CVE-2026-4747

HIGH

Remote code execution via RPCSEC_GSS packet validation

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-4747. PoCs published by kaleth4.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-4747, a stack buffer overflow in FreeBSD's kgssapi.ko (RPCSEC_GSS) leading to remote kernel code execution. The exploit uses a multi-packet delivery mechanism with ROP and shellcode to achieve a uid 0 reverse shell.

Description

Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.

Exploits (2)

nomisec WORKING POC
by kaleth4 · poc
https://github.com/kaleth4/CVE-2026-4747-

This repository contains a functional exploit for CVE-2026-4747, a stack buffer overflow in FreeBSD's kgssapi.ko (RPCSEC_GSS) leading to remote kernel code execution. The exploit uses a multi-packet delivery mechanism with ROP and shellcode to achieve a uid 0 reverse shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: FreeBSD 13.5, 14.3, 14.4, 15.0 (unpatched versions)
Auth required
Prerequisites: FreeBSD target with NFS and Kerberos configured · Network access to target's NFS service (port 2049) · Kerberos principal credentials for authentication
devstral-2 · analyzed Apr 10, 2026 Full analysis →
nomisec WORKING POC
by kaleth4 · poc
https://github.com/kaleth4/CVE-2026-4747

This repository contains a functional exploit for CVE-2026-4747, a stack buffer overflow in FreeBSD's kgssapi.ko module, leading to remote kernel RCE via crafted RPCSEC_GSS requests. The exploit includes detailed technical analysis, a staged ROP chain, and shellcode execution.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Complex
Reliability
Reliable
Target: FreeBSD 14.x with kgssapi.ko and NFS enabled
Auth required
Prerequisites: Valid Kerberos ticket for the target NFS service · Network access to port 2049/TCP · FreeBSD 14.x with kgssapi.ko loaded
devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 8.8
EPSS 0.0144
EPSS Percentile 69.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-121
Status published
Products (8)
freebsd/freebsd 13.5 (12 CPE variants)
freebsd/freebsd 14.3 (10 CPE variants)
freebsd/freebsd 14.4 (2 CPE variants)
freebsd/freebsd 15.0 (5 CPE variants)
FreeBSD/FreeBSD 13.5-RELEASE - p11
FreeBSD/FreeBSD 14.3-RELEASE - p10
FreeBSD/FreeBSD 14.4-RELEASE - p1
FreeBSD/FreeBSD 15.0-RELEASE - p5
Published Mar 26, 2026
Tracked Since Mar 26, 2026