Naturally they don't do blog posts about what they find.
The recent two. FailCopy and DirtyFrag and FreeBSD with Execve.
2 - Linux 1 - FreeBSD.
Of course, all OS have had past-time exploits. Three now have made the news.
All that to say, the BSD userbase has a sizeable subset that are there for countercultural reasons, rather than technical. These are the people who buy into, say, OpenBSD's vaunted security reputation, or believe that "linux bad because reasons", so you're always going to get people in here bragging, because "not using linux" has become part of their identity.
I run a mix of FreeBSD and Linux on my personal devices. The ground truth is that FreeBSD is yet another unix-like OS written in C, and thus not immune from the types of bugs that stem from that lineage. None of the BSD distros are materially more secure or better than a properly-configured and patched Linux.
> thus not immune from the types of bugs that stem from that lineage
They never claimed that FreeBSD didn't have vulnerabilities. I honestly have no idea why grandparent decided to bring up their comment when it exactly validates what the person they were criticising says. GP admits the response to the vulnerability was well-coordinated. The response to security vulnerabilities was the exact, and only, subject of the post they're calling out.
I've tried to use it but I found it pretty difficult for systems that need a GUI. Maybe I should revisit.
sysutils/vm-bhyve makes it quite friendly.
I wouldn't use it for work, though, just personal. Work is all enterprisey kubernetes stuff.
Edit: there is a 'proxmox-like' for FreeBSD out [0] -- I did try it on a couple machines and couldn't get the network working, but consoles seemed to work.. Kinda.
I use Linux as well but I really like FreeBSD for a number of technical reasons. Like the ports collection, the jails, the first-class citizen ZFS.
And Gnome 3 doesn't really have anything to do with Linux. It is also available for FreeBSD if you want it (I don't, I hate the minimalist opinionated design style so I use KDE, also on Linux).
But I use Linux on servers where I run docker for example. It's not about "not using linux".
Check out our blog post for a fun walkthrough: https://blog.calif.io/p/cve-2026-7270-how-i-get-root-on-free...
AI-generated working exploit, write-up and prompts: https://github.com/califio/publications/tree/main/MADBugs/fr...
rvz•1h ago
> No workaround is available.
Oh dear.
itsthefrank•1h ago
> Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.
Not everyone can just freebsd-update and reboot, so yes, "Oh dear." is a good response to this.
epcoa•1h ago
itsthefrank•1h ago
wswin•17m ago
cyberpunk•1h ago
You should treat any system where non-admins regularly login as basically insecure/owned and rig your architecture appropriately.
TBH -- I don't have any of these kinds of boxes anymore. Who is really running anything like this in 2026 and for what purpose?
jmspring•53m ago
cyberpunk•42m ago
My point is that if you do, you probably shouldn't run, e.g., applications which need production db credentials, or hold sensitive data on these boxes, or .. whatever.
Edit: I use FreeBSD extensively, for various things -- but shell access to them is restricted to the sysadmins..
icedchai•40m ago
bch•36m ago
> Who is really running anything like this in 2026 and for what purpose?
Am I parsing your question correctly?
cyberpunk•30m ago
mrln•23m ago
The systems should be cut off from sensitive administrative data, but a malicious student would at the very least have access to the other students' data with an LPE.
yjftsjthsd-h•18m ago
skydhash•1h ago
paulddraper•12m ago
tptacek•19m ago
wolvoleo•11m ago