Impact
When the TCP layer constructs a challenge acknowledgement it consumes the mbuf that is passed to it, but if no acknowledgment should be sent the function returns and the mbuf is left allocated. For each crafted packet that satisfies the challenge‑ACK criteria an mbuf leaks. With the default rate limit a host will leak one mbuf for every packet beyond the first five sent within one second, rapidly consuming kernel memory and eventually causing the system to halt or become unresponsive.
Affected Systems
These affected versions include FreeBSD 14.3 (all patch levels p1 through p9, plus the base release), 14.4 (both the release and the rc1 release), and 15.0 (all patches p1 through p4). The vulnerability sits in the TCP implementation used by these releases. Administrators should confirm that their system is running a version that incorporates the fix issued in the FreeBSD‑SA‑26:06.tcp advisory.
Risk and Exploitability
The flaw carries a CVSS base score of 7.5, indicating high severity. The EPSS probability is 1 %, meaning exploitation is considered low‑probability unless an attacker has direct network access to a FreeBSD host. An attacker who can establish a TCP connection, or who is on the same path, can easily craft packets to trigger the leak. Off‑path attacks that rely on spoofing would be more complex and less likely to succeed. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalogue, suggesting no confirmed wide‑scale attacks yet.
OpenCVE Enrichment