=============================================================================
FreeBSD-EN-26:XX.syslogd                                        Errata Notice
                                                          The FreeBSD Project

Topic:          syslogd memory leak in casper_ttymsg()

Category:       core
Module:         syslogd
Announced:      2026-XX-XX
Credits:        Pat Maddox
Affects:        FreeBSD 15.0 and 15.1
Corrected:      2026-05-22 21:45:30 UTC (main, 16.0-CURRENT)
                2026-05-26 20:37:18 UTC (stable/15, 15.1-STABLE)
                XX                      (releng/15.1, 15.1-RELEASE-pXX)
                XX                      (releng/15.0, 15.0-RELEASE-pXX)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:https://security.FreeBSD.org/>.

I.   Background

syslogd(8) is the system log daemon, responsible for receiving log
messages from the kernel and from userland programs and dispatching
them according to syslog.conf(5).  As of commit 61a29eca550b, syslogd
delegates the actual writing of messages to a libcasper(3) service
(syslogd.casper) running in a sandboxed process.  Messages destined
for the console and for logged-in users' terminals are passed across the
Casper channel as nvlist(9) string arrays, and dispatched by
casper_ttymsg() and casper_wallmsg().

II.  Problem Description

casper_ttymsg() and casper_wallmsg() retrieve the message string
array from the incoming nvlist using nvlist_take_string_array(9),
which transfers ownership of the array and its strings to the caller.
casper_ttymsg() never frees the returned storage, and casper_wallmsg()
frees only the per-string buffers, never the array itself in the success
path.  Every console and tty message therefore leaks memory in the
syslogd.casper process.

III. Impact

On long-running systems that emit a steady stream of log messages routed
to /dev/console or to user terminals, the resident size of syslogd.casper
helper process grows without bound.  This may eventually lead to memory
pressure, including swap usage, or process termination by the
out-of-memory killer. syslogd itself continues to function.

IV.  Workaround

Periodically restarting syslogd will reclaim leaked memory. Systems that
do not direct syslog output to /dev/console, terminals, or wall
destinations are not affected.

V.   Solution

Upgrade your system to a supported FreeBSD stable, release, or security
branch, dated after the correction date.

Perform one of the following:

1) To update your system installed from base system packages:

Systems running a 15.0-RELEASE or 15.1-RELEASE version of FreeBSD on the
amd64 or arm64 platforms, which were installed using base system packages,
can be updated via the pkg(8) utility:

# pkg upgrade -r FreeBSD-base

Restart syslogd (service syslogd restart), or reboot the system.

2) To update your system installed from binary distribution sets:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms
which were not installed using base system packages can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart syslogd (service syslogd restart), or reboot the system.

3) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-26:XX/syslogd.patch
# fetch https://security.FreeBSD.org/patches/EN-26:XX/syslogd.patch.asc
# gpg --verify syslogd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart syslogd (service syslogd restart), or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                  Hash          Revision
-------------------------------------------------------------------------
main/                        c783d7181d6a  main/n286078
stable/15/                   be03b0fb2241  stable/15-n283693
releng/15.0/                 XXX           releng/15.0-nXX
releng/15.1/                 XXX           releng/15.0-nXX
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat <commit hash>

Or visit the following URL, replacing NNNNNN with the hash:

<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

<URL:https://cgit.freebsd.org/src/commit/?id=c783d7181d6a71cb2453f06e40c08c892510c2f2>
<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295488>
<URL:https://github.com/freebsd/freebsd-src/pull/2222>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-26:XX.syslogd.asc>