← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-4747 · CWE-121 · Disclosed 2026-03-26

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a landmine hidden in the armored gate, not in every sidewalk

CVE-2026-4747 is a stack-based buffer overflow in FreeBSD's RPCSEC_GSS packet validation path, affecting both the kernel-side kgssapi.ko implementation used by NFS and the userland librpcsec_gss library. FreeBSD says all supported versions were affected at disclosure on 2026-03-26, with fixes released in 13.5-RELEASE-p11, 14.3-RELEASE-p10, 14.4-RELEASE-p1, and 15.0-RELEASE-p5. The vulnerable routine reconstructs part of an incoming RPCSEC_GSS packet into a fixed stack buffer without verifying the incoming length, so a malicious packet can overflow the stack.

The vendor's HIGH 8.8 baseline is technically understandable because the end state is remote code execution, including kernel-context execution when the NFS path is in play. But operationally this is not a generic internet-wide FreeBSD RCE: the target must be running a reachable RPC server, and for the base-system kernel path that means FreeBSD NFS with kgssapi.ko loaded. That narrower exposure keeps this out of CRITICAL, but the public exploit and kernel impact keep it firmly above MEDIUM.

"Bad bug, real PoC, but the blast radius collapses fast unless you actually run FreeBSD NFS with RPCSEC_GSS exposed."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable FreeBSD RPC target

The attacker first needs a host exposing an RPC service that will process RPCSEC_GSS traffic. In the base OS, the practical target is the FreeBSD NFS server path on 2049/tcp, because FreeBSD explicitly ties kgssapi.ko use to NFS for Kerberos-backed authentication.
Conditions required:
  • Network reachability to the target RPC/NFS service
  • Target is running FreeBSD
  • NFS or another RPC service is exposed
Where this breaks in practice:
  • Most enterprise NFS is internal-only, not internet-exposed
  • A FreeBSD host is a much smaller population than generic Linux/Windows server fleets
  • Port exposure alone does not prove the vulnerable RPCSEC_GSS path is active
Detection/coverage: External attack-surface tools and Nmap can find 2049/tcp, but vulnerability scanners usually stop at service/version inference here.
STEP 02

Hit the RPCSEC_GSS code path

The exploit only matters if the target actually processes RPCSEC_GSS packets. FreeBSD's advisory says the kernel path is vulnerable when kgssapi.ko is loaded, and notes no known vulnerable base-system userland RPC servers, which means the vulnerable population is much smaller than 'all FreeBSD hosts.'
Conditions required:
  • kgssapi.ko loaded for the kernel/NFS path, or a third-party RPC server linked against librpcsec_gss
  • The service accepts attacker-supplied RPCSEC_GSS packets
Where this breaks in practice:
  • kgssapi.ko is not required on every NFS deployment
  • Third-party userland RPCSEC_GSS servers appear uncommon in normal enterprise fleets
  • This prerequisite is hard to validate remotely without active testing
Detection/coverage: Very little off-the-shelf scanner coverage for 'module loaded' state; this is best verified on-host with kldstat, service config review, and listening-socket checks.
STEP 03

Send the crafted overflow packet

A public exploit is already referenced by NVD in the califio/publications repository, including exploit.py, which lowers attacker development cost substantially. The vulnerable validation routine copies attacker-controlled packet data into a fixed stack buffer without adequate length checking.
Conditions required:
  • Attacker can send raw or application-crafted RPC traffic to the service
  • Target is on an unpatched vulnerable branch
Where this breaks in practice:
  • Network ACLs, host firewalls, or segmentation may block the service path
  • Service crashes or watchdog restarts may turn some attempts into noisy denial-of-service instead of stable code execution
Detection/coverage: Network IDS may see malformed RPC/NFS traffic, but signature coverage will lag because the bug is in a niche protocol path.
STEP 04

Land code execution as root or in kernel context

On the kernel-side NFS path, successful exploitation can yield kernel-context execution, which is effectively full system compromise. Even failed attempts may generate crashes or panics, so defenders should treat unusual NFS instability on vulnerable versions as suspicious until proven otherwise.
Conditions required:
  • Exploit reliability sufficient for the target architecture and branch
  • No upstream controls block or kill the malformed session before the vulnerable routine executes
Where this breaks in practice:
  • Kernel exploitation is still harder than simple userland memory corruption in many real environments
  • A successful exploit must survive compiler, stack, and runtime hardening differences across branches
Detection/coverage: EDR visibility on FreeBSD is often thinner than on Windows/Linux; kernel panics, dmesg, service restarts, and NFS telemetry become important.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public evidence of broad active exploitation found in authoritative sources reviewed. Not KEV-listed and no vendor note claiming active attacks.
Proof-of-concept availabilityYes — NVD references a public GitHub repo from califio/publications containing exploit.py; the repo states the PoC was *AI-generated, human-verified*.
EPSS0.00198 from the user-supplied intel block, which is a low exploit-likelihood signal. FIRST percentile was not independently verified in this session.
KEV statusNot listed in CISA's Known Exploited Vulnerabilities Catalog as of 2026-05-29.
CVSS vector reality checkCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H scores it as easy network abuse with prior low privileges. But the advisory text also says the packet trigger does not require prior authentication, while the kernel-impact paragraph mentions an authenticated user; that inconsistency is why the real driver here is service exposure, not the vendor PR field.
Affected populationFreeBSD says all supported versions at disclosure were affected, but the *reachable* population is much smaller because exploitation requires an RPCSEC_GSS-capable server path. In the base system, that mainly means NFS with kgssapi.ko loaded.
Fixed versionsPatched in 13.5-RELEASE-p11, 14.3-RELEASE-p10, 14.4-RELEASE-p1, and 15.0-RELEASE-p5; stable branches also received fixes via the advisory's listed commit hashes.
Exposure and scanning realityInternet exposure begins with NFS on 2049/tcp, but remote discovery of kgssapi.ko or vulnerable RPCSEC_GSS enablement is weak. Expect many false positives from pure port-based exposure counts and many false negatives from version-only scanners.
Disclosure and researcherDisclosed by FreeBSD on 2026-03-26. Credit: Nicholas Carlini using Claude, Anthropic.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to HIGH (7.4/10)

The decisive factor is population narrowing: this is not a generic FreeBSD remote bug, it is a vulnerable path behind a reachable RPC service, and in the base system that primarily means NFS with kgssapi.ko loaded. That knocks it down from the vendor's near-critical posture, but a public exploit plus possible kernel-context RCE keeps it in HIGH.

HIGH Affected-version and fix-version mapping from FreeBSD advisory
MEDIUM Real-world exposure assessment for enterprise fleets
MEDIUM Exploitability interpretation because the CVSS PR field conflicts with the advisory text

Why this verdict

  • Kernel RCE is still kernel RCE: if the NFS/kgssapi.ko path is reachable, compromise can land in kernel context. That alone prevents a MEDIUM rating.
  • Exposure population is narrower than the CVSS implies: the attacker needs a reachable FreeBSD RPC service, and the base-system kernel path specifically needs NFS with kgssapi.ko loaded. That is a major downward adjustment from a generic network daemon bug.
  • Public exploit lowers attacker cost: NVD links to a live GitHub PoC with exploit.py, so this is not a theory-only memory corruption issue. I add risk back for weaponization maturity.
  • No exploitation evidence and low EPSS push downward: it is not KEV-listed and the supplied EPSS is very low. That matters when deciding whether this is a fleet-wide fire drill versus a targeted service hardening problem.

Why not higher?

It is not CRITICAL because the reachable population is gated by a specific service role and module state, not just 'host is FreeBSD.' Most enterprises do not expose Kerberos-enabled NFS broadly, and there is no authoritative evidence here of active exploitation or KEV inclusion.

Why not lower?

It is not MEDIUM because the technical outcome is severe and the exploit bar is no longer purely research-grade. A public PoC against a network-reachable kernel-facing parser means any environment that actually runs the vulnerable path has meaningful compromise risk.

05 · Compensating Control

What to do — in priority order.

  1. Restrict NFS reachability — Lock down 2049/tcp to approved client networks only and remove any internet exposure. For a HIGH verdict, deploy this control within 30 days anywhere patching cannot happen immediately.
  2. Disable unused NFS services — If the host is not intentionally serving NFS, turn off nfsd and related RPC exposure to remove the vulnerable entry point entirely. Do this within 30 days on all dormant or accidental NFS servers.
  3. Unload or avoid kgssapi.ko where unnecessary — FreeBSD explicitly says kernels without kgssapi.ko loaded are not vulnerable on the kernel path. If Kerberos-backed NFS is not required, remove that module from the runtime and boot configuration within 30 days.
  4. Monitor for malformed NFS/RPC activity — Add temporary detection around unusual traffic to 2049/tcp, repeated session failures, nfsd instability, and kernel panic indicators. This is not a patch substitute, but it improves time-to-detect while you work through remediation within 30 days.
What doesn't work
  • MFA does not materially help, because the vulnerable packet validation path is reached before any meaningful user-centric control matters.
  • Client-side patching alone does not protect a vulnerable FreeBSD server; the decisive risk is on the server-side RPC parser.
  • A generic perimeter WAF does not help for raw NFS/RPC traffic on 2049/tcp.
06 · Verification

Crowdsourced verification payload.

Run this on the FreeBSD target host as root or with enough privilege to read kernel module state and service/process information. Save it as check-cve-2026-4747.sh, then run sudo sh check-cve-2026-4747.sh; it reports VULNERABLE, PATCHED, or UNKNOWN based on release level and whether the obvious kernel/NFS exposure path is present.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/bin/sh
# check-cve-2026-4747.sh
# FreeBSD target-side check for CVE-2026-4747
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

kv="$(freebsd-version -k 2>/dev/null || true)"
uv="$(freebsd-version -u 2>/dev/null || true)"
rv="${kv:-$uv}"

if [ -z "$rv" ]; then
  echo "UNKNOWN: unable to determine FreeBSD version"
  exit 2
fi

# Determine whether the obvious kernel attack path is exposed.
kgss_loaded="no"
if command -v kldstat >/dev/null 2>&1; then
  if kldstat -q -m kgssapi 2>/dev/null; then
    kgss_loaded="yes"
  fi
fi

nfs_running="no"
if pgrep -x nfsd >/dev/null 2>&1; then
  nfs_running="yes"
fi

nfs_listening="unknown"
if command -v sockstat >/dev/null 2>&1; then
  if sockstat -4 -6 -l 2>/dev/null | awk '$6 ~ /:2049$/ {found=1} END{exit(found?0:1)}'; then
    nfs_listening="yes"
  else
    nfs_listening="no"
  fi
fi

is_vuln_version="unknown"
reason=""

case "$rv" in
  13.5-RELEASE-p[0-9]|13.5-RELEASE-p10|13.5-RELEASE)
    is_vuln_version="yes"
    reason="13.5 before p11"
    ;;
  13.5-RELEASE-p1[1-9]*|13.5-RELEASE-p[2-9][0-9]*)
    is_vuln_version="no"
    reason="13.5 patched at p11+"
    ;;
  14.3-RELEASE-p[0-9]|14.3-RELEASE)
    is_vuln_version="yes"
    reason="14.3 before p10"
    ;;
  14.3-RELEASE-p1[0-9]*|14.3-RELEASE-p[2-9][0-9]*)
    is_vuln_version="no"
    reason="14.3 patched at p10+"
    ;;
  14.4-RELEASE|14.4-RELEASE-p0)
    is_vuln_version="yes"
    reason="14.4 before p1"
    ;;
  14.4-RELEASE-p[1-9]* )
    is_vuln_version="no"
    reason="14.4 patched at p1+"
    ;;
  15.0-RELEASE-p[0-4]|15.0-RELEASE)
    is_vuln_version="yes"
    reason="15.0 before p5"
    ;;
  15.0-RELEASE-p[5-9]* )
    is_vuln_version="no"
    reason="15.0 patched at p5+"
    ;;
  *)
    is_vuln_version="unknown"
    reason="unsupported, non-RELEASE, or unrecognized branch; compare against FreeBSD advisory commits"
    ;;
esac

if [ "$is_vuln_version" = "no" ]; then
  echo "PATCHED: $rv ($reason); kgssapi_loaded=$kgss_loaded nfsd_running=$nfs_running nfs_listening_2049=$nfs_listening"
  exit 0
fi

if [ "$is_vuln_version" = "yes" ]; then
  if [ "$kgss_loaded" = "yes" ] || [ "$nfs_running" = "yes" ] || [ "$nfs_listening" = "yes" ]; then
    echo "VULNERABLE: $rv ($reason); kernel/NFS exposure indicators present: kgssapi_loaded=$kgss_loaded nfsd_running=$nfs_running nfs_listening_2049=$nfs_listening"
    exit 1
  else
    echo "UNKNOWN: $rv ($reason); version is vulnerable but obvious kernel/NFS exposure indicators were not found. Advisory notes kernels without kgssapi.ko loaded are not vulnerable on the kernel path; third-party userland RPCSEC_GSS servers may still apply."
    exit 2
  fi
fi

echo "UNKNOWN: $rv ($reason); kgssapi_loaded=$kgss_loaded nfsd_running=$nfs_running nfs_listening_2049=$nfs_listening"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, pull an inventory of all FreeBSD NFS servers and separate them from generic FreeBSD hosts; this CVE is about the reachable RPCSEC_GSS path, not every box with a FreeBSD kernel. For a HIGH verdict, use the noisgate mitigation SLA to lock down exposure — restrict 2049/tcp, disable unused NFS, and remove unnecessary kgssapi.ko usage within 30 days — then meet the noisgate remediation SLA by rolling the vendor-fixed builds (13.5-p11, 14.3-p10, 14.4-p1, 15.0-p5 or later) across affected systems within 180 days.

Sources

  1. NVD CVE record
  2. FreeBSD advisory
  3. FreeBSD fix review / commit summary
  4. FreeBSD 14.4 errata and advisory index
  5. GitHub PoC directory
  6. GitHub PoC exploit.py
  7. FreeBSD handbook: network servers / NFS
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.