From d05601ed3f388f74af060178d7d95c10cde467e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Tue, 31 Mar 2026 23:11:55 +0200
Subject: [PATCH] feat: add CVE-2023-20593 (Zenbleed) mitigation detection for BSD

---
 src/vulns/CVE-2023-20593.sh | 54 +++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/src/vulns/CVE-2023-20593.sh b/src/vulns/CVE-2023-20593.sh
index 4685d50..4003265 100644
--- a/src/vulns/CVE-2023-20593.sh
+++ b/src/vulns/CVE-2023-20593.sh
@@ -118,3 +118,57 @@ check_CVE_2023_20593_linux() {
 pvulnstatus "$cve" "$status" "$msg"
 fi
 }
+
+# CVE-2023-20593 Zenbleed (cross-process information leak via AVX2) - BSD mitigation check
+check_CVE_2023_20593_bsd() {
+ local zenbleed_enable zenbleed_state kernel_zenbleed
+ pr_info_nol "* Kernel supports Zenbleed mitigation (machdep.mitigations.zenbleed.enable): "
+ zenbleed_enable=$(sysctl -n machdep.mitigations.zenbleed.enable 2>/dev/null)
+ if [ -n "$zenbleed_enable" ]; then
+ kernel_zenbleed=1
+ case "$zenbleed_enable" in
+ 0) pstatus yellow YES "force disabled" ;;
+ 1) pstatus green YES "force enabled" ;;
+ 2) pstatus green YES "automatic (default)" ;;
+ *) pstatus yellow YES "unknown value: $zenbleed_enable" ;;
+ esac
+ else
+ kernel_zenbleed=0
+ pstatus yellow NO
+ fi
+
+ pr_info_nol "* Zenbleed mitigation state: "
+ zenbleed_state=$(sysctl -n machdep.mitigations.zenbleed.state 2>/dev/null)
+ if [ -n "$zenbleed_state" ]; then
+ if echo "$zenbleed_state" | grep -qi 'not.applicable\|mitigation.enabled'; then
+ pstatus green YES "$zenbleed_state"
+ elif echo "$zenbleed_state" | grep -qi 'mitigation.disabled'; then
+ pstatus yellow NO "$zenbleed_state"
+ else
+ pstatus yellow UNKNOWN "$zenbleed_state"
+ fi
+ else
+ pstatus yellow NO "sysctl not available"
+ fi
+
+ if ! is_cpu_affected "$cve"; then
+ pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not affected"
+ elif [ "$kernel_zenbleed" = 1 ] && [ "$zenbleed_enable" != 0 ]; then
+ if [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'mitigation.enabled'; then
+ pvulnstatus "$cve" OK "Zenbleed mitigation is enabled ($zenbleed_state)"
+ elif [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'not.applicable'; then
+ pvulnstatus "$cve" OK "Zenbleed mitigation not applicable to this CPU ($zenbleed_state)"
+ else
+ pvulnstatus "$cve" OK "Zenbleed mitigation is enabled"
+ fi
+ elif [ "$kernel_zenbleed" = 1 ] && [ "$zenbleed_enable" = 0 ]; then
+ pvulnstatus "$cve" VULN "Zenbleed mitigation is supported but force disabled"
+ explain "To re-enable Zenbleed mitigation, run \`sysctl machdep.mitigations.zenbleed.enable=2' for automatic mode.\n " \
+ "To make this persistent, add 'machdep.mitigations.zenbleed.enable=2' to /etc/sysctl.conf."
+ else
+ pvulnstatus "$cve" VULN "your kernel doesn't support Zenbleed mitigation, update it"
+ explain "Your CPU vendor may also have a new microcode for your CPU model that mitigates this issue.\n " \
+ "Updating to FreeBSD 14.0 or later will provide kernel-level Zenbleed mitigation via the\n " \
+ "machdep.mitigations.zenbleed sysctl."
+ fi
+}
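Review bot: The state display check `grep -qi 'not.applicable\|mitigation.enabled'` depends on the GNU-only BRE alternation `\|`, which, as far as I know, the BSD grep shipped on the very platforms this `_bsd` function targets treats literally, so a `Mitigation enabled` state is likely to be printed as UNKNOWN there; use POSIX ERE instead, `grep -qiE 'not.applicable|mitigation.enabled'`. Separately, the inner fallback `pvulnstatus "$cve" OK "Zenbleed mitigation is enabled"` asserts the mitigation is active even when the state sysctl reported `Mitigation disabled` or an unrecognised string, so the verdict can contradict the line printed just above it; I would add `elif [ -n "$zenbleed_state" ] && echo "$zenbleed_state" | grep -qi 'mitigation.disabled'; then pvulnstatus "$cve" VULN "kernel reports Zenbleed mitigation disabled ($zenbleed_state)"` before that `else` and reword the remaining fallback to say the state could not be read rather than that the mitigation is enabled. The `machdep.mitigations.zenbleed.*` names and the "Updating to FreeBSD 14.0 or later" advice in the final `explain` are FreeBSD-specific, so if this function is also dispatched on OpenBSD or NetBSD (the caller is not visible in this hunk) those systems would be told their kernel lacks the mitigation and given guidance that does not apply.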