This section covers changes and additions to userland applications, contributed software, and system utilities.
Userland Application Changes
The diff(1) utility now reports I/O errors encountered during the Stone algorithm’s file comparison phase, providing error messages where previously only the exit status indicated failure. 3c10ed2ba3aa. (Sponsored by Klara, Inc.)
The diff(1) utility no longer incorrectly compares a file or directory to itself, fixing a bug where diff could produce misleading output. In addition, several internal correctness and robustness improvements were made (see related commits), including fixes for resource leaks in the pagination code, improved error handling around file descriptor operations, and prevention of potential integer overflows when using very large context windows. Additional tests were added to cover these cases. b4139147bbb7, 6761e555376e, 2434f3b279a9, 238bf5ebf684. (Sponsored by Klara, Inc.)
The mdo(1) privilege-escalation utility adds new options to control user and group IDs in launched processes, including -k to keep current users, -g and -G to set primary and supplementary groups, -s to amend supplementary groups, and --euid/--ruid/--svuid/--egid/--rgid/--svgid to override specific IDs. This provides finer-grained control over process credentials while maintaining compatibility with existing behavior. 58f55afb301b. (Sponsored by The FreeBSD Foundation | Google LLC (GSoC 2025))
The sockstat(1) utility now displays UDP-Lite endpoints by default, providing visibility into these sockets alongside other network connections. 23cda744e4da.
The nuageinit(7) tool now supports the chpasswd command, allowing password changes via a list or multiline string, including deprecated syntax for compatibility with some providers. 6c912470030b. (Sponsored by OVHCloud)
The pkg(7) utility now parses command-line arguments in the same way as pkg(8), requiring options to be placed in the same positions. Note: This changes the behavior of some previously accepted command sequences, such as pkg -f bootstrap no longer working; users must use pkg bootstrap -f instead. 62947e508161. (Sponsored by The FreeBSD Foundation)
The bsdinstall(8) installer no longer supports ZFS installations using MBR disk layouts. This removes a previously broken option that could cause installation failures. 220584471931. (Sponsored by The FreeBSD Foundation)
The freebsd-update(8) utility now installs shared libraries in a specific order (libsys, libc, libthr, then others) to prevent failures during upgrades from 14.x to 15.x. e26928669f39. (Sponsored by https://www.patreon.com/cperciva)
The filesystem creation utility, newfs(8), gained a -u flag to disable the default soft updates and soft updates journaling for UFS2 filesystems. 929ef0d36c6c. (Sponsored by Klara, Inc. | NetApp, Inc.)
The ngctl(8) utility gained a -j flag to attach and run inside a jail, allowing manipulation of netgraph nodes from within a jail(8). This enables administrators to manage netgraph configurations in jails where ngctl may not be directly available. 04911babef1b.
A new utility for controlling sound devices, sndctl(8), has appeared with an interface similar to mixer(8). 00988d12bc37. (Sponsored by The FreeBSD Foundation)
The jail(8) subsystem has gained meta and env parameters, allowing arbitrary string metadata and environment information to be associated with each jail. The parameters can be set during jail creation or modified later using jail -cm, and can be viewed with jls(8). The security.jail.meta_maxbufsize sysctl(8) controls the maximum size of these parameters. 527027da391d. (Sponsored by SkunkWerks GmbH)
The Bluetooth startup script rc.d/bluetooth now retries the hccontrol reset up to three times for improved reliability and fixes a redirection bug that could create stray files. 53d1c328e912.
The swapon(8) utility now supports encrypted swap files using md(4) devices with an .eli suffix in fstab(5). This allows encrypted swap to be configured in fstab as previously documented. 9d80d681ee9d.
Contributed Software
The Kerberos kadmin(1) utility gains a new -f option for dumping Heimdal KDC databases in MIT-compatible format, enabling migration to MIT KDC without recreating the database from scratch. a93e1b731ae4.
The mandoc(1) manual page compiler has been updated to version 2025-09-26, improving case sorting and visual compatibility with groff(1), fixing a PDF/PS footer regression, and improving the linter. 7fa4ccb8e4e7, 8039d22f6afd.
The netcat utility, nc(1), now accepts service names like 'http' in addition to port numbers for the -p option and as command-line arguments. 0fe58344e829.
The xz(1) data compression suite has been updated to version 5.8.2. 07700b0107dc.
The multi-format archive and compression library, libarchive(3), has been updated to version 3.8.5. This includes a bug fix for tar(1) to resolve a regression in zero-length pattern handling. 39fd1181e5b2.
libyaml has been updated to version 0.2.5. e52f11f4bbc8.
lyaml, a Lua binding for libyaml, is now available in the base system. c508393e49fc.
libucl(3) has been updated to version 0.9.2. 0a8d8b0c878f. (Sponsored by The FreeBSD Foundation)
The expat XML parser has been updated to version 2.7.3. a85cfcb61efd.
The OpenZFS filesystem has been updated to version 2.2.9. This release includes improvements to ARC shrinking, fixes for zpool add safety checks, zvol blk-mq synchronization, and BRT range conversion math. 709465f2c4f1.
The mapping tree utility, mtree(8), has been updated, improving compatibility and fixing bugs. f9d671f726ac.
The unbound(8) DNS resolver has been updated to version 1.24.1, mitigating YXDOMAIN and nodata non-referral answer poisoning, preventing a malicious actor from exploiting a possible cache poison attack. This addresses CVE-2025-11411. eeb41dca070f, cd40a23fb249.
The PCI vendors database has been updated to version 2026-02-10. 7805899ed791.
The USB vendor database has been updated to 2025-12-13. 02138275effb.
The Time Zone database has been updated to version 2025c. 68e2f4cc5e4e.
The SQLite database has been updated to version 3.50.4. ef55f6b86626.
The gallant console font now includes over 4300 glyphs, adding support for Greek, Cyrillic, IPA extensions, extended Latin, Zapf Dingbats, arrows, mathematical symbols, box drawing, currency symbols, and Powerline glyphs. This expands the character set available in the console for multilingual text and symbols. 8d2d6647d65a.
The spleen console font has been updated to version 2.2.0, adding missing characters (em-dash, en-dash, hyphen, angle brackets, white square, dagger, double dagger) and improving character alignment, particularly for high-dpi displays. c44ec96b471e.
OpenSSH has been updated to version 10.0p2. The update removes support for the weak DSA signature algorithm and changes the default key agreement to the post-quantum hybrid algorithm mlkem768x25519-sha256. The sshd(8) authentication phase now runs in a separate sshd-auth binary. 7ca599aa6139. (Sponsored by The FreeBSD Foundation)
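Because DSA support is removed, any remaining ssh-dss public keys or configuration references stop working after this update. The following sh script is an added example, not part of the release notes or the FreeBSD project's code: it locates such material in authorized_keys/known_hosts style files and in ssh_config/sshd_config. The function names are hypothetical and the sample files are constructed.

```sh
# Added example; function names are hypothetical, sample files are constructed.

# Print "file:line:comment" for each ssh-dss key in authorized_keys or
# known_hosts style files. Options or host names may precede the key type, so
# every field is checked; the base64 "ssh-dss" blob header must follow it.
find_dsa_keys() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*(#|$)/ { next }
            {
                for (i = 1; i < NF; i++)
                    if ($i == "ssh-dss" && $(i + 1) ~ /^AAAAB3NzaC1kc3M/) {
                        printf "%s:%d:%s\n", file, NR, (i + 2 <= NF ? $(i + 2) : "-")
                        next
                    }
            }' "$f"
    done
}

# Print "file:line:keyword" for active ssh_config/sshd_config lines that name
# ssh-dss or a DSA host key file (ssh_host_dsa_key is the conventional name).
find_dsa_config() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ { next }
            /ssh-dss|ssh_host_dsa_key/ { printf "%s:%d:%s\n", file, NR, $1 }
        ' "$f"
    done
}

# Constructed sample input (truncated placeholder blobs, not real keys).
make_samples() {
    cat > "$1/authorized_keys" <<'EOF'
# constructed sample
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed alice@example
command="echo ssh-dss" ssh-rsa AAAAB3NzaC1yc2EAAAADconstructed ci@example
from="192.0.2.10" ssh-dss AAAAB3NzaC1kc3MAAACBconstructed legacy@example
EOF
    cat > "$1/sshd_config" <<'EOF'
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PubkeyAcceptedAlgorithms +ssh-dss
EOF
}
d=$(mktemp -d) && make_samples "$d"
find_dsa_keys "$d/authorized_keys"; find_dsa_config "$d/sshd_config"
rm -rf "$d"
```

On a real host, pass the per-user authorized_keys files and the system ssh_config/sshd_config paths instead of the sample directory.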
OpenSSL has been updated to version 3.0.16. aed5a47b3a8a.
Deprecated Applications
The RIP routing protocol is deprecated and will be removed in a future release. The man pages for routed(8), rtquery(8), route6d(8), and rip6query(8) are updated to note the deprecation. Users needing RIP should use alternatives like 'bird' or 'quagga' from the ports collection. d350c18f98fd.
Runtime Libraries and API
The Internet network number manipulation library functions, inet_net_ntop(3) and inet_net_pton(3), are updated to correctly handle IPv6 addresses, fixing previous incorrect behavior. b4871be3490d. (Sponsored by https://www.patreon.com/bsdivy)
The PAM library now searches for modules in ${LOCALBASE}/lib/security, in addition to ${LOCALBASE}/lib. This allows PAM modules installed by ports that follow the Linux directory convention to be found and used. 65808459e21b.