diff --git a/website/data/security/errata.toml b/website/data/security/errata.toml
index 50d0a89e3a..702576a943 100644
--- a/website/data/security/errata.toml
+++ b/website/data/security/errata.toml
@@ -1,951 +1,955 @@
# Sort errata notices by year, month and day
# $FreeBSD$
+[[notices]]
+name = "FreeBSD-EN-24:09.zfs"
+date = "2024-04-24"
+
[[notices]]
name = "FreeBSD-EN-24:08.kerberos"
date = "2024-03-28"
[[notices]]
name = "FreeBSD-EN-24:07.clang"
date = "2024-03-28"
[[notices]]
name = "FreeBSD-EN-24:06.wireguard"
date = "2024-03-28"
[[notices]]
name = "FreeBSD-EN-24:05.tty"
date = "2024-03-28"
[[notices]]
name = "FreeBSD-EN-24:04.ip"
date = "2024-02-14"
[[notices]]
name = "FreeBSD-EN-24:03.kqueue"
date = "2024-02-14"
[[notices]]
name = "FreeBSD-EN-24:02.libutil"
date = "2024-02-14"
[[notices]]
name = "FreeBSD-EN-24:01.tzdata"
date = "2024-02-14"
[[notices]]
name = "FreeBSD-EN-23:22.vfs"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:21.tty"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:20.vm"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:19.pkgbase"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:18.openzfs"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:17.ossl"
date = "2023-12-05"
[[notices]]
name = "FreeBSD-EN-23:16.openzfs"
date = "2023-12-01"
[[notices]]
name = "FreeBSD-EN-23:15.sanitizer"
date = "2023-12-01"
[[notices]]
name = "FreeBSD-EN-23:14.regcomp"
date = "2023-11-08"
[[notices]]
name = "FreeBSD-EN-23:13.freebsd-update"
date = "2023-11-08"
[[notices]]
name = "FreeBSD-EN-23:12.freebsd-update"
date = "2023-10-03"
[[notices]]
name = "FreeBSD-EN-23:11.caroot"
date = "2023-09-06"
[[notices]]
name = "FreeBSD-EN-23:10.pci"
date = "2023-09-06"
[[notices]]
name = "FreeBSD-EN-23:09.freebsd-update"
date = "2023-09-06"
[[notices]]
name = "FreeBSD-EN-23:08.vnet"
date = "2023-08-01"
[[notices]]
name = "FreeBSD-EN-23:07.mpr"
date = "2023-06-21"
[[notices]]
name = "FreeBSD-EN-23:06.loader"
date = "2023-06-21"
[[notices]]
name = "FreeBSD-EN-23:05.tzdata"
date = "2023-06-21"
[[notices]]
name = "FreeBSD-EN-23:04.ixgbe"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-23:03.ena"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-23:02.sdhci"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-23:01.tzdata"
date = "2023-02-08"
[[notices]]
name = "FreeBSD-EN-22:28.heimdal"
date = "2022-11-29"
[[notices]]
name = "FreeBSD-EN-22:27.loader"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:26.cam"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:25.tcp"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:24.zfs"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:23.vm"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:22.tzdata"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:21.zfs"
date = "2022-11-01"
[[notices]]
name = "FreeBSD-EN-22:20.tzdata"
date = "2022-08-30"
[[notices]]
name = "FreeBSD-EN-22:19.pam_exec"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:18.wifi"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:17.cam"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:16.kqueue"
date = "2022-08-09"
[[notices]]
name = "FreeBSD-EN-22:15.pf"
date = "2022-04-06"
[[notices]]
name = "FreeBSD-EN-22:14.tzdata"
date = "2022-03-22"
[[notices]]
name = "FreeBSD-EN-22:13.zfs"
date = "2022-03-21"
[[notices]]
name = "FreeBSD-EN-22:12.zfs"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:11.zfs"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:10.zfs"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:09.freebsd-update"
date = "2022-03-15"
[[notices]]
name = "FreeBSD-EN-22:08.i386"
date = "2022-02-01"
[[notices]]
name = "FreeBSD-EN-22:07.la57"
date = "2022-02-01"
[[notices]]
name = "FreeBSD-EN-22:06.libalias"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:05.tail"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:04.pcid"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:03.hyperv"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:02.xsave"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-22:01.fsck_ffs"
date = "2022-01-11"
[[notices]]
name = "FreeBSD-EN-21:29.tzdata"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:28.vmci"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:27.caroot"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:26.libevent"
date = "2021-11-03"
[[notices]]
name = "FreeBSD-EN-21:25.bhyve"
date = "2021-08-24"
[[notices]]
name = "FreeBSD-EN-21:24.libcrypto"
date = "2021-08-24"
[[notices]]
name = "FreeBSD-EN-21:23.virtio_blk"
date = "2021-08-24"
[[notices]]
name = "FreeBSD-EN-21:22.linux_futex"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:21.ipfw"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:20.vlan"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:19.libcasper"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:18.libc++"
date = "2021-06-29"
[[notices]]
name = "FreeBSD-EN-21:17.libradius"
date = "2021-06-01"
[[notices]]
name = "FreeBSD-EN-21:16.bc"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:15.virtio"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:14.pms"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:13.mpt"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:12.divert"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:11.aesni"
date = "2021-05-26"
[[notices]]
name = "FreeBSD-EN-21:10.lldb"
date = "2021-04-06"
[[notices]]
name = "FreeBSD-EN-21:09.pf"
date = "2021-04-06"
[[notices]]
name = "FreeBSD-EN-21:08.freebsd-update"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:07.caroot"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:06.microcode"
date = "2021-02-24"
[[notices]]
name = "FreeBSD-EN-21:05.libatomic"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:04.zfs"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:03.vnet"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:02.extattr"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-21:01.tzdata"
date = "2021-01-29"
[[notices]]
name = "FreeBSD-EN-20:22.callout"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:21.ipfw"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:20.tzdata"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:19.audit"
date = "2020-12-01"
[[notices]]
name = "FreeBSD-EN-20:18.getfsstat"
date = "2020-09-02"
[[notices]]
name = "FreeBSD-EN-20:17.linuxthread"
date = "2020-09-02"
[[notices]]
name = "FreeBSD-EN-20:16.vmx"
date = "2020-08-05"
[[notices]]
name = "FreeBSD-EN-20:15.mps"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:14.linuxkpi"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:13.bhyve"
date = "2020-07-08"
[[notices]]
name = "FreeBSD-EN-20:12.iflib"
date = "2020-06-09"
[[notices]]
name = "FreeBSD-EN-20:11.ena"
date = "2020-06-09"
[[notices]]
name = "FreeBSD-EN-20:10.build"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:09.igb"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:08.tzdata"
date = "2020-05-12"
[[notices]]
name = "FreeBSD-EN-20:07.quotad"
date = "2020-04-21"
[[notices]]
name = "FreeBSD-EN-20:06.ipv6"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:05.mlx5en"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:04.pfctl"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:03.sshd"
date = "2020-03-19"
[[notices]]
name = "FreeBSD-EN-20:02.nmount"
date = "2020-01-28"
[[notices]]
name = "FreeBSD-EN-20:01.ssp"
date = "2020-01-28"
[[notices]]
name = "FreeBSD-EN-19:19.loader"
date = "2019-11-12"
[[notices]]
name = "FreeBSD-EN-19:18.tzdata"
date = "2019-10-23"
[[notices]]
name = "FreeBSD-EN-19:17.ipfw"
date = "2019-08-20"
[[notices]]
name = "FreeBSD-EN-19:16.bhyve"
date = "2019-08-20"
[[notices]]
name = "FreeBSD-EN-19:15.libunwind"
date = "2019-08-06"
[[notices]]
name = "FreeBSD-EN-19:14.epoch"
date = "2019-08-06"
[[notices]]
name = "FreeBSD-EN-19:13.mds"
date = "2019-07-24"
[[notices]]
name = "FreeBSD-EN-19:12.tzdata"
date = "2019-07-02"
[[notices]]
name = "FreeBSD-EN-19:11.net"
date = "2019-06-19"
[[notices]]
name = "FreeBSD-EN-19:10.scp"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:09.xinstall"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:08.tzdata"
date = "2019-05-14"
[[notices]]
name = "FreeBSD-EN-19:07.lle"
date = "2019-02-05"
[[notices]]
name = "FreeBSD-EN-19:06.dtrace"
date = "2019-02-05"
[[notices]]
name = "FreeBSD-EN-19:05.kqueue"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:04.tzdata"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:03.sqlite"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:02.tcp"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-19:01.cc_cubic"
date = "2019-01-09"
[[notices]]
name = "FreeBSD-EN-18:18.zfs"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:17.vm"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:16.ptrace"
date = "2018-12-19"
[[notices]]
name = "FreeBSD-EN-18:15.loader"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:14.tzdata"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:13.icmp"
date = "2018-11-27"
[[notices]]
name = "FreeBSD-EN-18:12.mem"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:11.listen"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:10.syscall"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:09.ip"
date = "2018-09-27"
[[notices]]
name = "FreeBSD-EN-18:08.lazyfpu"
date = "2018-09-12"
[[notices]]
name = "FreeBSD-EN-18:07.pmap"
date = "2018-06-21"
[[notices]]
name = "FreeBSD-EN-18:06.tzdata"
date = "2018-05-08"
[[notices]]
name = "FreeBSD-EN-18:05.mem"
date = "2018-05-08"
[[notices]]
name = "FreeBSD-EN-18:04.mem"
date = "2018-04-04"
[[notices]]
name = "FreeBSD-EN-18:03.tzdata"
date = "2018-04-04"
[[notices]]
name = "FreeBSD-EN-18:02.file"
date = "2018-03-07"
[[notices]]
name = "FreeBSD-EN-18:01.tzdata"
date = "2018-03-07"
[[notices]]
name = "FreeBSD-EN-17:09.tzdata"
date = "2017-11-02"
[[notices]]
name = "FreeBSD-EN-17:08.pf"
date = "2017-08-10"
[[notices]]
name = "FreeBSD-EN-17:07.vnet"
date = "2017-08-10"
[[notices]]
name = "FreeBSD-EN-17:06.hyperv"
date = "2017-07-12"
[[notices]]
name = "FreeBSD-EN-17:05.xen"
date = "2017-04-12"
[[notices]]
name = "FreeBSD-EN-17:04.mandoc"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:03.hyperv"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:02.yp"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-17:01.pcie"
date = "2017-02-23"
[[notices]]
name = "FreeBSD-EN-16:21.localedef"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:20.tzdata"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:19.tzcode"
date = "2016-12-06"
[[notices]]
name = "FreeBSD-EN-16:18.loader"
date = "2016-10-25"
[[notices]]
name = "FreeBSD-EN-16:17.vm"
date = "2016-10-25"
[[notices]]
name = "FreeBSD-EN-16:16.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:15.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:14.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:13.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:12.hv_storvsc"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:11.vmbus"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:10.dhclient"
date = "2016-08-12"
[[notices]]
name = "FreeBSD-EN-16:09.freebsd-update"
date = "2016-07-25"
[[notices]]
name = "FreeBSD-EN-16:08.zfs"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:07.ipi"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:06.libc"
date = "2016-05-04"
[[notices]]
name = "FreeBSD-EN-16:05.hv_netvsc"
date = "2016-03-16"
[[notices]]
name = "FreeBSD-EN-16:04.hyperv"
date = "2016-03-16"
[[notices]]
name = "FreeBSD-EN-16:03.yplib"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-16:02.pf"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-16:01.filemon"
date = "2016-01-14"
[[notices]]
name = "FreeBSD-EN-15:20.vm"
date = "2015-11-04"
[[notices]]
name = "FreeBSD-EN-15:19.kqueue"
date = "2015-11-04"
[[notices]]
name = "FreeBSD-EN-15:18.pkg"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:17.libc"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:16.pw"
date = "2015-09-16"
[[notices]]
name = "FreeBSD-EN-15:15.pkg"
date = "2015-08-25"
[[notices]]
name = "FreeBSD-EN-15:14.ixgbe"
date = "2015-08-25"
[[notices]]
name = "FreeBSD-EN-15:13.vidcontrol"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:12.netstat"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:11.toolchain"
date = "2015-08-18"
[[notices]]
name = "FreeBSD-EN-15:10.iconv"
date = "2015-06-30"
[[notices]]
name = "FreeBSD-EN-15:09.xlocale"
date = "2015-06-30"
[[notices]]
name = "FreeBSD-EN-15:08.sendmail"
date = "2015-06-18"
[[notices]]
name = "FreeBSD-EN-15:07.zfs"
date = "2015-06-09"
[[notices]]
name = "FreeBSD-EN-15:06.file"
date = "2015-06-09"
[[notices]]
name = "FreeBSD-EN-15:05.ufs"
date = "2015-05-13"
[[notices]]
name = "FreeBSD-EN-15:04.freebsd-update"
date = "2015-05-13"
[[notices]]
name = "FreeBSD-EN-15:03.freebsd-update"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-15:02.openssl"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-15:01.vt"
date = "2015-02-25"
[[notices]]
name = "FreeBSD-EN-14:13.freebsd-update"
date = "2014-12-23"
[[notices]]
name = "FreeBSD-EN-14:12.zfs"
date = "2014-11-04"
[[notices]]
name = "FreeBSD-EN-14:11.crypt"
date = "2014-10-22"
[[notices]]
name = "FreeBSD-EN-14:10.tzdata"
date = "2014-10-22"
[[notices]]
name = "FreeBSD-EN-14:09.jail"
date = "2014-07-08"
[[notices]]
name = "FreeBSD-EN-14:08.heimdal"
date = "2014-06-24"
[[notices]]
name = "FreeBSD-EN-14:07.pmap"
date = "2014-06-24"
[[notices]]
name = "FreeBSD-EN-14:06.exec"
date = "2014-06-03"
[[notices]]
name = "FreeBSD-EN-14:05.ciss"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:04.kldxref"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:03.pkg"
date = "2014-05-13"
[[notices]]
name = "FreeBSD-EN-14:02.mmap"
date = "2014-01-14"
[[notices]]
name = "FreeBSD-EN-14:01.random"
date = "2014-01-14"
[[notices]]
name = "FreeBSD-EN-13:05.freebsd-update"
date = "2013-11-28"
[[notices]]
name = "FreeBSD-EN-13:04.freebsd-update"
date = "2013-10-26"
[[notices]]
name = "FreeBSD-EN-13:03.mfi"
date = "2013-08-22"
[[notices]]
name = "FreeBSD-EN-13:01.fxp"
date = "2013-06-28"
[[notices]]
name = "FreeBSD-EN-13:02.vtnet"
date = "2013-06-28"
[[notices]]
name = "FreeBSD-EN-12:02.ipv6refcount"
date = "2012-06-12"
[[notices]]
name = "FreeBSD-EN-12:01.freebsd-update"
date = "2012-01-04"
[[notices]]
name = "FreeBSD-EN-10:02.sched_ule"
date = "2010-02-27"
[[notices]]
name = "FreeBSD-EN-10:01.freebsd"
date = "2010-01-06"
[[notices]]
name = "FreeBSD-EN-09:05.null"
date = "2009-10-02"
[[notices]]
name = "FreeBSD-EN-09:04.fork"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:03.fxp"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:02.bce"
date = "2009-06-24"
[[notices]]
name = "FreeBSD-EN-09:01.kenv"
date = "2009-03-23"
[[notices]]
name = "FreeBSD-EN-08:02.tcp"
date = "2008-06-19"
[[notices]]
name = "FreeBSD-EN-08:01.libpthread"
date = "2008-04-17"
[[notices]]
name = "FreeBSD-EN-07:05.freebsd-update"
date = "2007-03-15"
[[notices]]
name = "FreeBSD-EN-07:04.zoneinfo"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:03.rc.d_jail"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:02.net"
date = "2007-02-28"
[[notices]]
name = "FreeBSD-EN-07:01.nfs"
date = "2007-02-14"
[[notices]]
name = "FreeBSD-EN-06:02.net"
date = "2006-08-28"
[[notices]]
name = "FreeBSD-EN-06:01.jail"
date = "2006-07-07"
[[notices]]
name = "FreeBSD-EN-05:04.nfs"
date = "2005-12-19"
[[notices]]
name = "FreeBSD-EN-05:03.ipi"
date = "2005-01-16"
[[notices]]
name = "FreeBSD-EN-05:02.sk"
date = "2005-01-06"
[[notices]]
name = "FreeBSD-EN-05:01.nfs"
date = "2005-01-05"
[[notices]]
name = "FreeBSD-EN-04:01.twe"
date = "2004-06-28"
diff --git a/website/static/security/advisories/FreeBSD-EN-24:09.zfs.asc b/website/static/security/advisories/FreeBSD-EN-24:09.zfs.asc
new file mode 100644
index 0000000000..3a3b203d3a
--- /dev/null
+++ b/website/static/security/advisories/FreeBSD-EN-24:09.zfs.asc
@@ -0,0 +1,144 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-EN-24:09.zfs Errata Notice
+ The FreeBSD Project
+
+Topic: High CPU usage by kernel threads related to ZFS
+
+Category: contrib
+Module: zfs
+Announced: 2024-04-24
+Affects: FreeBSD 13.3
+Corrected: 2024-04-12 13:00:11 UTC (stable/13, 13-STABLE)
+ 2024-04-24 20:21:10 UTC (releng/13.3, 13.3-RELEASE-p2)
+
+For general information regarding FreeBSD Errata Notices and Security
+Advisories, including descriptions of the fields above, security
+branches, and the following sections, please visit
+.
+
+I. Background
+
+ZFS is an advanced and scalable file system originally developed by Sun
+Microsystems for its Solaris operating system. ZFS was integrated as part of
+the FreeBSD starting with FreeBSD 7.0, and it has since become a prominent
+and preferred choice for storage management.
+
+II. Problem Description
+
+Because ZFS may consume large amounts of RAM to cache various types of
+filesystem objects, it continuously monitors system RAM available to decide
+whether to shrink its caches. Some caches are shrunk using a dedicated
+thread, to which work is dispatched asynchronously.
+
+In some cases, the cache shrinking logic may dispatch excessive amounts of
+work to the "ARC pruning" thread, causing it to continue attempting to shrink
+caches even after resource shortages are resolved.
+
+III. Impact
+
+The bug manifests as a kernel thread, "arc_prune", consuming 100% of a CPU core
+for indefinite periods, even while the system is otherwise idle. This behavior
+also impacts workloads running on the system, by reducing available CPU
+resources and by triggering lock contention in the kernel, in particular with
+the "vnlru" process whose function is to recycle vnodes (structures representing
+files, whether opened or cached), a mechanism frequently triggered by intensive
+filesystem workloads.
+
+IV. Workaround
+
+No workaround is available. Systems not using ZFS are unaffected.
+
+V. Solution
+
+Upgrade your system to a supported FreeBSD stable or release / security branch
+(releng) dated after the correction date. A reboot is required following the
+upgrade.
+
+Perform one of the following:
+
+1) To update your system via a binary patch:
+
+Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
+or the i386 platform on FreeBSD 13 and earlier, can be updated via
+the freebsd-update(8) utility:
+
+# freebsd-update fetch
+# freebsd-update install
+# reboot
+
+2) To update your system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
+
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+
+# fetch https://security.FreeBSD.org/patches/EN-24:09/zfs.patch
+# fetch https://security.FreeBSD.org/patches/EN-24:09/zfs.patch.asc
+# gpg --verify zfs.patch.asc
+
+b) Apply the patch. Execute the following commands as root:
+
+# cd /usr/src
+# patch < /path/to/patch
+
+c) Recompile your kernel as described in
+ and reboot the
+system.
+
+VI. Correction details
+
+This issue is corrected as of the corresponding Git commit hash or Subversion
+revision number in the following stable and release branches:
+
+Branch/path Hash Revision
+- -------------------------------------------------------------------------
+stable/13/ 330954bdb822 stable/13-n257698
+releng/13.3/ 266b3bd3f26d releng/13.3-n257432
+- -------------------------------------------------------------------------
+
+Run the following command to see which files were modified by a
+particular commit:
+
+# git show --stat
+
+Or visit the following URL, replacing NNNNNN with the hash:
+
+
+
+To determine the commit count in a working tree (for comparison against
+nNNNNNN in the table above), run:
+
+# git rev-list --count --first-parent HEAD
+
+VII. References
+
+See problem reports
+ and
+.
+
+See also the previous, similar errata notice issued for FreeBSD 14.0:
+.
+
+The latest revision of this advisory is available at
+
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYpapQACgkQbljekB8A
+Gu8gBxAAiuUNqeGaKNQ1XbV0kSucwnae5uOrQmthHQBY98PJJKUZpm1RTt/FnBB7
+qPxEY5vFRcGgZ43GVlnmfmH/EmqOg6WPpsgKfdq1XTy/ERU815JOsD+wKUWa/9Ia
+g67pnl8HPMSF5eZ1FreWfzNsWmxakiDLg2VXtFx7x3+qocifD/WwGvDTjdDBzzyK
++cIrBqvTlbOCRdHzl49wmNLz46ha5bmxTb7MzXB3jIQ1v+PZ71biyQxBZTrZgR6S
+La8oVe4Kj2lJTJw5S2xvsoyo5PzqmPCyD1m22fzgKTyaAUCXiioUUQDuFTxu9rhW
+I3lSvqdIRw28yRFjGslxlq9x1vShQTw3ILcH31ucxKUNow7hlDz4Ow2NzqXhSjxN
+RMGamxLTA5BcNCR4/DexAjfeh6OKnCG7n0ntlhxI0LWGr4ceT3/ySck7xhCNCSm1
+Ze/Gf9/j4+zR2jyauRANkITPkVHUV79/Sgjn1IlcMDLpzegH+QfQsX6CosG5uSWS
+UlpK2hhCv2g3lE7XuBItz7E/8i5Nx9RZgnh047Nj3ZB/6dCauAeUYKnY5X3xJa5X
+OKJWIGyJAyrCoFIg+LdBS47ggg8wswyyb1XBF2rZgZNqVmzZrJd7lBV/sjDaEC1H
+13lHhIIwtpTagDAT1Nbji++IT+2DatjhLZnMQwvALno0tIE19mg=
+=IgLQ
+-----END PGP SIGNATURE-----
diff --git a/website/static/security/patches/EN-24:09/zfs.patch b/website/static/security/patches/EN-24:09/zfs.patch
new file mode 100644
index 0000000000..48e3e06a44
--- /dev/null
+++ b/website/static/security/patches/EN-24:09/zfs.patch
@@ -0,0 +1,316 @@
+--- sys/contrib/openzfs/include/os/linux/zfs/sys/zpl.h.orig
++++ sys/contrib/openzfs/include/os/linux/zfs/sys/zpl.h
+@@ -52,7 +52,7 @@
+ extern const struct file_operations zpl_dir_file_operations;
+
+ /* zpl_super.c */
+-extern void zpl_prune_sb(int64_t nr_to_scan, void *arg);
++extern void zpl_prune_sb(uint64_t nr_to_scan, void *arg);
+
+ extern const struct super_operations zpl_super_operations;
+ extern const struct export_operations zpl_export_operations;
+--- sys/contrib/openzfs/include/sys/arc.h.orig
++++ sys/contrib/openzfs/include/sys/arc.h
+@@ -81,7 +81,7 @@
+ typedef void arc_read_done_func_t(zio_t *zio, const zbookmark_phys_t *zb,
+ const blkptr_t *bp, arc_buf_t *buf, void *priv);
+ typedef void arc_write_done_func_t(zio_t *zio, arc_buf_t *buf, void *priv);
+-typedef void arc_prune_func_t(int64_t bytes, void *priv);
++typedef void arc_prune_func_t(uint64_t bytes, void *priv);
+
+ /* Shared module parameters */
+ extern int zfs_arc_average_blocksize;
+--- sys/contrib/openzfs/include/sys/arc_impl.h.orig
++++ sys/contrib/openzfs/include/sys/arc_impl.h
+@@ -994,7 +994,6 @@
+
+ extern void arc_lowmem_init(void);
+ extern void arc_lowmem_fini(void);
+-extern void arc_prune_async(int64_t);
+ extern int arc_memory_throttle(spa_t *spa, uint64_t reserve, uint64_t txg);
+ extern uint64_t arc_free_memory(void);
+ extern int64_t arc_available_memory(void);
+--- sys/contrib/openzfs/module/os/freebsd/zfs/arc_os.c.orig
++++ sys/contrib/openzfs/module/os/freebsd/zfs/arc_os.c
+@@ -51,11 +51,6 @@
+ #include
+ #include
+
+-#if __FreeBSD_version >= 1300139
+-static struct sx arc_vnlru_lock;
+-static struct vnode *arc_vnlru_marker;
+-#endif
+-
+ extern struct vfsops zfs_vfsops;
+
+ uint_t zfs_arc_free_target = 0;
+@@ -151,53 +146,6 @@
+ return (MAX(allmem * 5 / 8, size));
+ }
+
+-/*
+- * Helper function for arc_prune_async() it is responsible for safely
+- * handling the execution of a registered arc_prune_func_t.
+- */
+-static void
+-arc_prune_task(void *arg)
+-{
+- int64_t nr_scan = (intptr_t)arg;
+-
+-#ifndef __ILP32__
+- if (nr_scan > INT_MAX)
+- nr_scan = INT_MAX;
+-#endif
+-
+-#if __FreeBSD_version >= 1300139
+- sx_xlock(&arc_vnlru_lock);
+- vnlru_free_vfsops(nr_scan, &zfs_vfsops, arc_vnlru_marker);
+- sx_xunlock(&arc_vnlru_lock);
+-#else
+- vnlru_free(nr_scan, &zfs_vfsops);
+-#endif
+-}
+-
+-/*
+- * Notify registered consumers they must drop holds on a portion of the ARC
+- * buffered they reference. This provides a mechanism to ensure the ARC can
+- * honor the arc_meta_limit and reclaim otherwise pinned ARC buffers. This
+- * is analogous to dnlc_reduce_cache() but more generic.
+- *
+- * This operation is performed asynchronously so it may be safely called
+- * in the context of the arc_reclaim_thread(). A reference is taken here
+- * for each registered arc_prune_t and the arc_prune_task() is responsible
+- * for releasing it once the registered arc_prune_func_t has completed.
+- */
+-void
+-arc_prune_async(int64_t adjust)
+-{
+-
+-#ifndef __LP64__
+- if (adjust > INTPTR_MAX)
+- adjust = INTPTR_MAX;
+-#endif
+- taskq_dispatch(arc_prune_taskq, arc_prune_task,
+- (void *)(intptr_t)adjust, TQ_SLEEP);
+- ARCSTAT_BUMP(arcstat_prune);
+-}
+-
+ uint64_t
+ arc_all_memory(void)
+ {
+@@ -248,10 +196,6 @@
+ {
+ arc_event_lowmem = EVENTHANDLER_REGISTER(vm_lowmem, arc_lowmem, NULL,
+ EVENTHANDLER_PRI_FIRST);
+-#if __FreeBSD_version >= 1300139
+- arc_vnlru_marker = vnlru_alloc_marker();
+- sx_init(&arc_vnlru_lock, "arc vnlru lock");
+-#endif
+ }
+
+ void
+@@ -259,12 +203,6 @@
+ {
+ if (arc_event_lowmem != NULL)
+ EVENTHANDLER_DEREGISTER(vm_lowmem, arc_event_lowmem);
+-#if __FreeBSD_version >= 1300139
+- if (arc_vnlru_marker != NULL) {
+- vnlru_free_marker(arc_vnlru_marker);
+- sx_destroy(&arc_vnlru_lock);
+- }
+-#endif
+ }
+
+ void
+--- sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vfsops.c.orig
++++ sys/contrib/openzfs/module/os/freebsd/zfs/zfs_vfsops.c
+@@ -2097,6 +2097,26 @@
+ #endif
+ }
+
++#if __FreeBSD_version >= 1300139
++static struct sx zfs_vnlru_lock;
++static struct vnode *zfs_vnlru_marker;
++#endif
++static arc_prune_t *zfs_prune;
++
++static void
++zfs_prune_task(uint64_t nr_to_scan, void *arg __unused)
++{
++ if (nr_to_scan > INT_MAX)
++ nr_to_scan = INT_MAX;
++#if __FreeBSD_version >= 1300139
++ sx_xlock(&zfs_vnlru_lock);
++ vnlru_free_vfsops(nr_to_scan, &zfs_vfsops, zfs_vnlru_marker);
++ sx_xunlock(&zfs_vnlru_lock);
++#else
++ vnlru_free(nr_to_scan, &zfs_vfsops);
++#endif
++}
++
+ void
+ zfs_init(void)
+ {
+@@ -2123,11 +2143,23 @@
+ dmu_objset_register_type(DMU_OST_ZFS, zpl_get_file_info);
+
+ zfsvfs_taskq = taskq_create("zfsvfs", 1, minclsyspri, 0, 0, 0);
++
++#if __FreeBSD_version >= 1300139
++ zfs_vnlru_marker = vnlru_alloc_marker();
++ sx_init(&zfs_vnlru_lock, "zfs vnlru lock");
++#endif
++ zfs_prune = arc_add_prune_callback(zfs_prune_task, NULL);
+ }
+
+ void
+ zfs_fini(void)
+ {
++ arc_remove_prune_callback(zfs_prune);
++#if __FreeBSD_version >= 1300139
++ vnlru_free_marker(zfs_vnlru_marker);
++ sx_destroy(&zfs_vnlru_lock);
++#endif
++
+ taskq_destroy(zfsvfs_taskq);
+ zfsctl_fini();
+ zfs_znode_fini();
+--- sys/contrib/openzfs/module/os/linux/zfs/arc_os.c.orig
++++ sys/contrib/openzfs/module/os/linux/zfs/arc_os.c
+@@ -491,57 +491,6 @@
+ }
+ #endif /* _KERNEL */
+
+-/*
+- * Helper function for arc_prune_async() it is responsible for safely
+- * handling the execution of a registered arc_prune_func_t.
+- */
+-static void
+-arc_prune_task(void *ptr)
+-{
+- arc_prune_t *ap = (arc_prune_t *)ptr;
+- arc_prune_func_t *func = ap->p_pfunc;
+-
+- if (func != NULL)
+- func(ap->p_adjust, ap->p_private);
+-
+- zfs_refcount_remove(&ap->p_refcnt, func);
+-}
+-
+-/*
+- * Notify registered consumers they must drop holds on a portion of the ARC
+- * buffered they reference. This provides a mechanism to ensure the ARC can
+- * honor the arc_meta_limit and reclaim otherwise pinned ARC buffers. This
+- * is analogous to dnlc_reduce_cache() but more generic.
+- *
+- * This operation is performed asynchronously so it may be safely called
+- * in the context of the arc_reclaim_thread(). A reference is taken here
+- * for each registered arc_prune_t and the arc_prune_task() is responsible
+- * for releasing it once the registered arc_prune_func_t has completed.
+- */
+-void
+-arc_prune_async(int64_t adjust)
+-{
+- arc_prune_t *ap;
+-
+- mutex_enter(&arc_prune_mtx);
+- for (ap = list_head(&arc_prune_list); ap != NULL;
+- ap = list_next(&arc_prune_list, ap)) {
+-
+- if (zfs_refcount_count(&ap->p_refcnt) >= 2)
+- continue;
+-
+- zfs_refcount_add(&ap->p_refcnt, ap->p_pfunc);
+- ap->p_adjust = adjust;
+- if (taskq_dispatch(arc_prune_taskq, arc_prune_task,
+- ap, TQ_SLEEP) == TASKQID_INVALID) {
+- zfs_refcount_remove(&ap->p_refcnt, ap->p_pfunc);
+- continue;
+- }
+- ARCSTAT_BUMP(arcstat_prune);
+- }
+- mutex_exit(&arc_prune_mtx);
+-}
+-
+ /* BEGIN CSTYLED */
+ ZFS_MODULE_PARAM(zfs_arc, zfs_arc_, shrinker_limit, INT, ZMOD_RW,
+ "Limit on number of pages that ARC shrinker can reclaim at once");
+--- sys/contrib/openzfs/module/os/linux/zfs/zpl_super.c.orig
++++ sys/contrib/openzfs/module/os/linux/zfs/zpl_super.c
+@@ -334,7 +334,7 @@
+ }
+
+ void
+-zpl_prune_sb(int64_t nr_to_scan, void *arg)
++zpl_prune_sb(uint64_t nr_to_scan, void *arg)
+ {
+ struct super_block *sb = (struct super_block *)arg;
+ int objects = 0;
+--- sys/contrib/openzfs/module/zfs/arc.c.orig
++++ sys/contrib/openzfs/module/zfs/arc.c
+@@ -868,6 +868,8 @@
+ static void l2arc_hdr_arcstats_update(arc_buf_hdr_t *hdr, boolean_t incr,
+ boolean_t state_only);
+
++static void arc_prune_async(uint64_t adjust);
++
+ #define l2arc_hdr_arcstats_increment(hdr) \
+ l2arc_hdr_arcstats_update((hdr), B_TRUE, B_FALSE)
+ #define l2arc_hdr_arcstats_decrement(hdr) \
+@@ -6521,6 +6523,56 @@
+ kmem_free(p, sizeof (*p));
+ }
+
++/*
++ * Helper function for arc_prune_async() it is responsible for safely
++ * handling the execution of a registered arc_prune_func_t.
++ */
++static void
++arc_prune_task(void *ptr)
++{
++ arc_prune_t *ap = (arc_prune_t *)ptr;
++ arc_prune_func_t *func = ap->p_pfunc;
++
++ if (func != NULL)
++ func(ap->p_adjust, ap->p_private);
++
++ zfs_refcount_remove(&ap->p_refcnt, func);
++}
++
++/*
++ * Notify registered consumers they must drop holds on a portion of the ARC
++ * buffers they reference. This provides a mechanism to ensure the ARC can
++ * honor the metadata limit and reclaim otherwise pinned ARC buffers.
++ *
++ * This operation is performed asynchronously so it may be safely called
++ * in the context of the arc_reclaim_thread(). A reference is taken here
++ * for each registered arc_prune_t and the arc_prune_task() is responsible
++ * for releasing it once the registered arc_prune_func_t has completed.
++ */
++static void
++arc_prune_async(uint64_t adjust)
++{
++ arc_prune_t *ap;
++
++ mutex_enter(&arc_prune_mtx);
++ for (ap = list_head(&arc_prune_list); ap != NULL;
++ ap = list_next(&arc_prune_list, ap)) {
++
++ if (zfs_refcount_count(&ap->p_refcnt) >= 2)
++ continue;
++
++ zfs_refcount_add(&ap->p_refcnt, ap->p_pfunc);
++ ap->p_adjust = adjust;
++ if (taskq_dispatch(arc_prune_taskq, arc_prune_task,
++ ap, TQ_SLEEP) == TASKQID_INVALID) {
++ zfs_refcount_remove(&ap->p_refcnt, ap->p_pfunc);
++ continue;
++ }
++ ARCSTAT_BUMP(arcstat_prune);
++ }
++ mutex_exit(&arc_prune_mtx);
++}
++
+ /*
+ * Notify the arc that a block was freed, and thus will never be used again.
+ */
diff --git a/website/static/security/patches/EN-24:09/zfs.patch.asc b/website/static/security/patches/EN-24:09/zfs.patch.asc
new file mode 100644
index 0000000000..52cdb325ff
--- /dev/null
+++ b/website/static/security/patches/EN-24:09/zfs.patch.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmYpapUACgkQbljekB8A
+Gu+L3BAA1EBD3O+tAqKg9W8MvPihcNkHCVX5gDvY9p/xiN6nmo7JQsdNmoycZVjF
+R07XpgAtuQ0mfw4fy/FvgAy4EK1q/SjQC/ON3zu78Hph610F2wabGW5p6qbotYl2
+P/msYGFPDqUgtw1SjVzXHKYRYjQnhQqbr2SIpH7ekOej65TiWuQSsRcl0YIQrjia
+RfeH6faIXUyjNnDrlu2L71GY9XxiWR3FGXTfnXWbguz17kuWctCxT8UMfVGRoLa+
+yxzPX1cVgEW86lDtlvlnPbymR4rohGPrGlmLdHJdwY0H855ff0kQrreQzcfNYf7Y
+xu/yxj51CF+ima7o8auDGPxGFzy3zkD5GQsLw2QoXG+Ad4EY4ZiaKYryqK7zug6Q
+V8Im3PPx2CXHXXs3FmVYA+RVMHJo79zlDEwE450bRfTaj/NzRUlO62v6jqpUjayr
+2pFVYwIyECm/qNddKY/4j/hMCjp11/H1co5uqFvXDWUfyVQB3iXHl5wjjyTdO8xw
+DS9dRtNAUiCxgOHgz6k0U9C6gi6Xh8NNLE9QSU3CWpFWuTgrzIwAXYoCryg/c7J+
+17M6DnK0NN9z3ScehrVT4QgPPzxp5ziLhY84ZJ8qpCPsYV7ZR/rU9Yc/+mT5N3SE
+QcJehAsEQUJjHL7EhkML61emj8i/avXau95AkCrcmHI5eLy1F+g=
+=Q5E+
+-----END PGP SIGNATURE-----