Description
Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first.

As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user who is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel.

In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send them packets. We are not aware of any such applications in the FreeBSD base system.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate Patch
AI Analysis

Impact

The flaw lies in the RPCSEC_GSS packet validation routine. A stack buffer is used to copy data from the packet without verifying that the buffer is large enough. This leads to a stack overflow that can be triggered by a specially crafted packet sent by any client, because the routine does not require prior authentication. An attacker who can send such packets to the NFS server (or any RPC server that loads the vulnerable library) can execute arbitrary code at the privilege level of the receiving process, which may be kernel mode.

Affected Systems

FreeBSD systems whose kernel modules provide GSS authentication. The kgssapi.ko kernel module is affected in the core system; any NFS server that loads it is vulnerable. In user space, any application that loads the librpcgss_sec library and runs an RPC server is also susceptible. While the FreeBSD base system itself is not known to ship such applications, third-party services may still expose the risk.

Risk and Exploitability

The CVSS score of 8.8 reflects the severity of the vulnerability. The EPSS score of less than 1% indicates that the likelihood of exploitation in the immediate future is low, and the vulnerability is not listed in the CISA KEV catalog, implying it has not yet seen widespread use by known threat actors. Nevertheless, because authentication is not required for user-space exploitation, any attacker with network access to a vulnerable RPC server could deliver malicious packets. In the kernel case, an authenticated NFS client can reach the vulnerable code path. The attack surface is therefore significant for systems with active RPC/NFS services and the kgssapi.ko module loaded.

Generated by OpenCVE AI on March 26, 2026 at 15:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available FreeBSD security update that patches kgssapi.ko.
  • If an update is not possible, unload or blacklist the kgssapi.ko kernel module to disable GSS authentication for RPC services.
  • For user-space services, remove or upgrade any library that loads librpcgss_sec, or disable RPC services that require GSS authentication.
  • Verify that no RPC services are listening on the network; use firewall rules to block unsolicited RPC traffic.
  • Keep the system and all security patches up to date, and monitor vendor advisories for updates to this vulnerability.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

  References: no values listed
  Metrics (ssvc):
    Values Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
    Values Added:   {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 14:15:00 +0000

  Metrics (cvssV3_1):
    Values Added:   {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Metrics (ssvc):
    Values Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

  First Time appeared:
    Values Added:   Freebsd; Freebsd freebsd
  Vendors & Products:
    Values Added:   Freebsd; Freebsd freebsd

Thu, 26 Mar 2026 07:00:00 +0000

  Description:
    Values Added:   (the Description text shown at the top of this page)
  Title:
    Values Added:   Remote code execution via RPCSEC_GSS packet validation
  Weaknesses:
    Values Added:   CWE-121
  References: no values listed

MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-04-02T03:55:35.253Z

Reserved: 2026-03-24T03:57:38.500Z

Link: CVE-2026-4747

Vulnrichment

Updated: 2026-04-01T14:07:04.429Z

NVD

Status: Awaiting Analysis

Published: 2026-03-26T07:16:20.670

Modified: 2026-04-01T15:23:23.797

Link: CVE-2026-4747

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:51Z

Weaknesses