FreeBSD Kernel RCE via kgssapi.ko Stack Buffer Overflow (CVE-2026-4747)

By OpenClawRadar. Published: April 2, 2026.

Vulnerability Details

The vulnerability exists in sys/rpc/rpcsec_gss/svc_rpcsec_gss.c within the svc_rpc_gss_validate() function. A 128-byte stack buffer (rpchdr[]) is used to reconstruct RPC headers for GSS-API signature verification. After writing 32 bytes of fixed RPC header fields, the function copies the entire RPCSEC_GSS credential body (oa_length bytes) into the remaining space without bounds checking.

static bool_t svc_rpc_gss_validate(...) {
    int32_t rpchdr[128 / sizeof(int32_t)]; // 128 bytes on stack
    // ... (fixed RPC header fields are written here; buf ends up
    //      pointing 32 bytes into rpchdr, after those 8 XDR units)
    if (oa->oa_length) {
        // BUG: No bounds check on oa_length!
        // After 32 bytes of header, only 96 bytes remain in rpchdr.
        // If oa_length > 96, this overflows past rpchdr.
        memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
    }
}

Attack Surface and Impact

The vulnerable module kgssapi.ko implements RPCSEC_GSS authentication for FreeBSD's kernel RPC subsystem. The NFS server daemon (nfsd) listening on port 2049/TCP processes RPC packets in kernel context and uses this module when RPCSEC_GSS authentication is enabled. Successful exploitation results in remote kernel RCE with root privileges (uid 0 reverse shell).


Affected Versions

  • FreeBSD 13.5 (<p11)
  • FreeBSD 14.3 (<p10)
  • FreeBSD 14.4 (<p1)
  • FreeBSD 15.0 (<p5)

The Fix

The patch for FreeBSD 14.4-RELEASE-p1 adds a bounds check before the copy:

if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
    rpc_gss_log_debug("auth length %d exceeds maximum", oa->oa_length);
    client->cl_state = CLIENT_STALE;
    return (FALSE);
}
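To see the fix's arithmetic in working code, here is an added example (not FreeBSD's code) that models the header rebuild with the patched check placed in front of the memcpy. The names struct cred_body, rebuild_rpchdr_checked, max_cred_body_len and cred_fits are constructed for this example, and the 32 header bytes are zeros rather than real request fields.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BYTES_PER_XDR_UNIT 4
#define RPCHDR_BYTES       128                       /* sizeof(rpchdr) */
#define RPC_FIXED_HDR      (8 * BYTES_PER_XDR_UNIT)  /* 32 bytes of fixed fields */

/* Constructed stand-in for the RPCSEC_GSS credential (opaque_auth). */
struct cred_body {
    const uint8_t *oa_base;
    uint32_t       oa_length;
};

/* Rebuild the signed RPC header the way svc_rpc_gss_validate() does, with the
 * patch's bounds check ahead of the memcpy. Returns false where the patched
 * kernel rejects the credential; the unpatched copy would run past rpchdr. */
bool rebuild_rpchdr_checked(const struct cred_body *oa, size_t *out_len)
{
    int32_t rpchdr[RPCHDR_BYTES / sizeof(int32_t)];
    char *buf = (char *)rpchdr;

    /* Eight fixed XDR units (xid, direction, versions, program, proc ...);
     * zeros here, the real values come from the request being verified. */
    memset(buf, 0, RPC_FIXED_HDR);
    buf += RPC_FIXED_HDR;

    /* The check added by the fix: only 96 bytes remain after the header. */
    if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT)
        return false;                 /* the kernel also sets CLIENT_STALE */

    if (oa->oa_length)
        memcpy(buf, oa->oa_base, oa->oa_length);
    if (out_len)
        *out_len = RPC_FIXED_HDR + oa->oa_length;
    return true;
}

/* Largest credential body the 128-byte buffer can hold after the header: 96. */
size_t max_cred_body_len(void) { return RPCHDR_BYTES - RPC_FIXED_HDR; }

/* Run the check against a constructed credential body of the given length. */
bool cred_fits(uint32_t len)
{
    uint8_t body[256];
    memset(body, 'A', sizeof(body));  /* constructed filler bytes */
    struct cred_body oa = { body, len };
    return rebuild_rpchdr_checked(&oa, NULL);
}
```

A 16-byte context handle is accepted, 96 bytes exactly fills the buffer, and anything longer is refused before the copy.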

Stack Layout Analysis

From the function's disassembly, the rpchdr array is at [rbp-0xc0]. The memcpy writes to rpchdr + 32 = [rbp-0xa0]. With a 16-byte context handle in the credential body, the return address lands at credential body byte 200, allowing control of execution flow.

Source: HN AI Agents
