CVE-2026-4247
Published: 26 March 2026
Summary
CVE-2026-4247 is a high-severity Missing Release of Memory after Effective Lifetime (CWE-401) vulnerability in Freebsd Freebsd. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely application of vendor patches directly remediates the tcp_respond() mbuf leak vulnerability, preventing exploitation via crafted TCP packets.
Denial-of-service protections such as rate limiting on TCP connections directly mitigate the ability of attackers to send excessive crafted packets that exceed limits and trigger mbuf leaks.
Resource availability protections monitor and mitigate memory exhaustion caused by repeated mbuf leaks from the TCP stack vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Memory leak in FreeBSD TCP stack (tcp_respond) is directly exploitable via crafted TCP packets to exhaust mbuf memory and cause endpoint DoS; maps precisely to application/system exploitation subtechnique.
NVD Description
When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf. If an attacker…
more
is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf. Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.
Deeper analysisAI
CVE-2026-4247 is a memory leak vulnerability (CWE-401) in the FreeBSD TCP stack, specifically within the tcp_respond() function. When the function determines that a challenge ACK should not be sent, it returns without consuming the input mbuf, resulting in a leak. This issue affects FreeBSD systems and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high-impact availability disruption with low attack complexity.
Attackers on path with an established TCP connection, or those able to establish their own TCP connection to the affected FreeBSD host, can craft packets meeting the challenge ACK criteria to trigger mbuf leaks for each packet exceeding the configured rate limit (default: first 5 within 1 second). Off-path attackers can also exploit this by guessing IP addresses, TCP ports, and sequence numbers to spoof packets toward the host, though this is technically more challenging. Exploitation causes progressive memory exhaustion through repeated mbuf leaks, enabling denial-of-service.
The FreeBSD Security Advisory FreeBSD-SA-26:06.tcp, available at https://security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc, provides details on patches and mitigation measures.
Details
- CWE(s)