libalias, TCP RACK, and POSIX shared memory that could allow remote code execution and privilege escalation. The vulnerabilities can be exploited through specific RTSP traffic and affect all supported FreeBSD versions (14.x and 15.x).
Key vulnerabilities include CVE-2026-49420 (buffer overflow in libalias), CVE-2026-49429 and CVE-2026-49430 (OpenZFS memory allocation flaws), and CVE-2026-49422 (use-after-free bug in TCP RACK). No active exploitation has been reported, but system administrators are urged to apply patches or remove vulnerable modules to secure their systems.