
CVE-2026-2261: A descriptor leak in blocklistd can disable FreeBSD's defenses

The FreeBSD project has published the security advisory FreeBSD-SA-26:03.blocklistd, which fixes vulnerability CVE-2026-2261. It’s a resource-management bug in blocklistd(8), the daemon that automates blocking IP addresses after repeated adverse events such as failed authentication attempts. The severity is rated medium, but the effect is particularly nasty because it wears down one of the system’s own defensive mechanisms.

What blocklistd is and what fails

blocklistd gets notifications from services like SSH when something suspicious happens (say, several failed login attempts from the same IP) and responds by adding firewall rules to temporarily block those addresses. In the FreeBSD world it plays a role similar to fail2ban on Linux.

The problem is a programming error that causes a socket descriptor leak: for every adverse event blocklistd processes, the daemon leaves a socket descriptor open. These descriptors pile up over time until the process runs out of available resources.

Who is affected

The vulnerability affects FreeBSD 15.0 and 15.0-RELEASE. Any system running blocklistd to protect its exposed services can end up degraded, both through normal use over time and through deliberate abuse.

Impact: a defense that shuts itself down

Descriptor exhaustion degrades the service in two stages:

  1. First, after leaking enough descriptors, blocklistd can no longer run the helper scripts that apply or remove blocks (the child processes crash on a null pointer dereference). The system stops adding new blocks and stops releasing expired ones.
  2. Then, with the leak further advanced, blocklistd cannot even receive new event reports.

The real risk is that an attacker deliberately generates a large number of adverse events from sacrificial IP addresses to saturate and disable blocklistd before launching the attack they actually care about. According to the advisory itself, someone with enough IPs could render the service useless “in a matter of minutes, or hours at most.” And even without an attacker, normal use gradually drains the descriptors.

Mitigation and patch

Restarting blocklistd regularly buys temporary relief, but it doesn’t touch the root cause: a determined attacker saturates it again in no time.
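A way to see the leak coming on an unpatched host is to sample the daemon's open socket descriptors over time. The watchdog below is an added example, not code from the advisory or the FreeBSD project; it assumes procstat(1) is available, that the `T` column of `procstat -f` output marks sockets with `s`, and that the threshold of 512 is a local choice to tune against the process's descriptor limit (`procstat -l`).

```sh
#!/bin/sh
# Added example: sample blocklistd's open socket descriptors and log a warning
# when the count climbs, as an early sign of the CVE-2026-2261 leak.
# Assumption: procstat -f prints "PID COMM FD T ..." with T == "s" for sockets.

# Count socket descriptors in procstat -f style output read from stdin.
count_socket_fds() {
    awk 'NR > 1 && $4 == "s" { n++ } END { print n + 0 }'
}

# True (exit 0) when the observed count reaches the alert threshold.
above_threshold() {
    [ "$1" -ge "$2" ]
}

# Constructed procstat -f sample (two sockets, two non-socket descriptors).
SAMPLE_PROCSTAT='  PID COMM                FD T V FLAGS     REF  OFFSET PRO NAME
  812 blocklistd        text v r r-------   -       - -   /usr/libexec/blocklistd
  812 blocklistd         3 s - rw------    2       0 UDD /var/run/blocklistd.sock
  812 blocklistd         4 s - rw------    2       0 UDD -
  812 blocklistd         5 v r rw------    1       0 -   /var/db/blocklistd.db'

# Count sockets in the constructed sample (exercised by the usage below).
sample_socket_count() {
    printf '%s\n' "$SAMPLE_PROCSTAT" | count_socket_fds
}

# Poll the live daemon every $2 seconds; warn via syslog past $1 sockets.
watch_blocklistd() {
    threshold=${1:-512}   # assumed local threshold, tune against procstat -l
    interval=${2:-60}
    while :; do
        pid=$(pgrep -x blocklistd) || { echo "blocklistd not running"; return 1; }
        n=$(procstat -f "$pid" | count_socket_fds)
        echo "$(date '+%Y-%m-%dT%H:%M:%S') blocklistd pid=$pid sockets=$n"
        if above_threshold "$n" "$threshold"; then
            logger -p daemon.warning \
                "blocklistd holds $n socket descriptors (>= $threshold): possible CVE-2026-2261 leak"
        fi
        sleep "$interval"
    done
}

# Only poll the live daemon when explicitly asked; otherwise show the sample.
if [ "${WATCH_BLOCKLISTD:-0}" = "1" ]; then
    watch_blocklistd "$@"
else
    echo "sample socket count: $(sample_socket_count)"
fi
```

Run it as `WATCH_BLOCKLISTD=1 sh watch.sh 512 60` on the host; a count that only ever grows between samples, and never drops after expired blocks are released, is the pattern this advisory describes.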

The real fix is to apply the official patch. FreeBSD released the fixes on February 10, 2026 for stable/15 (commit 1864a03eb2ac) and releng/15.0 (commit e4781e4e6d88). You can install the update via freebsd-update, pkg, or by rebuilding from the patched source, depending on how your system is managed. After updating, restart the service so the fix takes effect.

If you run FreeBSD servers that rely on blocklistd as a layer of protection against brute force, apply this patch as soon as you can. A defense that the attacker can switch off is no defense at all.
