Cyber Posture

CVE-2026-4747

High · Public PoC

Published: 26 March 2026
Modified: 20 April 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.5th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.
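The defect class described above is a fixed-size stack buffer receiving a client-controlled number of bytes without a capacity check. The following C program is an added illustration of the hardened pattern and is not code from FreeBSD's kgssapi or librpcgss_sec: it treats the signature field as an XDR-style length-prefixed blob, which is an assumption, and it rejects a packet unless the declared length fits both inside the packet and inside the destination buffer. The packet layout, the 64-byte capacity and the helper names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical capacity of the fixed-size stack buffer the verifier fills. */
#define MAX_MIC_LEN 64

/* Read a 4-byte big-endian length (XDR style) at `off`, refusing to read past `len`. */
static int read_u32_be(const uint8_t *buf, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4)
        return -1;
    *out = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
    return 0;
}

/* Hardened copy of the length-prefixed signature at `mic_off` into `out`.
 * The unchecked pattern copies `declared` bytes straight into the stack buffer;
 * here the copy happens only after two bounds checks.
 * Returns the number of bytes copied, or -1 if the packet is rejected. */
int extract_mic_checked(const uint8_t *pkt, size_t pkt_len, size_t mic_off,
                        uint8_t *out, size_t out_cap) {
    uint32_t declared;
    if (read_u32_be(pkt, pkt_len, mic_off, &declared) != 0)
        return -1;
    size_t data_off = mic_off + 4;      /* read_u32_be guarantees data_off <= pkt_len */
    if (declared > pkt_len - data_off)  /* 1. field must lie inside the packet */
        return -1;
    if (declared > out_cap)             /* 2. field must fit the destination buffer */
        return -1;
    memcpy(out, pkt + data_off, declared);
    return (int)declared;
}

/* Validation routine with the fixed-size stack buffer that must be protected.
 * Returns 1 if the packet is accepted, 0 if it is rejected. */
int validate_packet(const uint8_t *pkt, size_t pkt_len) {
    uint8_t mic[MAX_MIC_LEN];
    int n = extract_mic_checked(pkt, pkt_len, 4, mic, sizeof mic);
    if (n < 0)
        return 0;
    /* The actual signature check over mic[0..n) would follow here (omitted). */
    return 1;
}

/* Build a constructed test packet (not a real RPCSEC_GSS encoding):
 * [4-byte header][4-byte big-endian declared length][actual_payload bytes of 0xAB].
 * Returns the total length, or 0 if it does not fit in `buf`. */
size_t build_test_packet(uint8_t *buf, size_t cap, uint32_t declared_len, size_t actual_payload) {
    size_t total = 8 + actual_payload;
    if (total > cap)
        return 0;
    buf[0] = 0; buf[1] = 0; buf[2] = 0; buf[3] = 1;   /* constructed header word */
    buf[4] = (uint8_t)(declared_len >> 24);
    buf[5] = (uint8_t)(declared_len >> 16);
    buf[6] = (uint8_t)(declared_len >> 8);
    buf[7] = (uint8_t)declared_len;
    memset(buf + 8, 0xAB, actual_payload);
    return total;
}

/* Build one scenario and run it through validate_packet.
 * Returns 1 (accepted), 0 (rejected) or -1 if the scenario could not be built. */
int scenario(uint32_t declared_len, size_t actual_payload) {
    uint8_t buf[512];
    size_t n = build_test_packet(buf, sizeof buf, declared_len, actual_payload);
    if (n == 0)
        return -1;
    return validate_packet(buf, n);
}

int main(void) {
    printf("declared 16, payload 16   -> %d (expect 1)\n", scenario(16, 16));
    printf("declared 64, payload 64   -> %d (expect 1)\n", scenario(64, 64));
    printf("declared 200, payload 200 -> %d (expect 0, exceeds stack buffer)\n", scenario(200, 200));
    printf("declared 200, payload 16  -> %d (expect 0, overruns packet)\n", scenario(200, 16));
    return 0;
}
```

The two checks are deliberately separate: the first stops an over-read past the end of the received packet, the second stops the stack write the advisory describes. Dropping either one reintroduces a memory-safety bug, and a reviewer auditing a length-prefixed parser should look for both.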

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly remediates the stack buffer overflow by applying vendor patches to the kgssapi.ko module and librpcgss_sec as specified in the FreeBSD security advisory.

prevent: Mandates validation of RPCSEC_GSS packet data, including size bounds checks before copying into stack buffers, preventing the overflow trigger.

prevent: Provides runtime mitigations like stack canaries and non-executable memory to block remote code execution from the buffer overflow exploitation.

Security Summary [AI-generated]

CVE-2026-4747 is a stack-based buffer overflow vulnerability (CWE-121) in the RPCSEC_GSS packet validation routine, which copies data from a packet into a stack buffer without ensuring adequate size. This affects the kgssapi.ko kernel module's RPCSEC_GSS implementation in FreeBSD systems, as well as userspace applications that load librpcgss_sec and run RPC servers. The issue allows a malicious client to trigger the overflow without prior authentication. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated user with low privileges (PR:L) can exploit this against a vulnerable FreeBSD NFS server while kgssapi.ko is loaded, sending crafted RPCSEC_GSS packets over the network to achieve remote code execution in the kernel. In userspace, any unauthenticated client able to reach an RPC server using librpcgss_sec can trigger remote code execution, though no such applications are known in the FreeBSD base system.

The FreeBSD security advisory (FreeBSD-SA-26:08.rpcsec_gss.asc) provides details on patches and mitigation. Additional technical publications and a proof-of-concept exploit are available in the referenced GitHub repositories.

Details

CWE(s): CWE-121 (Stack-based Buffer Overflow)

Affected Products

freebsd (vendor) / freebsd (product): 13.5, 14.3, 14.4, 15.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a remote buffer overflow in RPCSEC_GSS for NFS/RPC services, enabling remote code execution from low-privilege access (T1210: Exploitation of Remote Services) and kernel RCE for privilege escalation (T1068: Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References