The FreeBSD project published advisory FreeBSD-SA-26:31.arm64 on 9 June 2026, covering CVE-2025-10263, a hardware erratum found in a long list of 64-bit Arm processors. This isn’t a FreeBSD bug in the usual sense. It’s faulty CPU behaviour that the operating system has to work around from inside the kernel.
What actually goes wrong
When the system changes page table permissions (say, it marks a region as read-only), the processor must run a TLB Invalidate (TLBI) instruction followed by a Data Synchronization Barrier (DSB) so the change takes effect in the right order. On the affected CPUs, the ordering between pending stores and that TLBI+DSB sequence can be wrong.
The result is that software can write to a memory page after its permissions were changed to prevent exactly that. It’s a microarchitectural race condition, not a mistake visible in the source code.
Who is affected
The advisory lists around 20 Arm models, from the Cortex-A76 up to the Cortex-X925, plus Neoverse cores and Ampere processors. That spans a good chunk of recent Arm server and desktop hardware, so this isn’t a niche case.
On the OS side, every supported FreeBSD branch on arm64 is affected:
- stable/15 and releng/15.1, 15.0
- stable/14 and releng/14.4, 14.3
If you run FreeBSD on an Arm board or instance using one of those cores, you’re in scope.
Severity
FreeBSD rates this as high severity. The described impact is privilege escalation: the flaw could let software write to memory owned by a higher exception level, which opens the door to jumping to that level (for example, from userland into the kernel, or between higher exception levels). It isn’t remote code execution. An attacker needs to run code on the machine first, but from there the privilege ceiling stops being trustworthy.
Mitigation and patch
FreeBSD can’t fix the silicon, so the kernel ships a mitigation that forces the correct ordering for page table operations. To get protected you have to update the kernel and reboot: without the reboot the mitigation doesn’t kick in.
Update paths depend on your install:
- Base packages (15.0 on amd64/arm64):
  pkg upgrade -r FreeBSD-base
- Standard update:
  freebsd-update fetch && freebsd-update install
- From source: download the patch from security.FreeBSD.org, verify the PGP signature, apply it with patch and rebuild the kernel.
Then reboot. Check your system version and branch first so you pull the right package or patch, especially if you maintain several Arm instances.
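For checking several Arm instances before and after the update, here is an added example (not from the advisory or the FreeBSD project) that classifies a host by its architecture and by its installed versus running kernel version, flagging the case where a new kernel is on disk but the reboot has not happened yet. The function name and verdict strings are hypothetical; the branch list is the one given above.

```shell
#!/bin/sh
# Added example: triage one host for FreeBSD-SA-26:31.arm64.
# Usage: triage ARCH INSTALLED_KERNEL RUNNING_KERNEL
# Prints one verdict word (hypothetical names chosen for this example).
triage() {
    arch=$1
    installed=$2
    running=$3

    # The erratum only concerns 64-bit Arm. FreeBSD reports "arm64"
    # from uname -m and "aarch64" from uname -p, so accept both.
    case $arch in
        arm64|aarch64) ;;
        *) echo "not-arm64"; return 0 ;;
    esac

    # Branches listed as affected: stable/15, releng/15.1, 15.0,
    # stable/14, releng/14.4, 14.3.
    case $running in
        15.*-STABLE*|14.*-STABLE*) ;;
        15.1-*|15.0-*|14.4-*|14.3-*) ;;
        *) echo "branch-not-listed"; return 0 ;;
    esac

    # A newer kernel on disk than in memory means the update was
    # installed but the mitigation is not active until reboot.
    if [ "$installed" != "$running" ]; then
        echo "reboot-pending"
    else
        # Same kernel on disk and in memory: compare its patch level
        # with the corrected versions named in the advisory.
        echo "check-patch-level"
    fi
}

# On a FreeBSD host, report the local verdict. freebsd-version -k is
# the installed kernel, -r the running one. Skipped elsewhere.
if command -v freebsd-version >/dev/null 2>&1; then
    echo "$(hostname): $(triage "$(uname -m)" \
        "$(freebsd-version -k)" "$(freebsd-version -r)")"
fi
```

A "check-patch-level" verdict is not a clean bill of health: it only means no reboot is outstanding, so the running version still has to be compared with the corrected versions in the advisory.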
For more on FreeBSD’s supported versions and update cycles, see the FreeBSD page.
Source
- Official advisory: FreeBSD-SA-26:31.arm64
- CVE detail: CVE-2025-10263 on NVD