CVE-2026-4747 | FreeBSD RPCSEC_GSS kgssapi.ko stack-based overflow

VDB-353567 · CVE-2026-4747 · GCVE-0-2026-4747 FREEBSD RPCSEC_GSS KGSSAPI.KO STACK-BASED OVERFLOW HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 8.4 $5k-$25k 4.67+ Summaryinfo A vulnerability marked as critical has been reported in FreeBSD. Impacted is an unknown function in the library kgssapi.ko of the component RPCSEC_GSS Handler. The manipulation leads to stack-based overflow. This vulnerability is uniquely identified as CVE-2026-4747. The attack is possible to be carried out remotely. No exploit exists. It is recommended to apply a patch to fix this issue. Detailsinfo A vulnerability, which was classified as critical, has been found in FreeBSD (the affected version is unknown). This issue affects an unknown code in the library kgssapi.ko of the component RPCSEC_GSS Handler. The manipulation with an unknown input leads to a stack-based overflow vulnerability. Using CWE to declare the problem leads to CWE-121. A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). Impacted is confidentiality, integrity, and availability. The summary by CVE is: Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system. The weakness was disclosed by Nicholas Carlini. It is possible to read the advisory at security.freebsd.org. The identification of this vulnerability is CVE-2026-4747 since 03/24/2026. The exploitation is known to be easy. The attack may be initiated remotely. Technical details of the vulnerability are known, but there is no available exploit. The pricing for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 03/26/2026). Applying a patch is able to eliminate this problem. Productinfo Type Operating System Name FreeBSD License open-source Website Product: https://www.freebsd.org/ CPE 2.3info 🔒 CPE 2.2info 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 8.8 VulDB Meta Temp Score: 8.4 VulDB Base Score: 8.8 VulDB Temp Score: 8.4 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Stack-based overflow CWE: CWE-121 / CWE-119 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Patch Status: 🔍 0-Day Time: 🔒 Timelineinfo 03/24/2026 CVE reserved 03/26/2026 +2 days Advisory disclosed 03/26/2026 +0 days VulDB entry created 03/26/2026 +0 days VulDB entry last update Sourcesinfo Product: freebsd.org Advisory: security.freebsd.org Researcher: Nicholas Carlini Status: Confirmed CVE: CVE-2026-4747 (🔒) GCVE (CVE): GCVE-0-2026-4747 GCVE (VulDB): GCVE-100-353567 Entryinfo Created: 03/26/2026 08:53 Changes: 03/26/2026 08:53 (55) Complete: 🔍 Cache ID: 99:63D:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸