FreeBSD security advisory (AV26-291)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in FreeBSD (AV26-291)
## CVE Details
- **CVE ID:** CVE-2026-4747 (RCE), CVE-2026-4247 (DoS), CVE-2026-4652 (DoS), CVE-2026-4748 (Logic Bug)
- **CVSS Score:** Not explicitly provided in the bulletin (Estimated High/Critical for RCE)
- **CWE:** Included weaknesses:
  - CWE-400 (Uncontrolled Resource Consumption)
  - CWE-476 (NULL Pointer Dereference)
  - CWE-20 (Improper Input Validation)
  - CWE-693 (Protection Mechanism Failure)
## Affected Systems
- **Products:** FreeBSD Operating System
- **Versions:**
  - FreeBSD 13.5
  - FreeBSD 14.x
  - FreeBSD 15.0
- **Configurations:** Systems running TCP network stacks, NVMe over Fabrics (nvmf), RPC services using GSS-API, or the `pf` packet filter.
## Vulnerability Description
This advisory covers four distinct security flaws identified within the FreeBSD kernel and core utilities:
1. **CVE-2026-4747 (RPCSEC_GSS):** A critical vulnerability in RPCSEC_GSS packet validation that allows for remote code execution.
2. **CVE-2026-4247 (TCP mbuf leak):** A resource exhaustion flaw where the TCP stack fails to release memory buffers (mbufs), leading to a kernel panic or system-wide denial of service.
3. **CVE-2026-4652 (NVMe-oF):** A NULL pointer dereference in the NVMe over Fabrics implementation, allowing a remote attacker to crash the host.
4. **CVE-2026-4748 (Packet Filter):** A logic flaw in the `pf` firewall where certain rules are silently ignored, potentially bypassing intended network security policies.
## Exploitation
- **Status:** Vulnerabilities verified by vendor; no widespread "in the wild" exploitation reported in this brief.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Due to RCE and firewall bypass potential)
- **Integrity:** High (Due to RCE and firewall bypass potential)
- **Availability:** High (System crashes and memory exhaustion)
## Remediation
### Patches
FreeBSD has released several security advisories corresponding to these flaws. Users should update via `freebsd-update`:
- **FreeBSD-SA-26:06.tcp**
- **FreeBSD-SA-26:07.nvmf**
- **FreeBSD-SA-26:08.rpcsec_gss**
- **FreeBSD-SA-26:09.pf**
### Workarounds
- **TCP DoS:** Monitor system memory and limit concurrent TCP connections from untrusted sources.
- **NVMe-oF:** Disable the `nvmf` service/module if not explicitly required.
- **RPC:** Disable RPCSEC_GSS or restrict RPC access to trusted internal networks.
- **PF:** Review the active ruleset with `pfctl -sr` to confirm that every rule you expect is actually loaded into the kernel, since this bug can cause rules to be silently dropped.
## Detection
- **Indicators of Compromise:** High memory utilization (specifically mbuf usage), unintended network traffic passing through the firewall, or kernel panics related to RPC or NVMe modules.
- **Detection methods and tools:**
  - Use `netstat -m` to monitor mbuf usage; sustained growth in mbufs in use without a matching rise in connections, or denied mbuf requests, indicates a leak.
  - Check system logs (`/var/log/messages`) for NULL pointer dereference errors.
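An added example (not part of the advisory) showing how the `netstat -m` check above can be scripted: it parses two samples of `netstat -m` output, constructed inline here in FreeBSD's output format with made-up values, and flags mbuf growth, cluster exhaustion and denied allocations between them. The thresholds are assumptions to tune per host.

```python
import re

# Constructed samples in FreeBSD `netstat -m` format; the numbers are illustrative.
SAMPLE_BEFORE = """\
1285/1315/2600 mbufs in use (current/cache/total)
1024/508/1532/65536 mbuf clusters in use (current/cache/total/max)
0/0/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
"""
SAMPLE_AFTER = """\
48210/1390/49600 mbufs in use (current/cache/total)
47900/600/48500/65536 mbuf clusters in use (current/cache/total/max)
12/3/0 requests for mbufs denied (mbufs/clusters/mbuf+clusters)
"""

MBUF_RE = re.compile(r"^(\d+)/(\d+)/(\d+) mbufs in use")
CLUSTER_RE = re.compile(r"^(\d+)/(\d+)/(\d+)/(\d+) mbuf clusters in use")
DENIED_RE = re.compile(r"^(\d+)/(\d+)/(\d+) requests for mbufs denied")


def parse_netstat_m(text):
    """Pull the counters relevant to leak detection out of `netstat -m` output."""
    stats = {}
    for line in text.splitlines():
        line = line.strip()
        if m := MBUF_RE.match(line):
            stats["mbufs_current"] = int(m.group(1))
        elif m := CLUSTER_RE.match(line):
            stats["clusters_current"] = int(m.group(1))
            stats["clusters_max"] = int(m.group(4))  # kern.ipc.nmbclusters
        elif m := DENIED_RE.match(line):
            stats["denied"] = sum(int(g) for g in m.groups())
    return stats


def assess(before, after, growth_factor=4.0, max_frac=0.5):
    """Compare two samples; return a list of findings (empty means nothing suspicious)."""
    findings = []
    cur_b, cur_a = before["mbufs_current"], after["mbufs_current"]
    if cur_b and cur_a / cur_b >= growth_factor:  # assumed threshold
        findings.append(f"mbufs in use grew {cur_a / cur_b:.1f}x ({cur_b} -> {cur_a})")
    frac = after["clusters_current"] / after["clusters_max"]
    if frac >= max_frac:  # assumed threshold
        findings.append(f"mbuf clusters at {frac:.0%} of kern.ipc.nmbclusters")
    if after["denied"] > before["denied"]:
        findings.append(f"{after['denied'] - before['denied']} new denied mbuf requests")
    return findings


if __name__ == "__main__":
    for f in assess(parse_netstat_m(SAMPLE_BEFORE), parse_netstat_m(SAMPLE_AFTER)):
        print("ALERT:", f)
```

On a live host, feed the script the captured output of `netstat -m` taken a few minutes apart rather than the embedded samples.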
## References
- **Vendor Advisories:**
  - hxxps[://]www[.]freebsd[.]org/security/advisories/FreeBSD-SA-26:06.tcp.asc
  - hxxps[://]www[.]freebsd[.]org/security/advisories/FreeBSD-SA-26:07.nvmf.asc
  - hxxps[://]www[.]freebsd[.]org/security/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc
  - hxxps[://]www[.]freebsd[.]org/security/advisories/FreeBSD-SA-26:09.pf.asc
- **Cyber Centre Alert:**
  - hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/freebsd-security-advisory-av26-291