{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4747", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2026-03-24T03:57:38.500Z", "datePublished": "2026-03-26T06:21:12.735Z", "dateUpdated": "2026-03-26T13:30:42.498Z"}, "containers": {"cna": {"datePublic": "2026-03-26T05:00:00.000Z", "title": "Remote code execution via RPCSEC_GSS packet validation", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["rpcsec_gss"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"status": "affected", "versionType": "release", "version": "15.0-RELEASE", "lessThan": "p5"}, {"status": "affected", "versionType": "release", "version": "14.4-RELEASE", "lessThan": "p1"}, {"status": "affected", "versionType": "release", "version": "14.3-RELEASE", "lessThan": "p10"}, {"status": "affected", "versionType": "release", "version": "13.5-RELEASE", "lessThan": "p11"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nicholas Carlini using Claude, Anthropic"}], "descriptions": [{"lang": "en", "value": "Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.\n\nAs kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel.\n\nIn userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-03-26T06:21:12.735Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:30:18.388029Z", "id": "CVE-2026-4747", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:30:42.498Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4747", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2026-03-24T03:57:38.500Z", "datePublished": "2026-03-26T06:21:12.735Z", "dateUpdated": "2026-03-26T13:30:42.498Z"}, "containers": {"cna": {"datePublic": "2026-03-26T05:00:00.000Z", "title": "Remote code execution via RPCSEC_GSS packet validation", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["rpcsec_gss"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"status": "affected", "versionType": "release", "version": "15.0-RELEASE", "lessThan": "p5"}, {"status": "affected", "versionType": "release", "version": "14.4-RELEASE", "lessThan": "p1"}, {"status": "affected", "versionType": "release", "version": "14.3-RELEASE", "lessThan": "p10"}, {"status": "affected", "versionType": "release", "version": "13.5-RELEASE", "lessThan": "p11"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nicholas Carlini using Claude, Anthropic"}], "descriptions": [{"lang": "en", "value": "Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.\n\nAs kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel.\n\nIn userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-03-26T06:21:12.735Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4747", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T13:30:18.388029Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:30:13.640Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.\n\nAs kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel.\n\nIn userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system."}], "id": "CVE-2026-4747", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T07:16:20.670", "references": [{"source": "secteam@freebsd.org", "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "secteam@freebsd.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[15.0-RELEASE,p5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[14.4-RELEASE,p1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[14.3-RELEASE,p10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[13.5-RELEASE,p11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FreeBSD", "source": "cna", "vendor": "FreeBSD"}, "product": "freebsd", "vendor": "freebsd"}], "analysis": {"en": {"generated_at": "2026-03-26T08:22:03.660314+00:00", "value": {"mitigation_remediation": ["Apply the latest FreeBSD security update that patches the RPCSEC_GSS stack overflow.", "If an update cannot be applied immediately, unload or disable the kgssapi.ko kernel module to prevent the vulnerable implementation from being used.", "Restart the NFS service after unblocking kgssapi.ko to ensure the module is not loaded.", "Verify that the NFS server no longer exposes the RPCSEC_GSS protocol by checking module status and service configuration.", "Monitor system logs for anomalous RPCSEC_GSS traffic and access attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via stack overflow in RPCSEC_GSS packet validation"}, "threat_synthesis": {"affected_systems": "The flaw affects FreeBSD systems that load the kgssapi.ko kernel module and run NFS services. User\u2011space applications that include librpcgss_sec and expose an RPC server are also vulnerable if they are running on a FreeBSD host with the vulnerable module present. Only the FreeBSD base distribution is mentioned; no other vendors or products are listed.", "description_and_impact": "A stack overflow occurs when RPCSEC_GSS validates network packets. The routine copies part of the packet into a stack buffer that is not sized properly, allowing a malicious client to overflow the buffer. The overflow can lead to remote code execution in the FreeBSD kernel or user-space RPC servers that rely on librpcgss_sec. No prior authentication is required for the overflow, but kernel RCE requires the sender to have authenticated access to the NFS server while the kgssapi.ko module is loaded.", "risk_and_exploitability": "Given that remote code execution is possible without prior authentication during packet validation, this vulnerability presents a high risk. The CVSS score is not stated, but the presence of a stack buffer overflow with execution potential indicates a critical severity. EPSS data is unavailable, and the flaw is not in CISA's KEV catalog. An attacker with network access to an NFS service that loads kgssapi.ko can craft a packet to trigger the overflow, thereby gaining kernel\u2011level privileges on the target system."}}}}, "created": "2026-03-26T11:30:16.555698+00:00", "updated": "2026-03-26T12:08:21.037273+00:00", "vendors": ["freebsd", "freebsd$PRODUCT$freebsd"]}