SB2026033033 - Multiple vulnerabilities in FreeBSD

Description

This security bulletin contains information about 4 vulnerabilities.

1) Improper resource shutdown or release (CVE-ID: CVE-2026-4247)

CWE-ID: CWE-404 - Improper Resource Shutdown or Release

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper memory management in the TCP stack when handling unexpected TCP segments that meet challenge ACK criteria. A remote attacker can send a specially crafted sequence of TCP packets to exceed the rate limit for challenge ACKs and trigger an mbuf leak, leading to resource exhaustion.

Off-path attackers may also exploit this issue by spoofing packets with guessed connection parameters, though this is more difficult.

2) NULL pointer dereference (CVE-ID: CVE-2026-4652)

CWE-ID: CWE-476 - NULL Pointer Dereference

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to a null pointer dereference in the nvmf driver when handling CONNECT commands for I/O queues with a bogus or stale CNTLID. A remote attacker can send a specially crafted CONNECT command to cause a kernel panic.

3) Stack-based buffer overflow (CVE-ID: CVE-2026-4747)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to execute arbitrary code in the kernel or in userspace RPC servers.

The vulnerability exists due to improper input validation in the RPCSEC_GSS packet validation routine when handling RPC packets. A remote attacker can send a specially crafted RPC packet to trigger a stack overflow, leading to arbitrary code execution.

The kernel component kgssapi.ko is vulnerable when loaded, and userspace applications linked with librpcsec_gss that run an RPC server are also vulnerable. 

4) Input validation error (CVE-ID: CVE-2026-4748)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in pf packet filter implementation when handling rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address ranges. A remote attacker can bypass previously configured rules and gain unauthorized access to the system bypassing packet filtering. 

Remediation

Install update from vendor's website.

References

• https://www.freebsd.org/security/advisories/FreeBSD-SA-26:06.tcp.asc
• https://www.freebsd.org/security/advisories/FreeBSD-SA-26:07.nvmf.asc
• https://security.FreeBSD.org/patches/SA-26:08/rpcsec_gss.patch
• https://www.freebsd.org/security/advisories/FreeBSD-SA-26:09.pf.asc