CVE-2026-4747

HIGH EPSS 77.3%
Published Mar 26, 20263mo ago · Modified Jun 17, 20261w ago
8.8 CVSS 3.1
High
Find Similar
Published Mar 26, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
77.3% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-121

Affected Products 29

VendorProductVersionRange
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd13.5any
freebsdfreebsd14.3any
freebsdfreebsd14.3any
freebsdfreebsd14.3any
freebsdfreebsd14.3any
freebsdfreebsd14.3any
freebsdfreebsd14.3any
freebsdfreebsd14.3any
freebsdfreebsd14.3any
freebsdfreebsd14.3any
freebsdfreebsd14.3any
freebsdfreebsd14.4any
freebsdfreebsd14.4any
freebsdfreebsd15.0any
freebsdfreebsd15.0any
freebsdfreebsd15.0any
freebsdfreebsd15.0any
freebsdfreebsd15.0any

References 3

  • github.com https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/exploit.py
    Exploit
  • github.com https://github.com/califio/publications/tree/main/MADBugs/CVE-2026-4747
    ExploitThird Party Advisory
  • security.freebsd.org https://security.freebsd.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.