CVE-2026-4747 Exploit & Vulnerability Analysis

Complete CVE-2026-4747 security advisory with proof of concept (PoC), exploit details, and patch analysis for freebsd-src.

1. Vulnerability Background

What is this vulnerability?

  • CVE-2026-4747 is a stack-based buffer overflow in the RPCSEC_GSS packet validation path.
  • The vulnerability exists in two code paths:
    • kernel-side sys/rpc/rpcsec_gss/svc_rpcsec_gss.c
    • userland-side lib/librpcsec_gss/svc_rpcsec_gss.c
  • Both paths reconstruct the RPC header and then copy RPC authentication payload bytes into a fixed-size stack buffer without checking that the length reported in the packet fits.

Why is it critical/important?

  • RPCSEC_GSS is used to secure RPC services, including NFS on FreeBSD.
  • The vulnerability is exploitable before the client is authenticated: the parser processes the malformed packet whether or not it carries valid credentials.
  • In the kernel path, exploitation can lead to remote code execution in the kernel, which is a complete system compromise.
  • In the userland path, any RPC server linked against librpcsec_gss and accepting RPCSEC_GSS packets can be remotely compromised.
  • The bug is in a network-facing parsing routine, making it high-risk for remote exploitation.

What systems/versions are affected?

  • FreeBSD 14.4-RELEASE and derivatives prior to the patch applied in 14.4-RELEASE-p1.
  • Systems with kgssapi.ko loaded and running NFS or other RPCSEC_GSS-backed services.
  • Userland applications that load librpcsec_gss and expose an RPC server using RPCSEC_GSS.
  • The FreeBSD base system is not known to include vulnerable userland RPC servers, but third-party software using the library may be affected.

2. Technical Details

Root cause analysis

  • The vulnerable code reconstructs the RPC header into a local fixed-size buffer, rpchdr.
  • It then reads the credential block from msg->rm_call.cb_cred.
  • It writes oa->oa_length into rpchdr and then copies oa->oa_length bytes from oa->oa_base into rpchdr with memcpy.
  • There is no check that oa->oa_length fits in the bytes of rpchdr that remain after the header fields.
  • As a result, an attacker-controlled oa_length makes memcpy overflow the stack buffer.

Attack vector and exploitation conditions

  • The attacker must send a crafted RPCSEC_GSS packet to a vulnerable RPC service.
  • For the kernel path:
    • kgssapi.ko must be loaded.
    • The target must be running an NFS server or another kernel-handled RPCSEC_GSS service.
    • The attacker must be able to reach the service over the network.
  • For the userland path:
    • A target RPC server must use librpcsec_gss.
    • Any client that can send RPCSEC_GSS packets to that service is potentially able to exploit it.
  • The packet can be malformed in the authentication credential length field, leading to overflow before authentication is verified.

Security implications

  • Remote code execution:
    • Kernel path: arbitrary code execution in kernel context, full system compromise.
    • Userland path: arbitrary code execution in the process hosting the RPC server.
  • Denial of service:
    • Stack corruption can cause crashes, kernel panics, or service termination.
  • Lack of prior authentication:
    • The bug is exploitable without a valid authenticated client state, increasing exposure.
  • Attackers may be able to use this bug for lateral movement or privilege escalation in environments with exposed RPCSEC_GSS services.

3. Patch Analysis

What code changes were made?

  • In both vulnerable files, a bounds check was inserted before the header reconstruction and memcpy.
  • New code:
    • reads oa = &msg->rm_call.cb_cred;
    • checks if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT), i.e. whether the credential would exceed the space left after the eight 32-bit header words written before it
    • logs a debug message when the length exceeds the allowed maximum
    • marks the client as stale and returns FALSE
  • This check appears in:
    • lib/librpcsec_gss/svc_rpcsec_gss.c
    • sys/rpc/rpcsec_gss/svc_rpcsec_gss.c

How do these changes fix the vulnerability?

  • They ensure the credential blob length cannot exceed the space remaining in the fixed-size stack buffer after the RPC header fields have been placed there.
  • If the reported credential length is too large, the routine aborts before the unsafe memcpy.
  • This converts an unbounded stack copy into a guarded operation.
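As an added example (not FreeBSD's code), the C model below re-creates the header reconstruction described in the root-cause and patch sections above in its guarded form: the credential length is checked against the space left in the fixed-size rpchdr before memcpy runs. The 128-byte rpchdr size, the struct layouts and the eight header words written before the credential are assumptions modelled on the sunrpc layout, not values taken from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_XDR_UNIT 4
#define RNDUP(x) ((((x) + BYTES_PER_XDR_UNIT - 1) / BYTES_PER_XDR_UNIT) * BYTES_PER_XDR_UNIT)
#define RPCHDR_BYTES 128      /* assumed size of rpchdr; the advisory does not give it */
#define HDR_FIXED_UNITS 8     /* xid, direction, rpcvers, prog, vers, proc, flavor, length */

struct opaque_auth {          /* sunrpc-style credential block, as named in the advisory */
    uint32_t oa_flavor, oa_length;   /* oa_length comes straight from the wire packet */
    const uint8_t *oa_base;
};

struct rpc_call {             /* the call-header fields that get re-serialised */
    uint32_t xid, direction, rpcvers, prog, vers, proc;
    struct opaque_auth cb_cred;
};

static uint8_t *put_u32be(uint8_t *p, uint32_t v) {   /* IXDR_PUT_LONG equivalent */
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v;
    return p + 4;
}

/* Rebuild the header for GSS signature checking into rpchdr (RPCHDR_BYTES long).
 * Returns the serialised byte count, or 0 when the credential is rejected. */
size_t rebuild_rpc_header(const struct rpc_call *m, uint8_t rpchdr[RPCHDR_BYTES]) {
    const struct opaque_auth *oa = &m->cb_cred;
    uint8_t *buf = rpchdr;
    /* The check the patch adds: refuse before memcpy could overrun the buffer. */
    if (oa->oa_length > RPCHDR_BYTES - HDR_FIXED_UNITS * BYTES_PER_XDR_UNIT) {
        fprintf(stderr, "rpcsec_gss: cred length %u too large, marking client stale\n", oa->oa_length);
        return 0;
    }
    memset(rpchdr, 0, RPCHDR_BYTES);
    buf = put_u32be(buf, m->xid);
    buf = put_u32be(buf, m->direction);
    buf = put_u32be(buf, m->rpcvers);
    buf = put_u32be(buf, m->prog);
    buf = put_u32be(buf, m->vers);
    buf = put_u32be(buf, m->proc);
    buf = put_u32be(buf, oa->oa_flavor);
    buf = put_u32be(buf, oa->oa_length);
    if (oa->oa_length) {          /* bounded: at most RPCHDR_BYTES - 32 bytes */
        memcpy(buf, oa->oa_base, oa->oa_length);
        buf += RNDUP(oa->oa_length);   /* XDR opaque data is padded to 4 bytes */
    }
    return (size_t)(buf - rpchdr);
}
```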

Security improvements introduced

  • Added explicit validation of untrusted packet metadata.
  • Prevented a classic stack buffer overflow in a network-facing parsing routine.
  • Reduced attack surface by refusing malformed RPCSEC_GSS packets early.
  • Improved error handling by marking the client stale rather than continuing with corrupted state.

4. Proof of Concept (PoC) Guide

Prerequisites for exploitation

  • A vulnerable FreeBSD 14.4 system or equivalent build without the patch.
  • kgssapi.ko loaded and NFS or another RPCSEC_GSS service active, or a userland RPC server using librpcsec_gss.
  • Network access to the target service.
  • Ability to send crafted RPCSEC_GSS packets.

Step-by-step exploitation approach

  • Identify a reachable RPCSEC_GSS endpoint on the target.
  • Construct an RPC call packet with:
    • valid RPC header fields
    • rm_call.cb_cred.oa_flavor set to RPCSEC_GSS flavor
    • rm_call.cb_cred.oa_length set to an oversized value larger than sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT
    • a payload buffer of corresponding size
  • Transmit the malformed packet to the target service over the appropriate transport (TCP/UDP).
  • Observe the target’s response or crash behavior.

Expected behavior vs exploited behavior

  • Expected behavior:
    • a correct implementation rejects invalid auth lengths
    • the service should log an error or ignore the packet without crashing
  • Exploited behavior:
    • the unchecked memcpy overruns the stack buffer
    • memory corruption occurs
    • the target may crash, panic, or potentially execute attacker-controlled code

How to verify the vulnerability exists

  • Check FreeBSD version and patch level; unpatched 14.4-RELEASE is vulnerable.
  • Inspect source or binary for the absence of the new oa_length bounds check.
  • Attempt to send a malformed RPCSEC_GSS packet in a controlled lab:
    • if the target crashes or the service drops unexpectedly, the vulnerability is likely present
    • if the target logs a debug message and cleanly rejects the packet, the patch may already be present
  • Review the FreeBSD UPDATING entry and security advisory SA-26:08.rpcsec_gss for confirmation of the fix.

5. Recommendations

Mitigation strategies

  • Apply the FreeBSD patch or upgrade to 14.4-RELEASE-p1 or later.
  • If patching is not immediately possible:
    • disable NFS or other RPCSEC_GSS services
    • unload kgssapi.ko if it is not required
    • restrict access to RPC ports with firewall rules

Detection methods

  • Monitor kernel logs and system messages for RPCSEC_GSS validation failures and client stale events.
  • Watch for unexpected process termination or kernel panics in NFS/RPC paths.
  • Deploy IDS/IPS rules that detect malformed RPCSEC_GSS packets with suspiciously large auth lengths.
  • Audit systems for loaded kgssapi.ko and active RPCSEC_GSS services.
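Added example for the IDS/IPS detection method above (not the project's code): a passive check over one RPC message body that flags CALL messages whose RPCSEC_GSS credential declares a length larger than the stack buffer could hold, or larger than the datagram actually carries. The 96-byte threshold is an assumption (a 128-byte stack buffer minus eight XDR units), the TCP record mark is assumed already stripped, and both sample packets are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define AUTH_RPCSEC_GSS 6          /* RPCSEC_GSS auth flavor number (RFC 2203) */
#define RPC_CALL 0                 /* msg_type CALL */
#define GSS_CRED_MAX 96            /* assumed: 128-byte rpchdr minus 8 XDR units */

static uint32_t get_u32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Inspect one RPC message body (TCP record mark already stripped; UDP payload as-is).
 * Returns true when it is an RPCv2 CALL carrying an RPCSEC_GSS credential whose
 * declared length exceeds what the vulnerable rpchdr buffer could hold, or claims
 * more bytes than the message actually contains. */
bool gss_cred_oversized(const uint8_t *msg, size_t len, uint32_t *declared) {
    if (len < 32) return false;                  /* too short for the fixed fields */
    if (get_u32be(msg + 4) != RPC_CALL) return false;
    if (get_u32be(msg + 8) != 2) return false;   /* RPC version 2 */
    uint32_t flavor = get_u32be(msg + 24);
    uint32_t cred_len = get_u32be(msg + 28);
    if (declared) *declared = cred_len;
    if (flavor != AUTH_RPCSEC_GSS) return false;
    return cred_len > GSS_CRED_MAX || cred_len > len - 32;
}

/* Constructed sample: NFSv3 NULL call (prog 100003, vers 3, proc 0) with a 20-byte
 * RPCSEC_GSS credential (version 1, proc DATA, seq 1, service 1, empty handle)
 * and an AUTH_NONE verifier. */
static const uint8_t sample_ok[] = {
    0x00,0x00,0x12,0x34, 0,0,0,0, 0,0,0,2, 0x00,0x01,0x86,0xa3, 0,0,0,3, 0,0,0,0,
    0,0,0,6, 0,0,0,20,
    0,0,0,1, 0,0,0,0, 0,0,0,1, 0,0,0,1, 0,0,0,0,
    0,0,0,0, 0,0,0,0 };
/* Same message, but the credential claims 400 bytes while only 20 follow. */
static const uint8_t sample_bad[] = {
    0x00,0x00,0x12,0x34, 0,0,0,0, 0,0,0,2, 0x00,0x01,0x86,0xa3, 0,0,0,3, 0,0,0,0,
    0,0,0,6, 0,0,1,0x90,
    0,0,0,1, 0,0,0,0, 0,0,0,1, 0,0,0,1, 0,0,0,0,
    0,0,0,0, 0,0,0,0 };
```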

Best practices to prevent similar issues

  • Always validate length fields before copying data from network packets.
  • Avoid copying untrusted inputs into fixed-size stack buffers without explicit bounds checks.
  • Treat authentication metadata as untrusted until it has been fully validated.
  • Use defensive programming patterns in protocol parsers: explicit size limits, safe copy primitives, and early rejection of malformed messages.
  • Maintain timely application of security advisories and kernel patches.

Frequently asked questions about CVE-2026-4747

What is CVE-2026-4747?

CVE-2026-4747 is a security vulnerability identified in freebsd-src. This security advisory provides detailed technical analysis of the vulnerability, exploit methodology, affected versions, and complete remediation guidance.

Is there a PoC (proof of concept) for CVE-2026-4747?

Yes. This writeup includes proof-of-concept details and a technical exploit breakdown for CVE-2026-4747. Review the analysis sections above for the PoC walkthrough and code examples.

How does CVE-2026-4747 get exploited?

The technical analysis section explains the vulnerability mechanics, attack vectors, and exploitation methodology affecting freebsd-src. PatchLeaks publishes this information for defensive and educational purposes.

What products and versions are affected by CVE-2026-4747?

CVE-2026-4747 affects freebsd-src. Check the affected-versions section of this advisory for specific version ranges, vulnerable configurations, and compatibility information.

How do I fix or patch CVE-2026-4747?

The patch analysis section provides guidance on updating to patched versions, applying workarounds, and implementing compensating controls for freebsd-src.

What is the CVSS score for CVE-2026-4747?

The severity rating and CVSS scoring for CVE-2026-4747 affecting freebsd-src are documented in the vulnerability details section. Refer to the NVD entry for the current authoritative score.