Description
When a challenge ACK is to be sent, tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent, the function returns and leaks the mbuf.

If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings, i.e., with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.

Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.
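To make the CWE-401 shape of this bug concrete, the following C program is an added illustration written for this page; it is not FreeBSD's code and not part of the CVE record. The mbuf type, the m_get_model()/m_freem_model() allocator, the tcp_respond_model() send stand-in, the challenge_limiter with its 5-per-second window, and the run_burst() harness are all hypothetical models of what the description states. The point it shows is the one the description makes: the send path consumes the buffer, so the rate-limited "do not send" path must free it itself or every packet over the limit costs one mbuf.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal stand-in for an mbuf: a heap allocation whose count we track.
 * This is a model for illustration, not FreeBSD's struct mbuf. */
struct mbuf {
    size_t len;
    unsigned char data[64];
};

/* Outstanding allocations; on a real host this is the figure netstat -m reports. */
static int mbufs_in_use = 0;

static struct mbuf *m_get_model(void)
{
    struct mbuf *m = calloc(1, sizeof(*m));
    if (m != NULL)
        mbufs_in_use++;
    return m;
}

static void m_freem_model(struct mbuf *m)
{
    if (m != NULL) {
        mbufs_in_use--;
        free(m);
    }
}

/* Hypothetical rate limiter: at most `limit` challenge ACKs per one-second window,
 * mirroring the "first 5 within 1s" default the description quotes. */
struct challenge_limiter {
    int limit;
    int sent_this_sec;
    long window_sec;
};

static bool challenge_ack_allowed(struct challenge_limiter *l, long now_sec)
{
    if (now_sec != l->window_sec) {
        l->window_sec = now_sec;
        l->sent_this_sec = 0;
    }
    if (l->sent_this_sec >= l->limit)
        return false;
    l->sent_this_sec++;
    return true;
}

/* Stand-in for the send path: like tcp_respond() on the page, it consumes the mbuf. */
static void tcp_respond_model(struct mbuf *m)
{
    m_freem_model(m);
}

/* Vulnerable shape (CWE-401): the rate-limited path returns without releasing m. */
static void challenge_ack_leaky(struct challenge_limiter *l, struct mbuf *m, long now_sec)
{
    if (!challenge_ack_allowed(l, now_sec))
        return;                     /* BUG: m is neither sent nor freed */
    tcp_respond_model(m);
}

/* Fixed shape: every exit either hands m to the send path or frees it. */
static void challenge_ack_fixed(struct challenge_limiter *l, struct mbuf *m, long now_sec)
{
    if (!challenge_ack_allowed(l, now_sec)) {
        m_freem_model(m);
        return;
    }
    tcp_respond_model(m);
}

/* Push n_packets through one variant inside a single one-second window and report
 * how many mbufs are still outstanding afterwards (0 means nothing leaked). */
int run_burst(bool fixed, int limit, int n_packets)
{
    struct challenge_limiter l = { .limit = limit, .sent_this_sec = 0, .window_sec = -1 };
    int before = mbufs_in_use;
    for (int i = 0; i < n_packets; i++) {
        struct mbuf *m = m_get_model();
        if (m == NULL)
            break;
        if (fixed)
            challenge_ack_fixed(&l, m, 0);
        else
            challenge_ack_leaky(&l, m, 0);
    }
    return mbufs_in_use - before;
}

int main(void)
{
    printf("leaky variant, 20 packets in 1 s, limit 5: %d mbufs leaked\n", run_burst(false, 5, 20));
    printf("fixed variant, 20 packets in 1 s, limit 5: %d mbufs leaked\n", run_burst(true, 5, 20));
    return 0;
}
```

With the default-like limit of 5, a burst of 20 packets in one window leaves 15 buffers outstanding in the leaky variant and none in the fixed one; the same delta per window is what a monitoring check on mbuf usage would see growing on an unpatched host under sustained traffic.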
Published: 2026-03-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via memory exhaustion
Action: Apply Patch
AI Analysis

Impact

When the TCP layer constructs a challenge acknowledgment it consumes the mbuf that is passed to it, but if no acknowledgment should be sent the function returns and the mbuf is left allocated. For each crafted packet that satisfies the challenge‑ACK criteria an mbuf leaks. With the default rate limit a host will leak one mbuf for every packet beyond the first five sent within one second, rapidly consuming kernel memory and eventually causing the system to halt or become unresponsive.

Affected Systems

This weakness is present in the FreeBSD operating system. No particular release numbers are specified, so any FreeBSD version that contains the affected tcp_respond implementation may be vulnerable. Administrators should check the FreeBSD security advisory and apply the recommended update or newer release.

Risk and Exploitability

The flaw carries a CVSS base score of 7.5, indicating high severity. The EPSS probability is below 1 %, meaning exploitation is considered low‑probability unless an attacker has direct network access to a FreeBSD host. An attacker who can establish a TCP connection, or who is on the same path, can easily craft packets to trigger the leak. Off‑path attacks that rely on spoofing would be more complex and less likely to succeed. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalogue, suggesting no confirmed wide‑scale attacks yet.

Generated by OpenCVE AI on March 26, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch released in the FreeBSD security advisory for CVE‑2026‑4247.
  • Verify that the system has been upgraded to a version that incorporates the fix.
  • Monitor kernel memory usage for sudden increases to detect a potential denial‑of‑service attempt.
  • Consider implementing packet filtering or rate‑limiting rules on the network perimeter to reduce the effect of crafted packets until a patch is applied.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Freebsd; Freebsd freebsd

Type: Vendors & Products
Values removed: (none)
Values added: Freebsd; Freebsd freebsd

Thu, 26 Mar 2026 06:30:00 +0000

Type: Description
Values removed: (none)
Values added: When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf. If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf. Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.

Type: Title
Values removed: (none)
Values added: TCP: remotely exploitable DoS vector (mbuf leak)

Type: Weaknesses
Values removed: (none)
Values added: CWE-401
References

MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-03-26T14:41:24.333Z

Reserved: 2026-03-16T03:51:53.368Z

Link: CVE-2026-4247

Vulnrichment

Updated: 2026-03-26T14:38:47.013Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T07:16:20.387

Modified: 2026-03-26T15:16:41.263

Link: CVE-2026-4247

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:53Z

Weaknesses