CVE-2026-4747
Status: Received - Intake
Stack Overflow in kgssapi.ko RPCSEC_GSS Enables RCE

Publication date: 2026-03-26

Last updated on: 2026-04-20

Assigner: FreeBSD

Description
Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.
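The defect the description outlines (a client-chosen length copied into a fixed stack buffer without checking that the buffer can hold it) in an added C example that is not FreeBSD's kgssapi or librpcgss_sec code: a bounded copy of an XDR opaque checksum, with the capacity check the advisory says was missing, run over constructed packets. MAX_SIG_LEN, the function names and the sample bytes are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SIG_LEN 64   /* assumed stack-buffer size for this example, not FreeBSD's */

/* Read a 4-byte big-endian XDR unsigned int. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hardened copy of an XDR opaque checksum into a caller-supplied buffer.
 * The advisory's bug is the absence of the out_cap comparison below: the
 * client-chosen length went straight into the copy onto the stack.
 * Returns the checksum length, or -1 if the opaque is malformed. */
int copy_sig_checked(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL || pkt_len < 4)
        return -1;                 /* too short to hold the length field */
    uint32_t len = xdr_u32(pkt);
    if (len > out_cap)
        return -1;                 /* would overflow the stack buffer */
    if (len > pkt_len - 4)
        return -1;                 /* would read past the end of the packet */
    memcpy(out, pkt + 4, len);
    return (int)len;
}

/* Constructed test vectors: expected MIC and RPCSEC_GSS-style opaques
 * (4-byte length prefix followed by the checksum bytes). */
static const uint8_t expected_mic[8] = {1, 2, 3, 4, 5, 6, 7, 8};
const uint8_t sample_good[]      = {0, 0, 0, 8, 1, 2, 3, 4, 5, 6, 7, 8};
const uint8_t sample_oversized[] = {0, 0, 4, 0, 1, 2, 3, 4};   /* claims 1024 bytes */
const uint8_t sample_truncated[] = {0, 0, 0, 8, 1, 2, 3};      /* claims 8, carries 3 */
const uint8_t sample_wrong_mic[] = {0, 0, 0, 8, 9, 9, 9, 9, 9, 9, 9, 9};

/* Verify a packet's checksum against expected_mic: bounded copy into a
 * stack buffer, then a constant-time compare.  True only on a match. */
bool verify_packet(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t sig[MAX_SIG_LEN];
    int n = copy_sig_checked(pkt, pkt_len, sig, sizeof sig);
    if (n != (int)sizeof expected_mic)
        return false;
    uint8_t diff = 0;
    for (size_t i = 0; i < sizeof expected_mic; i++)
        diff |= sig[i] ^ expected_mic[i];
    return diff == 0;
}
```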
Meta Information
Published: 2026-03-26
Last Modified: 2026-04-20
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
29 associated CPEs, collapsed to distinct versions:
Vendor Product Version / Range
freebsd freebsd 13.5
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 15.0
CWE
CWE-121: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4747 is a critical vulnerability in FreeBSD's RPCSEC_GSS implementation that allows unauthenticated remote attackers to execute code. The issue arises because a routine that validates RPCSEC_GSS data packets copies part of the packet into a fixed-size stack buffer without checking if the buffer is large enough. This leads to a stack-based buffer overflow.

The vulnerability affects both the kernel module kgssapi.ko, used by the NFS server, and userspace applications using the librpcgss_sec library. In the kernel, an attacker can send crafted packets to trigger remote code execution if the kgssapi.ko module is loaded. In userspace, any RPC server linked with librpcgss_sec is vulnerable to remote code execution from any client able to send packets, although no such vulnerable applications are known in the FreeBSD base system.


How can this vulnerability impact me?

This vulnerability can lead to remote code execution on affected FreeBSD systems without requiring the attacker to authenticate first.

  • In the kernel, if the kgssapi.ko module is loaded, a malicious client can send specially crafted packets to the NFS server to execute arbitrary code with kernel privileges.
  • In userspace, any RPC server linked with the librpcgss_sec library can be exploited by remote attackers to execute arbitrary code, although no such vulnerable applications are known in the FreeBSD base system.

Systems without the kgssapi.ko module loaded are not vulnerable. There is no workaround other than upgrading to patched versions or ensuring the vulnerable module is not loaded.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability exists in the FreeBSD kernel module kgssapi.ko and in userspace applications linked with librpcgss_sec. Detection involves checking if the kgssapi.ko module is loaded on your system, as systems without this module loaded are not vulnerable.

To detect if the vulnerable kernel module is loaded, you can use the following command on FreeBSD systems:

  • kldstat | grep kgssapi

If the output shows kgssapi.ko loaded, your system is potentially vulnerable.

Additionally, monitoring network traffic for suspicious or malformed RPCSEC_GSS packets targeting the NFS server could help detect exploitation attempts, but no specific detection commands or signatures are provided.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to ensure that the vulnerable kgssapi.ko kernel module is not loaded on your system, as systems without this module loaded are not vulnerable.

If the module is required, immediate steps include upgrading your FreeBSD system to a patched version released after March 26, 2026.

  • Use 'pkg upgrade' if your system was installed from base system packages.
  • Use 'freebsd-update' if your system was installed from binary distribution sets.
  • Alternatively, apply the verified source code patches provided in the advisory, then recompile and reboot your system.

No other workarounds exist besides removing the module or applying the patches and updates.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of CVE-2026-4747 on compliance with common standards and regulations such as GDPR or HIPAA.

