What is CVE-2026-4747?

CVE-2026-4747 is a security vulnerability identified in freebsd-src. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2026-4747?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2026-4747.

How can I protect against CVE-2026-4747?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2026-4747.

REPORT / 01

Analysis Report · freebsd-src release/14.4.0 → release/14.4.0-p1 — CVE-2026-4747

Shared security patch analysis results

mode patchdiff ai copilot oswe-vscode-prime

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2026-4747 NVD

AI-Generated Analysis

## 1. Vulnerability Background

What is this vulnerability?

- CVE-2026-4747 is a stack-based buffer overflow in the RPCSEC_GSS packet validation path.
- The vulnerability exists in two code paths:
  - kernel-side `sys/rpc/rpcsec_gss/svc_rpcsec_gss.c`
  - userland-side `lib/librpcsec_gss/svc_rpcsec_gss.c`
- Both paths reconstruct the RPC header and then copy RPC authentication payload bytes into a fixed-size stack buffer without checking that the length reported in the packet fits.

Why is it critical/important?

- RPCSEC_GSS is used to secure RPC services, including NFS on FreeBSD.
- The vulnerability is exploitable before the client is authenticated, meaning a malformed packet can be processed by the packet parser regardless of valid credentials.
- In the kernel path, exploitation can lead to remote code execution in the kernel, which is a complete system compromise.
- In the userland path, any RPC server linked against `librpcsec_gss` and accepting RPCSEC_GSS packets can be remotely compromised.
- The bug is in a network-facing parsing routine, making it high-risk for remote exploitation.

What systems/versions are affected?

- FreeBSD 14.4-RELEASE and derivatives prior to the patch applied in 14.4-RELEASE-p1.
- Systems with `kgssapi.ko` loaded and running NFS or other RPCSEC_GSS-backed services.
- Userland applications that load `librpcsec_gss` and expose an RPC server using RPCSEC_GSS.
- FreeBSD base system is not known to include vulnerable userland RPC servers, but third-party software using the library may be affected.

## 2. Technical Details

Root cause analysis

- The vulnerable code reconstructs an RPC header into a local buffer `rpchdr`.
- It then reads the credential block from `msg->rm_call.cb_cred`.
- It stores `oa->oa_length` into the packet and copies `oa->oa_base` into `rpchdr` using `memcpy`.
- There is no check that `oa->oa_length` is small enough to fit in the remaining bytes of `rpchdr`.
- As a result, an attacker-controlled `oa_length` can cause `memcpy` to overflow the stack buffer.

Attack vector and exploitation conditions

- The attacker must send a crafted RPCSEC_GSS packet to a vulnerable RPC service.
- For the kernel path:
  - `kgssapi.ko` must be loaded.
  - The target must be running an NFS server or another kernel-handled RPCSEC_GSS service.
  - The attacker must be able to reach the service over the network.
- For the userland path:
  - A target RPC server must use `librpcsec_gss`.
  - Any client that can send RPCSEC_GSS packets to that service is potentially able to exploit it.
- The packet can be malformed in the authentication credential length field, leading to overflow before authentication is verified.

Security implications

- Remote code execution:
  - Kernel path: arbitrary code execution in kernel context, full system compromise.
  - Userland path: arbitrary code execution in the process hosting the RPC server.
- Denial of service:
  - Stack corruption can cause crashes, kernel panics, or service termination.
- Lack of prior authentication:
  - The bug is exploitable without a valid authenticated client state, increasing exposure.
- Attackers may be able to use this bug for lateral movement or privilege escalation in environments with exposed RPCSEC_GSS services.

## 3. Patch Analysis

What code changes were made?

- In both vulnerable files, a bounds check was inserted before the header reconstruction and `memcpy`.
- New code:
  - reads `oa = &msg->rm_call.cb_cred;`
  - checks `if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT)`
  - logs a debug message when the length exceeds the allowed maximum
  - marks the client as stale and returns `FALSE`
- This check appears in:
  - `lib/librpcsec_gss/svc_rpcsec_gss.c`
  - `sys/rpc/rpcsec_gss/svc_rpcsec_gss.c`

How do these changes fix the vulnerability?

- They ensure the credential blob length cannot exceed the space remaining in the fixed-size stack buffer after the RPC header fields have been placed there.
- If the reported credential length is too large, the routine aborts before the unsafe `memcpy`.
- This converts an unbounded stack copy into a guarded operation.

Security improvements introduced

- Added explicit validation of untrusted packet metadata.
- Prevented a classic stack buffer overflow in a network-facing parsing routine.
- Reduced attack surface by refusing malformed RPCSEC_GSS packets early.
- Improved error handling by marking the client stale rather than continuing with corrupted state.

## 4. Proof of Concept (PoC) Guide

Prerequisites for exploitation

- A vulnerable FreeBSD 14.4 system or equivalent build without the patch.
- `kgssapi.ko` loaded and NFS or another RPCSEC_GSS service active, or a userland RPC server using `librpcsec_gss`.
- Network access to the target service.
- Ability to send crafted RPCSEC_GSS packets.

Step-by-step exploitation approach

- Identify a reachable RPCSEC_GSS endpoint on the target.
- Construct an RPC call packet with:
  - valid RPC header fields
  - `rm_call.cb_cred.oa_flavor` set to RPCSEC_GSS flavor
  - `rm_call.cb_cred.oa_length` set to an oversized value larger than `sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT`
  - a payload buffer of corresponding size
- Transmit the malformed packet to the target service over the appropriate transport (TCP/UDP).
- Observe the target’s response or crash behavior.

Expected behavior vs exploited behavior

- Expected behavior:
  - a correct implementation rejects invalid auth lengths
  - the service should log an error or ignore the packet without crashing
- Exploited behavior:
  - the unchecked `memcpy` overruns the stack buffer
  - memory corruption occurs
  - the target may crash, panic, or potentially execute attacker-controlled code

How to verify the vulnerability exists

- Check FreeBSD version and patch level; unpatched 14.4-RELEASE is vulnerable.
- Inspect source or binary for the absence of the new `oa_length` bounds check.
- Attempt to send a malformed RPCSEC_GSS packet in a controlled lab:
  - if the target crashes or the service drops unexpectedly, the vulnerability is likely present
  - if the target logs a debug message and cleanly rejects the packet, the patch may already be present
- Review `UPDATING` advisory SA-26:08.rpcsec_gss for confirmation of the fix.

## 5. Recommendations

Mitigation strategies

- Apply the FreeBSD patch or upgrade to 14.4-RELEASE-p1 or later.
- If patching is not immediately possible:
  - disable NFS or other RPCSEC_GSS services
  - unload `kgssapi.ko` if it is not required
  - restrict access to RPC ports with firewall rules

Detection methods

- Monitor kernel logs and system messages for RPCSEC_GSS validation failures and client stale events.
- Watch for unexpected process termination or kernel oops in NFS/RPC paths.
- Deploy IDS/IPS rules that detect malformed RPCSEC_GSS packets with suspiciously large auth lengths.
- Audit systems for loaded `kgssapi.ko` and active RPCSEC_GSS services.

Best practices to prevent similar issues

- Always validate length fields before copying data from network packets.
- Avoid copying untrusted inputs into fixed-size stack buffers without explicit bounds checks.
- Treat authentication metadata as untrusted until it has been fully validated.
- Use defensive programming patterns in protocol parsers: explicit size limits, safe copy primitives, and early rejection of malformed messages.
- Maintain timely application of security advisories and kernel patches.

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

UPDATING AI: 3 vulnerabilities 1 false positive(s), 2 true positive(s) CVE-2026-4747

--- cache/freebsd-src_release_14.4.0/UPDATING	2026-04-21 05:53:17.278325585 +0000+++ cache/freebsd-src_release_14.4.0-p1/UPDATING	2026-04-21 05:54:13.418370739 +0000@@ -12,6 +12,17 @@ /usr/ports/UPDATING.  Please read that file before updating system packages and/or ports. +20260325:+	14.4-RELEASE-p1	SA-26:06.tcp+			SA-26:08.rpcsec_gss+			SA-26:09.pf++	TCP: remotely exploitable DoS vector (mbuf leak). [SA-26:06.tcp]++	Remote code execution via RPCSEC_GSS packet validation. [SA-26:08.rpcsec_gss]++	pf silently ignores certain rules. [SA-26:09.pf]+ 20260310: 	14.4-RELEASE.

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
SA-26:06.tcp UPDATING lines 12-17
Old Code:
 /usr/ports/UPDATING.  Please read that file before updating system packages
 and/or ports.
 20260310:
 	14.4-RELEASE.
Fixed Code:
 /usr/ports/UPDATING.  Please read that file before updating system packages
 and/or ports.
 20260325:
 	14.4-RELEASE-p1	SA-26:06.tcp
 			SA-26:08.rpcsec_gss
 			SA-26:09.pf
 	TCP: remotely exploitable DoS vector (mbuf leak). [SA-26:06.tcp]
 20260310:
 	14.4-RELEASE.

Vulnerability Existed: yes
FALSE POSITIVE
SA-26:08.rpcsec_gss UPDATING lines 12-17
Old Code:
 /usr/ports/UPDATING.  Please read that file before updating system packages
 and/or ports.
 20260310:
 	14.4-RELEASE.
Fixed Code:
 /usr/ports/UPDATING.  Please read that file before updating system packages
 and/or ports.
 20260325:
 	14.4-RELEASE-p1	SA-26:06.tcp
 			SA-26:08.rpcsec_gss
 			SA-26:09.pf
 	Remote code execution via RPCSEC_GSS packet validation. [SA-26:08.rpcsec_gss]
 20260310:
 	14.4-RELEASE.

Vulnerability Existed: yes
TRUE POSITIVE
SA-26:09.pf UPDATING lines 12-17
Old Code:
 /usr/ports/UPDATING.  Please read that file before updating system packages
 and/or ports.
 20260310:
 	14.4-RELEASE.
Fixed Code:
 /usr/ports/UPDATING.  Please read that file before updating system packages
 and/or ports.
 20260325:
 	14.4-RELEASE-p1	SA-26:06.tcp
 			SA-26:08.rpcsec_gss
 			SA-26:09.pf
 	pf silently ignores certain rules. [SA-26:09.pf]
 20260310:
 	14.4-RELEASE.

CVE Analysis Results:

CVE-2026-4747: Yes

View CVE Description

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.

lib/librpcsec_gss/svc_rpcsec_gss.c AI: 1 vulnerabilities 1 true positive(s) CVE-2026-4747

--- cache/freebsd-src_release_14.4.0/lib/librpcsec_gss/svc_rpcsec_gss.c	2026-04-21 05:53:22.978731814 +0000+++ cache/freebsd-src_release_14.4.0-p1/lib/librpcsec_gss/svc_rpcsec_gss.c	2026-04-21 05:54:18.986776678 +0000@@ -758,6 +758,14 @@ 	 	memset(rpchdr, 0, sizeof(rpchdr)); +	oa = &msg->rm_call.cb_cred;++	if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {+		log_debug("auth length %d exceeds maximum", oa->oa_length);+		client->cl_state = CLIENT_STALE;+		return (FALSE);+	}+ 	/* Reconstruct RPC header for signing (from xdr_callmsg). */ 	buf = rpchdr; 	IXDR_PUT_LONG(buf, msg->rm_xid);@@ -766,7 +774,6 @@ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);-	oa = &msg->rm_call.cb_cred; 	IXDR_PUT_ENUM(buf, oa->oa_flavor); 	IXDR_PUT_LONG(buf, oa->oa_length); 	if (oa->oa_length) {

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Unchecked authentication length leading to stack buffer overflow lib/librpcsec_gss/svc_rpcsec_gss.c lines ~758-774
Old Code
    memset(rpchdr, 0, sizeof(rpchdr));
 
    /* Reconstruct RPC header for signing (from xdr_callmsg). */
    buf = rpchdr;
    IXDR_PUT_LONG(buf, msg->rm_xid);
    IXDR_PUT_ENUM(buf, msg->rm_direction);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
    oa = &msg->rm_call.cb_cred;
    IXDR_PUT_ENUM(buf, oa->oa_flavor);
    IXDR_PUT_LONG(buf, oa->oa_length);
    if (oa->oa_length) {
        memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
        buf += RNDUP(oa->oa_length) / sizeof(int32_t);
    }
Fixed Code
    memset(rpchdr, 0, sizeof(rpchdr));
 
    oa = &msg->rm_call.cb_cred;
 
    if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
        log_debug("auth length %d exceeds maximum", oa->oa_length);
        client->cl_state = CLIENT_STALE;
        return (FALSE);
    }
 
    /* Reconstruct RPC header for signing (from xdr_callmsg). */
    buf = rpchdr;
    IXDR_PUT_LONG(buf, msg->rm_xid);
    IXDR_PUT_ENUM(buf, msg->rm_direction);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
    IXDR_PUT_ENUM(buf, oa->oa_flavor);
    IXDR_PUT_LONG(buf, oa->oa_length);
    if (oa->oa_length) {
        memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
        buf += RNDUP(oa->oa_length) / sizeof(int32_t);
    }

CVE Analysis Results:

CVE-2026-4747: Yes

View CVE Description

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.

sys/rpc/rpcsec_gss/svc_rpcsec_gss.c AI: 1 vulnerabilities 1 true positive(s) CVE-2026-4747

--- cache/freebsd-src_release_14.4.0/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c	2026-04-21 05:53:27.871080460 +0000+++ cache/freebsd-src_release_14.4.0-p1/sys/rpc/rpcsec_gss/svc_rpcsec_gss.c	2026-04-21 05:54:24.011142881 +0000@@ -1107,6 +1107,15 @@ 	 	memset(rpchdr, 0, sizeof(rpchdr)); +	oa = &msg->rm_call.cb_cred;++	if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {+		rpc_gss_log_debug("auth length %d exceeds maximum",+		    oa->oa_length);+		client->cl_state = CLIENT_STALE;+		return (FALSE);+	}+ 	/* Reconstruct RPC header for signing (from xdr_callmsg). */ 	buf = rpchdr; 	IXDR_PUT_LONG(buf, msg->rm_xid);@@ -1115,7 +1124,6 @@ 	IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); 	IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); 	IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);-	oa = &msg->rm_call.cb_cred; 	IXDR_PUT_ENUM(buf, oa->oa_flavor); 	IXDR_PUT_LONG(buf, oa->oa_length); 	if (oa->oa_length) {

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Buffer overflow (unchecked auth length) sys/rpc/rpcsec_gss/svc_rpcsec_gss.c 1107-1116
[Old Code]
    /* Reconstruct RPC header for signing (from xdr_callmsg). */
    buf = rpchdr;
    IXDR_PUT_LONG(buf, msg->rm_xid);
    IXDR_PUT_ENUM(buf, msg->rm_direction);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
    oa = &msg->rm_call.cb_cred;
    IXDR_PUT_ENUM(buf, oa->oa_flavor);
    IXDR_PUT_LONG(buf, oa->oa_length);
    if (oa->oa_length) {
        memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
        buf += RNDUP(oa->oa_length) / sizeof(int32_t);
    }
[Fixed Code]
    oa = &msg->rm_call.cb_cred;
    if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
        rpc_gss_log_debug("auth length %d exceeds maximum",
            oa->oa_length);
        client->cl_state = CLIENT_STALE;
        return (FALSE);
    }

    /* Reconstruct RPC header for signing (from xdr_callmsg). */
    buf = rpchdr;
    IXDR_PUT_LONG(buf, msg->rm_xid);
    IXDR_PUT_ENUM(buf, msg->rm_direction);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_rpcvers);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
    IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
    IXDR_PUT_ENUM(buf, oa->oa_flavor);
    IXDR_PUT_LONG(buf, oa->oa_length);
    if (oa->oa_length) {
        memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
        buf += RNDUP(oa->oa_length) / sizeof(int32_t);
    }

CVE Analysis Results:

CVE-2026-4747: Yes

View CVE Description

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.

Showing 1 to 3 of 3 results