CVE-2026-4747
published 2026-03-26


Priority: P267 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.92% (77.3th percentile)
Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.

Affected

8 ranges (the first four rows carry no version data on the page)

Vendor    Product    Version range               Fixed in
freebsd   freebsd
freebsd   freebsd
freebsd   freebsd
freebsd   freebsd
freebsd   freebsd    >= 13.5-RELEASE < p11       p11
freebsd   freebsd    >= 14.3-RELEASE < p10       p10
freebsd   freebsd    >= 14.4-RELEASE < p1        p1
freebsd   freebsd    >= 15.0-RELEASE < p5        p5

Detection & IOCs (extracted from sources)

  • url: https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch
  • hash: 1b00fdc1f3cd
  • hash: 4ec1b6213463
  • hash: e5ed09ffd592
  • hash: 7ea03a4238e8
  • hash: b6ce88ab9a5f
  • hash: 99ec7f9b9e48
  • hash: c4f53a1adbd4
  • filename: kgssapi.ko
  • The vulnerability is exploitable pre-authentication — malicious RPCSEC_GSS packets triggering a stack overflow do not require the client to authenticate first. Detection should focus on anomalous or malformed RPCSEC_GSS packets arriving at NFS server ports from any source, including unauthenticated clients.
  • Monitor for the presence of kgssapi.ko loaded in the FreeBSD kernel on NFS servers. Systems with this module loaded are the primary attack surface for kernel-level RCE.
  • Monitor userspace daemons linked against librpcgss_sec that expose an RPC server interface; these are independently vulnerable to RCE from any network client without authentication requirements.
  • Starting from a disclosed CVE and its patch, AI models built working exploits in under a day. Treat patch deployment for this CVE as time-critical — assume a working exploit can be developed within hours of public disclosure.
  • NVD's description frames kernel RCE as requiring the attacker to be able to send packets while kgssapi.ko is loaded, whereas Anthropic's red team describes the result as 'full root for an unauthenticated attacker from anywhere on the internet.' The pre-auth stack overflow is confirmed; the precise conditions for full kernel RCE may depend on additional factors (e.g., KASLR, W^X bypass).
  • No workaround is available short of unloading kgssapi.ko. Disabling the module prevents kernel exploitation but may break Kerberos-based NFS authentication.
  • The FreeBSD base system is not known to ship any userspace RPC server daemons linked with librpcgss_sec, so userspace exposure is limited to third-party applications.