Skip to main content

Freebsd CVE-2026-4247

| EUVDEUVD-2026-16128 HIGH
Memory Leak (CWE-401)
2026-03-26 freebsd
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 06:30 euvd
EUVD-2026-16128
Analysis Generated
Mar 26, 2026 - 06:30 vuln.today
CVE Published
Mar 26, 2026 - 06:09 nvd
HIGH 7.5

DescriptionCVE.org

When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf.

If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.

Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.

AnalysisAI

This vulnerability is a memory leak in FreeBSD's TCP stack where the tcp_respond() function fails to properly free allocated memory buffers (mbufs) when challenge ACKs are not sent in response to crafted packets. FreeBSD systems of all versions are affected. An attacker with network access (either on-path with an established connection or able to establish one, or via spoofed packets) can trigger this leak repeatedly by sending specially crafted packets that exceed rate limits, causing heap exhaustion and potential denial of service through resource depletion.

Technical ContextAI

This vulnerability exists in the FreeBSD kernel's TCP/IP network stack, specifically in the tcp_respond() function which handles challenge ACK generation. Challenge ACKs are legitimate TCP responses used to verify connection state in edge cases. The root cause is classified under CWE-401 (Missing Release of Memory after Effective Lifetime), a classic resource management flaw. When the function constructs a challenge ACK, it properly consumes the input mbuf (kernel memory buffer). However, when the function determines that no challenge ACK should be sent (due to rate limiting or other conditions), it returns without deallocating the mbuf, causing a memory leak. Each leak is small, but repeated exploitation exhausts kernel memory resources. The affected product is FreeBSD across all versions (cpe:2.3:a:freebsd:freebsd:*:*:*:*:*:*:*:*), indicating this is a long-standing issue in the core TCP implementation.

RemediationAI

Apply the security patch provided by FreeBSD in advisory FreeBSD-SA-26:06.tcp.asc immediately (https://security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc). The patch corrects the tcp_respond() function to properly deallocate mbufs in all code paths. For systems unable to patch immediately, network-level mitigation can be implemented by restricting TCP traffic from untrusted sources using firewalls or access control lists, though this does not eliminate the vulnerability for on-path or spoofed traffic scenarios. Additionally, increasing kernel memory buffers and monitoring for signs of memory exhaustion (e.g., mbuf pool depletion warnings in system logs) can provide temporary resilience but should not be relied upon as a permanent workaround. Prioritize patching over compensating controls.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

CVE-2026-4247 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy