Cyber Posture

CVE-2026-4747

High · Public PoC · Updated

Published: 26 March 2026

Modified: 20 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4747 is a high-severity stack-based buffer overflow (CWE-121) vulnerability in FreeBSD. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 27.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Directly remediates the stack buffer overflow by applying vendor patches to the kgssapi.ko module and librpcgss_sec as specified in the FreeBSD security advisory.

prevent

Mandates validation of RPCSEC_GSS packet data, including size bounds checks before copying into stack buffers, preventing the overflow trigger.

prevent

Provides runtime mitigations such as stack canaries and non-executable memory to block remote code execution through exploitation of the buffer overflow.

MITRE ATT&CK Enterprise Techniques · AI

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability is a remote buffer overflow in RPCSEC_GSS for NFS/RPC services, enabling remote code execution from low-privilege access (T1210: Exploitation of Remote Services) and kernel RCE for privilege escalation (T1068: Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.

Deeper analysis · AI

CVE-2026-4747 is a stack-based buffer overflow vulnerability (CWE-121) in the RPCSEC_GSS packet validation routine, which copies data from a packet into a stack buffer without ensuring adequate size. This affects the kgssapi.ko kernel module's RPCSEC_GSS implementation in FreeBSD systems, as well as userspace applications that load librpcgss_sec and run RPC servers. The issue allows a malicious client to trigger the overflow without prior authentication. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with low privileges (PR:L) can exploit this against a vulnerable FreeBSD NFS server while kgssapi.ko is loaded, sending crafted RPCSEC_GSS packets over the network to achieve remote code execution in the kernel. In userspace, any unauthenticated client able to reach an RPC server using librpcgss_sec can trigger remote code execution, though no such applications are known in the FreeBSD base system.

The FreeBSD security advisory (FreeBSD-SA-26:08.rpcsec_gss.asc) provides details on patches and mitigation. Additional technical publications and a proof-of-concept exploit are available in the referenced GitHub repositories.

Details

CWE(s)

Affected Products

freebsd / freebsd: 13.5, 14.3, 14.4, 15.0

CVEs Like This One

CVE-2026-39457 · Same product: Freebsd Freebsd
CVE-2026-6386 · Same product: Freebsd Freebsd
CVE-2026-7270 · Same product: Freebsd Freebsd
CVE-2026-5398 · Same product: Freebsd Freebsd
CVE-2026-3038 · Same product: Freebsd Freebsd
CVE-2026-35547 · Same product: Freebsd Freebsd
CVE-2025-15576 · Same product: Freebsd Freebsd
CVE-2025-15547 · Same product: Freebsd Freebsd
CVE-2026-4652 · Same product: Freebsd Freebsd
CVE-2026-2261 · Same product: Freebsd Freebsd

References