High (8.8)

RPCSEC_GSS stack buffer overflow (CVE-2026-4747)

CVE-2026-4747

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is s...

Overview

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-4747, has been discovered in FreeBSD’s implementation of the RPCSEC_GSS security protocol. This flaw resides in a packet validation routine that fails to properly check data sizes before copying them, allowing an attacker to overflow a stack buffer. Exploitation can lead to remote code execution.

Vulnerability Details

The vulnerability exists in the code responsible for validating signed RPCSEC_GSS data packets. A specific routine copies a portion of an incoming network packet into a fixed-size stack buffer but does not verify that the data fits within the buffer’s limits. A maliciously crafted packet can therefore write data past the end of the buffer, corrupting the stack.

Crucially, this validation occurs before client authentication. This means an attacker does not need valid credentials to send the malicious packet that triggers the overflow, significantly lowering the barrier for exploitation.
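As an added illustration (not code from FreeBSD, kgssapi or this advisory), the shape of the defect next to the bounds-checked form in C: the first routine trusts the signature length declared in the packet, the second rejects any length that does not fit both the stack buffer and the bytes actually received. The packet layout, the 64-byte buffer size and the function names are assumptions made for the example.

```c
/* Added example (not FreeBSD's kgssapi or librpcsec_gss code): a hypothetical
 * model of the pattern the advisory describes, beside its bounds-checked form.
 * The packet layout (4-byte big-endian signature length, then the bytes) and
 * the 64-byte stack buffer are assumptions made for the illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SIG_LEN 64  /* assumed size of the fixed-size stack buffer */

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unsafe pattern: the length field taken from the network is trusted, so a
 * declared length above MAX_SIG_LEN writes past the end of 'sig' on the stack.
 * Shown for contrast only; nothing in this file calls it. */
int copy_signature_unchecked(const uint8_t *pkt, size_t pktlen)
{
    uint8_t sig[MAX_SIG_LEN];
    uint32_t n = be32(pkt);
    (void)pktlen;                    /* received size is never consulted */
    memcpy(sig, pkt + 4, n);         /* no check of n against sizeof sig */
    return (int)n;
}

/* Hardened form: the declared length must fit both the stack buffer and the
 * bytes actually received. Returns the copied length, or -1 to reject. */
int copy_signature_checked(const uint8_t *pkt, size_t pktlen)
{
    uint8_t sig[MAX_SIG_LEN];
    if (pktlen < 4)
        return -1;                   /* not even a complete length field */
    uint32_t n = be32(pkt);
    if (n > sizeof sig || n > pktlen - 4)
        return -1;                   /* oversized or truncated: drop it */
    memcpy(sig, pkt + 4, n);
    return (int)n;                   /* signature verification would follow */
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_OK[]    = {0, 0, 0, 8, 1, 2, 3, 4, 5, 6, 7, 8}; /* fits */
static const uint8_t PKT_BIG[]   = {0, 0, 4, 0, 0xAA, 0xAA, 0xAA, 0xAA}; /* claims 1024 */
static const uint8_t PKT_SHORT[] = {0, 0, 0, 16, 1, 2, 3, 4};            /* claims 16, has 4 */
static const uint8_t PKT_TINY[]  = {0, 0};                               /* no length field */
```

The checked routine refuses the oversized and truncated packets before any copy happens, which is the check the advisory says the affected routine lacks.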

Impact and Severity

This is a HIGH severity vulnerability with a CVSS score of 8.8. The impact varies by context:

  • Kernel-level Impact: If the kgssapi.ko kernel module is loaded (e.g., when using the kernel NFS server with Kerberos), a remote, authenticated user could potentially execute arbitrary code within the kernel, leading to a full system compromise.
  • User-level Impact: Any user-space application that has the librpcsec_gss library loaded and is running an RPC server is vulnerable to remote code execution from any unauthenticated client able to send it packets.


Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Action: Patch

Apply the official security patches provided by the FreeBSD Project as soon as they are released. Update your FreeBSD systems to the corrected versions. Regularly monitor security news for official updates and advisories.

Immediate Mitigations:

  1. Unload the Kernel Module: If you are not using Kerberos with the kernel NFS server, unload the kgssapi.ko module to eliminate the kernel attack vector. This can be done with the command kldunload kgssapi (kldstat shows whether the module is currently loaded).
  2. Network Controls: Restrict network access to RPC services (especially those using RPCSEC_GSS) using firewall rules. Limit exposure to only trusted, necessary networks.
  3. Review Applications: Audit user-space applications to identify any that use librpcsec_gss and expose RPC services. Consider disabling or isolating these services until patches can be applied.

System administrators should treat this vulnerability as a critical priority due to its potential for unauthenticated remote code execution.
