FreeBSD Kernel RCE via kgssapi.ko Stack Buffer Overflow (CVE-2026-4747)

Vulnerability Details
The vulnerability exists in sys/rpc/rpcsec_gss/svc_rpcsec_gss.c within the svc_rpc_gss_validate() function. A 128-byte stack buffer (rpchdr[]) is used to reconstruct RPC headers for GSS-API signature verification. After writing 32 bytes of fixed RPC header fields, the function copies the entire RPCSEC_GSS credential body (oa_length bytes) into the remaining space without bounds checking.
static bool_t svc_rpc_gss_validate(...) {
    int32_t rpchdr[128 / sizeof(int32_t)]; // 128 bytes on stack
    // ...
    if (oa->oa_length) {
        // BUG: No bounds check on oa_length!
        // After 32 bytes of header, only 96 bytes remain in rpchdr.
        // If oa_length > 96, this overflows past rpchdr
        memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
    }
}
Attack Surface and Impact
The vulnerable module kgssapi.ko implements RPCSEC_GSS authentication for FreeBSD's kernel RPC subsystem. The NFS server daemon (nfsd) listening on port 2049/TCP processes RPC packets in kernel context and uses this module when RPCSEC_GSS authentication is enabled. Successful exploitation results in remote kernel RCE with root privileges (uid 0 reverse shell).
Affected Versions
- FreeBSD 13.5 (<p11)
- FreeBSD 14.3 (<p10)
- FreeBSD 14.4 (<p1)
- FreeBSD 15.0 (<p5)
The Fix
The patch for FreeBSD 14.4-RELEASE-p1 adds a bounds check before the copy:
    if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
        rpc_gss_log_debug("auth length %d exceeds maximum", oa->oa_length);
        client->cl_state = CLIENT_STALE;
        return (FALSE);
    }
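A defender-side check built on the same 96-byte limit, as an added example (not FreeBSD code and not from the original write-up): it parses the fixed 32-byte ONC RPC call header and flags RPCSEC_GSS credentials whose declared length would not fit in rpchdr[]. It assumes one complete RPC message with the TCP record mark already stripped; check_rpc_call, build_sample and the verdict names are hypothetical, and the sample headers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RPCHDR_SIZE  128u  /* size of rpchdr[] per the write-up */
#define FIXED_HDR     32u  /* 8 XDR units written before the credential body */
#define MAX_GSS_CRED (RPCHDR_SIZE - FIXED_HDR)  /* 96, same limit as the patch */
#define RPC_CALL       0u  /* msg_type CALL (RFC 5531) */
#define RPCSEC_GSS     6u  /* auth flavor (RFC 2203) */

enum verdict { V_IGNORE, V_OK, V_OVERSIZED, V_TRUNCATED };

/* Read one big-endian XDR word. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify one RPC message. Word offsets: xid 0, msg_type 4, rpcvers 8,
 * prog 12, vers 16, proc 20, cred flavor 24, cred length 28. */
enum verdict check_rpc_call(const uint8_t *msg, size_t len)
{
    if (len < FIXED_HDR)
        return V_TRUNCATED;
    if (xdr_u32(msg + 4) != RPC_CALL || xdr_u32(msg + 24) != RPCSEC_GSS)
        return V_IGNORE;        /* a reply, or a non-GSS credential */
    uint32_t oa_length = xdr_u32(msg + 28);
    if (oa_length > MAX_GSS_CRED)
        return V_OVERSIZED;     /* would not fit in rpchdr[] after the header */
    if (oa_length > len - FIXED_HDR)
        return V_TRUNCATED;     /* declared body runs past the captured data */
    return V_OK;
}

/* Constructed sample: the 8 header words of an NFSv3 CALL (body left zeroed). */
static void build_sample(uint8_t *out, uint32_t flavor, uint32_t oa_length)
{
    const uint32_t w[8] = { 0x1234, RPC_CALL, 2, 100003, 3, 0, flavor, oa_length };
    for (int i = 0; i < 8; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (uint8_t)(w[i] >> (24 - 8 * b));
}

int main(void)
{
    uint8_t m[FIXED_HDR + 128] = {0};
    for (uint32_t n = 95; n <= 97; n++) {
        build_sample(m, RPCSEC_GSS, n);
        printf("oa_length=%u verdict=%d\n", (unsigned)n, check_rpc_call(m, sizeof m));
    }
    return 0;
}
```
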
Stack Layout Analysis
From the function's disassembly, the rpchdr array is at [rbp-0xc0]. The memcpy writes to rpchdr + 32 = [rbp-0xa0]. With a 16-byte context handle in the credential body, the return address lands at credential body byte 200, allowing control of execution flow.