MNBSD-2026-63: Multiple vulnerabilities in OpenZFS (CVE-2026-49429, CVE-2026-49430, CVE-2026-49431)

Severity: Unknown

Affected Package: openzfs

Summary: Multiple vulnerabilities in OpenZFS (CVE-2026-49429, CVE-2026-49430, CVE-2026-49431)

Description

Multiple vulnerabilities affect the OpenZFS implementation shipped with MidnightBSD (OpenZFS 2.1.15). ZFS delegation allows unprivileged users to perform specific administrative operations per dataset.

1. Kernel heap overflow via ZFS_IOC_USERSPACE_MANY (CWE-190/CWE-787, CVE-2026-49429) - the ioctl truncated a 64-bit output buffer size to a 32-bit integer for the kernel allocation but used the original 64-bit size when writing records. Triggerable by a user with the "userused" delegated permission.

2. Kernel memory corruption via ZFS_IOC_RECV_NEW heal path (CWE-190/CWE-787, CVE-2026-49430) - a crafted receive stream in heal mode could trigger an oversized allocation/byteswap. Triggerable by a user with the "receive" delegated permission.

3. Improper privilege check on ZFS_IOC_SET_PROP (CWE-269, CVE-2026-49431) - any local user could set the internal "$hasrecvd" metadata flag on datasets.

A local user with the appropriate delegated permission may escalate privileges via kernel heap overflow or memory corruption.

The FreeBSD patch targets OpenZFS 2.2.x and does not apply to MidnightBSD's OpenZFS 2.1.15; the three fixes were hand-ported. OpenZFS 2.1 is end-of-life upstream; a future update to a supported OpenZFS release is recommended.
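The size mismatch described for CVE-2026-49429, modelled in user space as an added example (this is not OpenZFS or MidnightBSD code, and it is not the hand-ported fix). The function names, the record size and the request cap are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define REC_SIZE 272u            /* constructed record size, not the real ZFS struct */
#define MAX_REQ  (1u << 20)      /* assumed upper bound a caller may request */

/* Flawed pattern: the allocation is sized from a 32-bit copy of the request. */
static uint32_t alloc_size_truncated(uint64_t req_bytes)
{
    return (uint32_t)req_bytes;  /* high 32 bits are silently dropped */
}

/* Bytes a writer emits when it still trusts the original 64-bit size. */
static uint64_t bytes_written(uint64_t req_bytes, uint64_t avail_records)
{
    uint64_t max = req_bytes / REC_SIZE;
    uint64_t n = avail_records < max ? avail_records : max;
    return n * REC_SIZE;         /* n <= max, so this cannot wrap */
}

/* 1 when the writer would run past the truncated allocation. */
static int size_mismatch(uint64_t req_bytes, uint64_t avail_records)
{
    return bytes_written(req_bytes, avail_records) > alloc_size_truncated(req_bytes);
}

/* Hardened pattern: validate once, then use the same value for both steps. */
static int checked_size(uint64_t req_bytes, size_t *out)
{
    if (req_bytes < REC_SIZE || req_bytes > MAX_REQ)
        return -1;               /* reject instead of truncating */
    *out = (size_t)req_bytes;
    return 0;
}

int main(void)
{
    uint64_t req = 0x100000000ULL + 64;   /* constructed request: 4 GiB + 64 */
    size_t n = 0;
    printf("alloc=%u written=%llu mismatch=%d checked=%d\n",
           alloc_size_truncated(req),
           (unsigned long long)bytes_written(req, 1000),
           size_mismatch(req, 1000), checked_size(req, &n));
    return 0;
}
```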

Affected Versions

openzfs

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2026-49429, CVE-2026-49430, CVE-2026-49431

Published: July 01, 2026
Last Modified: July 01, 2026