CVE-2026-4247
Received Received - Intake
Memory Leak in FreeBSD TCP Challenge ACK Handling Allows Resource Exhaustion

Publication date: 2026-03-26

Last updated on: 2026-04-30

Assigner: FreeBSD

Description
When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf. If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf. Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-30
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4247
EUVD
EUVD-2026-16128
Affected Vendors & Products
Showing 17 associated CPEs
Vendor Product Version / Range
freebsd freebsd 15.0
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 15.0
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-401 The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the FreeBSD TCP stack when handling challenge ACK TCP segments. Normally, when a challenge ACK is sent, the system properly consumes the associated memory buffer (mbuf). However, if the challenge ACK is not sent due to rate limiting, the function returns without freeing the mbuf, causing a memory leak.

An attacker who is on the network path or can establish a TCP connection to the affected FreeBSD machine can send specially crafted TCP packets that trigger this behavior. Packets exceeding the configured rate limit (default is 5 packets per second) cause the system to leak one mbuf per excess packet.

Off-path attackers can also exploit this by guessing IP addresses, TCP ports, and sequence numbers to spoof packets, but this is more difficult.

Impact Analysis

The vulnerability can lead to resource exhaustion on the affected FreeBSD system because each crafted packet exceeding the rate limit causes a memory buffer (mbuf) leak.

This resource exhaustion can result in a denial-of-service (DoS) condition, potentially making the system unresponsive or unstable.

Detection Guidance

This vulnerability involves a memory buffer (mbuf) leak in the FreeBSD TCP stack triggered by crafted TCP packets that cause challenge ACKs to be rate limited. Detection involves monitoring for unusual TCP challenge ACK behavior or mbuf resource exhaustion on affected FreeBSD systems.

While the advisory does not provide explicit detection commands, you can monitor system resource usage related to mbufs and TCP connections using standard FreeBSD commands such as:

  • netstat -m (to monitor mbuf usage and detect leaks)
  • netstat -s tcp (to view TCP statistics including challenge ACKs)
  • tcpdump or packet capture tools to analyze TCP packets and identify unusual challenge ACK traffic patterns

Additionally, reviewing the sysctl parameters related to challenge ACK rate limiting can help understand if the system is under attack:

  • sysctl net.inet.tcp.ack_war_timewindow
  • sysctl net.inet.tcp.ack_war_cnt
Mitigation Strategies

The immediate mitigation step is to disable the rate limiting of challenge ACKs, which prevents the mbuf leak by ensuring all challenge ACKs are sent and mbufs are properly consumed.

This can be done by setting the following sysctl parameter:

  • sysctl net.inet.tcp.ack_war_timewindow=0

Disabling the 1-second window causes challenge ACKs to be sent for all qualifying packets, eliminating the leak but potentially increasing CPU and resource usage.

To make this change persistent across reboots, add the setting to /etc/sysctl.conf.

The long-term solution is to upgrade FreeBSD to a version with the fix applied, using one of the following methods depending on your installation:

  • For base system packages: pkg upgrade -r FreeBSD-base, then reboot
  • For binary distribution sets: freebsd-update fetch and install, then reboot
  • For source-based systems: download and apply the patch, recompile the kernel, and reboot
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4247. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart