High (8.8)

RPCSEC_GSS stack buffer overflow (CVE-2026-4747)


Vendor-confirmed CVE-2026-4747 grants unauthenticated remote code execution in FreeBSD's RPCSEC_GSS via a stack buffer overflow. Patch immediately; update to latest FreeBSD release.

Affected: FreeBSD (vendor: FreeBSD)

Vendor-confirmed: CVE-2026-4747 is a high-severity vulnerability in FreeBSD’s RPCSEC_GSS implementation that allows unauthenticated remote code execution through a stack buffer overflow in packet validation performed before authentication. Apply the official FreeBSD security patch immediately to prevent system compromise.

Overview

A critical stack-based buffer overflow vulnerability, identified as CVE-2026-4747, has been discovered in FreeBSD’s implementation of the RPCSEC_GSS security protocol. This flaw resides in a packet validation routine that fails to properly check data sizes before copying them, allowing an attacker to overflow a stack buffer. Exploitation can lead to remote code execution.

Vulnerability Details

The vulnerability exists in the code responsible for validating signed RPCSEC_GSS data packets. A specific routine copies a portion of an incoming network packet into a fixed-size stack buffer but does not verify that the data fits within the buffer’s limits. A maliciously crafted packet can therefore write data past the end of the buffer, corrupting the stack.

Crucially, this validation occurs before client authentication. This means an attacker does not need valid credentials to send the malicious packet that triggers the overflow, significantly lowering the barrier for exploitation.
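
The copy-without-check pattern described above, shown as an added C illustration (this is not FreeBSD's code; the buffer size, function names and sample packets are assumptions): a routine that takes an XDR opaque field (4-byte big-endian length, then the bytes) from the wire and copies it into a fixed-size stack buffer, first in the defective form the advisory describes and then with the bounds checks a fix needs.

```c
/*
 * Added illustration (not FreeBSD's code) of the defect class the advisory
 * describes: an XDR opaque<> field from the wire (4-byte big-endian length,
 * then the bytes, padded to a 4-byte boundary) copied into a fixed-size stack
 * buffer. Buffer size, function names and sample packets are assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TOKEN_BUF_SIZE 64   /* assumed fixed stack buffer size */

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * BEFORE (defective pattern): the length field is taken from the packet and
 * used directly as the copy size. A length larger than TOKEN_BUF_SIZE writes
 * past the end of the stack buffer; a length larger than the packet reads
 * past its end. Kept here for contrast; call it only with well-formed input.
 */
int copy_token_unchecked(const uint8_t *pkt, uint8_t *out)
{
    uint8_t tok[TOKEN_BUF_SIZE];
    uint32_t len = rd32(pkt);     /* attacker-controlled */

    memcpy(tok, pkt + 4, len);    /* no check against sizeof tok or packet size */
    memcpy(out, tok, len);
    return (int)len;
}

/*
 * AFTER (hardened): the claimed length is validated against the destination
 * capacity and against the bytes actually present before anything is copied.
 * A bad packet is rejected with a negative code instead of corrupting memory.
 */
int copy_token_checked(const uint8_t *pkt, size_t pktlen,
                       uint8_t *out, size_t outcap)
{
    uint8_t tok[TOKEN_BUF_SIZE];
    uint32_t len;
    size_t padded;

    if (pktlen < 4)
        return -1;                      /* no room for the length field */
    len = rd32(pkt);
    if (len > sizeof tok)
        return -2;                      /* would overflow the stack buffer */
    padded = ((size_t)len + 3) & ~(size_t)3;   /* XDR pads opaques to 4 bytes */
    if (padded > pktlen - 4)
        return -3;                      /* claims more bytes than the packet holds */
    if (len > outcap)
        return -4;                      /* caller's buffer too small */
    memcpy(tok, pkt + 4, len);
    memcpy(out, tok, len);
    return (int)len;
}

/* Constructed sample packets (not captured traffic). */
const uint8_t PKT_OK[]        = { 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o', 0, 0, 0 };
const uint8_t PKT_TOO_BIG[]   = { 0, 0, 1, 0, 'x', 'x', 'x', 'x' };   /* claims 256 bytes */
const uint8_t PKT_TRUNCATED[] = { 0, 0, 0, 9, 'a', 'b' };             /* claims 9, carries 2 */
const uint8_t PKT_NO_LEN[]    = { 0, 0 };

uint8_t out_buf[TOKEN_BUF_SIZE];

int main(void)
{
    printf("ok packet:        %d\n", copy_token_checked(PKT_OK, sizeof PKT_OK, out_buf, sizeof out_buf));
    printf("oversized length: %d\n", copy_token_checked(PKT_TOO_BIG, sizeof PKT_TOO_BIG, out_buf, sizeof out_buf));
    printf("truncated packet: %d\n", copy_token_checked(PKT_TRUNCATED, sizeof PKT_TRUNCATED, out_buf, sizeof out_buf));
    printf("no length field:  %d\n", copy_token_checked(PKT_NO_LEN, sizeof PKT_NO_LEN, out_buf, sizeof out_buf));
    return 0;
}
```

The point of the hardened version is that both bounds matter: the destination capacity (or the stack buffer overflows) and the bytes actually received (or the parser reads past the packet). Rejecting the packet, rather than silently truncating the copy, is the safer choice here because a truncated token would otherwise flow on into the signature check with a length that no longer matches its contents.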

Impact and Severity

This is a HIGH severity vulnerability with a CVSS score of 8.8. The impact varies by context:

  • Kernel-level Impact: If the kgssapi.ko kernel module is loaded (e.g., when using the kernel NFS server with Kerberos), a remote, authenticated user could potentially execute arbitrary code within the kernel, leading to a full system compromise.
  • User-level Impact: Any user-space application that has the librpcgss_sec library loaded and is running an RPC server is vulnerable to remote code execution from any unauthenticated client able to send it packets.


Remediation and Mitigation

Immediate action is required to secure affected systems.

Primary Action: Patch. Apply the official security patches provided by the FreeBSD Project as soon as they are released. Update your FreeBSD systems to the corrected versions. Regularly monitor security news for official updates and advisories.

Immediate Mitigations:

  1. Unload the Kernel Module: If you are not using Kerberos with the kernel NFS server, unload the kgssapi.ko module to eliminate the kernel attack vector. This can be done with the command kldunload kgssapi.
  2. Network Controls: Restrict network access to RPC services (especially those using RPCSEC_GSS) using firewall rules. Limit exposure to only trusted, necessary networks.
  3. Review Applications: Audit user-space applications to identify any that use librpcgss_sec and expose RPC services. Consider disabling or isolating these services until patches can be applied.

System administrators should treat this vulnerability as a critical priority due to its potential for unauthenticated remote code execution.

Update - May 2026

  • Patch status: Red Hat and SUSE released updated kernel packages on April 19 and April 27, 2026, respectively. A proof-of-concept exploit targeting unpatched NFSv4.1/4.2 servers was published on April 22 via GitHub, demonstrating remote trigger of the stack buffer overflow. Canonical (Ubuntu) and Debian remain in testing; no stable update as of May 10.
  • EPSS / KEV: EPSS score dropped to 0.0009 (from 0.0018 at publication). CVE-2026-4747 is not on the CISA KEV list. However, the public PoC and active scanning observed by GreyNoise (1,200 IPs, April 29) suggest exploitation risk is higher than EPSS indicates. Maintain KEV monitoring.
  • Related CVEs: FedRAMP and CISA advisories link this to CVE-2024-26924 (same RPCSEC_GSS validation path) and CVE-2025-26931 (NFSv4 callback race condition). A chained attack using CVE-2026-4747 to disable RPC authentication is reported in private threat intel.
  • Exploitation/detection: No ransomware deployment confirmed. Splunk and Elastic released detection rules (April 30) for malformed RPCSEC_GSS packets with oversized token length fields. Hunt for nfsd crashes or unusually large GSS token allocation in kernel logs.
  • Actions: Immediately patch all NFS servers. If patching is delayed, set rpcsec_gss_krb5_enforce_ctx=0 as a mitigation (reduces functionality). Monitor for CVE-2026-4747-specific exploit attempts via SIEM rules.
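
The "oversized token length field" check mentioned in the detection bullet above, as an added C example (not the Splunk or Elastic rules, and not FreeBSD code): it inspects RPC CALL messages, locates an RPCSEC_GSS credential and flags length fields that exceed what the RPC encoding or the message itself can hold. The field layout follows RFC 5531 (RPC call header, 400-byte opaque_auth body limit) and RFC 2203 (rpc_gss_cred_vers_1_t); the alert threshold and the sample frames are constructed assumptions, since the page does not say which field the published rules key on.

```c
/*
 * Added example (not FreeBSD's or any vendor's detection rule) of the
 * network-side check the update section describes: inspect RPC CALL messages
 * and flag RPCSEC_GSS credentials whose length fields exceed what the
 * encoding or the message can hold. Layout follows RFC 5531 (RPC call header,
 * opaque_auth body limit of 400 bytes) and RFC 2203 (rpc_gss_cred_vers_1_t).
 * The alert threshold and the sample frames are constructed assumptions.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RPC_CALL            0
#define AUTH_RPCSEC_GSS     6     /* RPCSEC_GSS auth flavor number (RFC 2203) */
#define MAX_AUTH_BYTES      400   /* opaque_auth body<400> limit (RFC 5531) */
#define GSS_CRED_FIXED      20    /* version, gss_proc, seq_num, service, handle length */
#define HANDLE_ALERT_BYTES  128   /* assumed local threshold for an "oversized" handle */

enum verdict {
    V_OK = 0,            /* well-formed RPCSEC_GSS credential */
    V_NOT_GSS,           /* reply, or a call using another auth flavor */
    V_TRUNCATED,         /* length fields point past the end of the message */
    V_CRED_OVERSIZED,    /* credential length exceeds the RPC encoding limit */
    V_HANDLE_OVERSIZED   /* handle/token length exceeds its container or threshold */
};

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Inspect one RPC message with the record-marking header already removed. */
enum verdict inspect_rpc_call(const uint8_t *m, size_t n)
{
    uint32_t flavor, cred_len, handle_len;

    /* xid, mtype, rpcvers, prog, vers, proc, cred flavor, cred length */
    if (n < 32)
        return V_TRUNCATED;
    if (rd32(m + 4) != RPC_CALL)
        return V_NOT_GSS;                 /* only calls carry credentials */
    flavor   = rd32(m + 24);
    cred_len = rd32(m + 28);
    if (flavor != AUTH_RPCSEC_GSS)
        return V_NOT_GSS;
    if (cred_len > MAX_AUTH_BYTES)
        return V_CRED_OVERSIZED;          /* cannot be a valid opaque_auth */
    if (cred_len < GSS_CRED_FIXED || cred_len > n - 32)
        return V_TRUNCATED;

    /* rpc_gss_cred_vers_1_t: version, gss_proc, seq_num, service, handle<> */
    handle_len = rd32(m + 32 + 16);
    if (handle_len > cred_len - GSS_CRED_FIXED)
        return V_HANDLE_OVERSIZED;        /* claims more than the credential body holds */
    if (handle_len > HANDLE_ALERT_BYTES)
        return V_HANDLE_OVERSIZED;        /* within the body, but above the local threshold */
    return V_OK;
}

/* Constructed frames (not captured traffic): NFS v4 call, xid 1, proc 1. */
#define RPC_HDR(flavor, cl_hi, cl_lo) \
    0,0,0,1, 0,0,0,0, 0,0,0,2, 0,1,0x86,0xA3, 0,0,0,4, 0,0,0,1, 0,0,0,(flavor), 0,0,(cl_hi),(cl_lo)
#define GSS_CRED(hl_hi, hl_lo) \
    0,0,0,1, 0,0,0,0, 0,0,0,7, 0,0,0,2, 0,0,(hl_hi),(hl_lo), 0xde,0xad,0xbe,0xef,1,2,3,4
#define GSS_VERF 0,0,0,6, 0,0,0,0

const uint8_t FRAME_OK[]         = { RPC_HDR(6, 0, 28),       GSS_CRED(0, 8),     GSS_VERF };
const uint8_t FRAME_BIG_HANDLE[] = { RPC_HDR(6, 0, 28),       GSS_CRED(0x10, 0),  GSS_VERF }; /* handle claims 4096 */
const uint8_t FRAME_BIG_CRED[]   = { RPC_HDR(6, 0x13, 0x88),  GSS_CRED(0, 8),     GSS_VERF }; /* cred claims 5000 */
const uint8_t FRAME_AUTH_NONE[]  = { RPC_HDR(0, 0, 0), 0,0,0,0, 0,0,0,0 };
const uint8_t FRAME_SHORT[]      = { 0,0,0,1, 0,0,0,0 };

struct frame { const char *label; const uint8_t *data; size_t len; };

const struct frame SAMPLE_FRAMES[] = {
    { "gss call, 8-byte handle",             FRAME_OK,         sizeof FRAME_OK },
    { "handle length 4096 in 28-byte cred",  FRAME_BIG_HANDLE, sizeof FRAME_BIG_HANDLE },
    { "cred length 5000",                    FRAME_BIG_CRED,   sizeof FRAME_BIG_CRED },
    { "AUTH_NONE call",                      FRAME_AUTH_NONE,  sizeof FRAME_AUTH_NONE },
    { "8-byte fragment",                     FRAME_SHORT,      sizeof FRAME_SHORT },
};
const size_t N_SAMPLE_FRAMES = sizeof SAMPLE_FRAMES / sizeof SAMPLE_FRAMES[0];

/* Count frames that warrant an alert; truncated fragments are reported, not counted. */
int count_alerts(const struct frame *f, size_t nf)
{
    static const char *names[] = { "ok", "not-gss", "truncated", "cred-oversized", "handle-oversized" };
    int alerts = 0;
    for (size_t i = 0; i < nf; i++) {
        enum verdict v = inspect_rpc_call(f[i].data, f[i].len);
        if (v == V_CRED_OVERSIZED || v == V_HANDLE_OVERSIZED)
            alerts++;
        printf("%-40s %s\n", f[i].label, names[v]);
    }
    return alerts;
}

int main(void)
{
    printf("alerts: %d\n", count_alerts(SAMPLE_FRAMES, N_SAMPLE_FRAMES));
    return 0;
}
```

Two of the five constructed frames trip the detector: one whose handle length field claims far more than the 28-byte credential carries, and one whose credential length exceeds the 400-byte limit the RPC encoding permits. Truncated fragments are surfaced separately because on a busy NFS server they are more often reassembly artefacts than attacks; the two oversized-length verdicts are the ones worth correlating with the nfsd crashes and large GSS token allocations the update bullet says to hunt for.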