
CVE-2026-4747: FreeBSD RPCSEC_GSS RCE Vulnerability

CVE-2026-4747 is a remote code execution vulnerability in FreeBSD's RPCSEC_GSS implementation caused by a stack overflow. Attackers can exploit this without authentication to execute arbitrary code in the kernel.

Published: March 27, 2026

CVE-2026-4747 Overview

CVE-2026-4747 is a stack buffer overflow vulnerability in FreeBSD's RPCSEC_GSS implementation that can lead to remote code execution. The vulnerability exists in the routine that validates RPCSEC_GSS data packets by checking a signature in the packet. This routine copies a portion of the packet into a stack buffer without properly ensuring that the buffer is sufficiently large to accommodate the data, allowing a malicious client to trigger a stack overflow.

Critical Impact

Remote code execution is possible in the kernel when kgssapi.ko is loaded and the NFS server is accessible. Userspace applications running RPC servers with librpcgss_sec loaded are also vulnerable to remote code execution from any client able to send packets.

Affected Products

  • FreeBSD systems with kgssapi.ko kernel module loaded
  • FreeBSD systems running NFS server with RPCSEC_GSS authentication
  • Userspace applications with librpcgss_sec loaded running RPC servers

Discovery Timeline

  • 2026-03-26 - CVE-2026-4747 published to NVD
  • 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-4747

Vulnerability Analysis

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow). The flaw resides in the packet signature validation routine within FreeBSD's RPCSEC_GSS implementation. When processing incoming RPCSEC_GSS data packets, the validation routine allocates a fixed-size buffer on the stack to hold a portion of the packet data. However, the routine fails to verify that the incoming data will fit within this buffer before performing the copy operation.

The vulnerability is particularly severe because it does not require the client to authenticate itself before exploitation. An authenticated user who can send packets to the kernel's NFS server can achieve kernel-level remote code execution while kgssapi.ko is loaded. This provides attackers with the highest level of system access.

Root Cause

The root cause is improper bounds checking in the RPCSEC_GSS packet validation code. The validation routine copies packet data into a stack-allocated buffer without first comparing the size of the incoming data against the buffer's capacity. This missing size validation allows attackers to provide specially crafted packets with oversized signature data, causing the copy operation to write beyond the buffer boundary and corrupt adjacent stack memory.
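The missing check described above, shown as an added illustration beside its corrected form. This is not FreeBSD's code: the buffer size, the fixed header length, and every name here (`pkt_field`, `validate_unchecked`, `validate_checked`, `digest`) are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_BUF_LEN   128  /* assumed size of the fixed stack buffer */
#define HDR_FIXED_LEN 32   /* assumed bytes of fixed header fields */

/* Hypothetical variable-length field taken from a received packet. */
struct pkt_field {
    const uint8_t *base;   /* bytes supplied by the client */
    uint32_t len;          /* length supplied by the client */
};

/* Stand-in for the real integrity check: hashes the rebuilt header. */
static uint32_t digest(const uint8_t *p, size_t n) {
    uint32_t h = 0;
    while (n--) h = h * 31u + *p++;
    return h;
}

/* BEFORE: the copy trusts f->len, so a long field writes past hdr[]. */
int validate_unchecked(const struct pkt_field *f, uint32_t *out) {
    uint8_t hdr[HDR_BUF_LEN];
    memset(hdr, 0, HDR_FIXED_LEN);
    memcpy(hdr + HDR_FIXED_LEN, f->base, f->len);  /* no bounds check */
    *out = digest(hdr, HDR_FIXED_LEN + f->len);
    return 0;
}

/* AFTER: compare the length with the remaining space, then copy. */
int validate_checked(const struct pkt_field *f, uint32_t *out) {
    uint8_t hdr[HDR_BUF_LEN];
    if (f->base == NULL || f->len > sizeof(hdr) - HDR_FIXED_LEN)
        return -1;                                 /* reject, copy nothing */
    memset(hdr, 0, HDR_FIXED_LEN);
    memcpy(hdr + HDR_FIXED_LEN, f->base, f->len);
    *out = digest(hdr, HDR_FIXED_LEN + f->len);
    return 0;
}
```

The check subtracts the bytes already written from `sizeof(hdr)`, so it stays correct if either constant changes.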

Attack Vector

The attack is network-accessible and can be executed by authenticated users with the ability to send packets to vulnerable services. The attack does not require user interaction and exploits the following attack path:

  1. Attacker identifies a FreeBSD system running NFS with kgssapi.ko loaded or an RPC server application with librpcgss_sec
  2. Attacker crafts a malicious RPCSEC_GSS packet with an oversized signature field
  3. The packet is sent to the target service, triggering the signature validation routine
  4. The validation routine copies the malicious data into the undersized stack buffer
  5. Stack memory is corrupted, potentially allowing control of instruction pointer
  6. Attacker achieves remote code execution with kernel privileges (if targeting kgssapi.ko) or user privileges (if targeting userspace applications)

The vulnerability mechanism involves the improper handling of packet signature data in the RPCSEC_GSS validation routine. When a packet is received, the routine extracts signature data and copies it to a stack buffer for verification. The absence of proper length checks before this copy operation enables stack-based buffer overflow conditions. For detailed technical information, see the FreeBSD Security Advisory.

Detection Methods for CVE-2026-4747

Indicators of Compromise

  • Unexpected crashes or kernel panics related to kgssapi.ko or NFS services
  • Anomalous network traffic patterns targeting NFS ports (typically port 2049)
  • RPC server processes exhibiting unexpected behavior or memory corruption symptoms
  • System logs showing repeated RPCSEC_GSS authentication or validation errors

Detection Strategies

  • Monitor NFS and RPC service logs for unusual authentication patterns or malformed packet errors
  • Implement network intrusion detection rules to identify oversized or malformed RPCSEC_GSS packets
  • Deploy endpoint detection and response (EDR) solutions to detect stack overflow exploitation attempts
  • Use kernel auditing to monitor for suspicious activity involving kgssapi.ko
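One way to implement the "oversized or malformed RPCSEC_GSS packets" check, as an added example that is not SentinelOne's or FreeBSD's code. It assumes the TCP record marker has already been stripped, uses the RFC 5531 limit of 400 bytes on an opaque_auth body as the hard cap, and takes a lower `limit` as a site-tuned baseline; all function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define RPC_CALL       0u   /* msg_type CALL (RFC 5531) */
#define RPCSEC_GSS     6u   /* auth flavor number of RPCSEC_GSS */
#define MAX_AUTH_BYTES 400u /* RFC 5531 cap on an opaque_auth body */

enum verdict { V_OK, V_NOT_GSS_CALL, V_TRUNCATED, V_OVERSIZED };
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static size_t pad4(uint32_t len) { return ((size_t)len + 3u) & ~(size_t)3; }

/* Walk one opaque_auth (flavor, length, padded body) starting at *off. */
static enum verdict walk_auth(const uint8_t *m, size_t n, size_t *off, uint32_t limit) {
    if (n - *off < 8) return V_TRUNCATED;
    uint32_t len = be32(m + *off + 4);
    *off += 8;
    if (len > MAX_AUTH_BYTES || len > limit) return V_OVERSIZED;
    if (n - *off < pad4(len)) return V_TRUNCATED;  /* length runs past the data */
    *off += pad4(len);
    return V_OK;
}

/* Classify one RPC message; the TCP record marker is assumed stripped. */
enum verdict inspect_rpc_call(const uint8_t *m, size_t n, uint32_t limit) {
    size_t off = 24;  /* xid, msg_type, rpcvers, prog, vers, proc */
    if (n < off + 8) return V_TRUNCATED;
    if (be32(m + 4) != RPC_CALL || be32(m + off) != RPCSEC_GSS)
        return V_NOT_GSS_CALL;
    enum verdict v = walk_auth(m, n, &off, limit);        /* credential */
    return v != V_OK ? v : walk_auth(m, n, &off, limit);  /* verifier */
}

/* Constructed sample: zeroed CALL with RPCSEC_GSS cred/verf of given sizes. */
size_t build_sample(uint8_t *out, size_t cap, uint32_t cred_len, uint32_t verf_len) {
    size_t v_off = 32 + pad4(cred_len), n = v_off + 8 + pad4(verf_len);
    if (n > cap) return 0;
    memset(out, 0, n);
    put32(out + 8, 2);  /* rpcvers */
    put32(out + 24, RPCSEC_GSS); put32(out + 28, cred_len);
    put32(out + v_off, RPCSEC_GSS); put32(out + v_off + 4, verf_len);
    return n;
}
```

Set `limit` from the largest credential and verifier sizes seen in known-good traffic; passing `MAX_AUTH_BYTES` flags only messages that violate the protocol limit.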

Monitoring Recommendations

  • Enable verbose logging for NFS and RPC services to capture detailed packet processing information
  • Monitor system stability metrics for unexpected kernel panics or service crashes
  • Implement network traffic analysis focusing on RPC protocol anomalies
  • Configure alerts for any unauthorized code execution attempts in kernel context

How to Mitigate CVE-2026-4747

Immediate Actions Required

  • Apply the latest FreeBSD security patches addressing CVE-2026-4747 immediately
  • If patching is not immediately possible, consider temporarily disabling kgssapi.ko if RPCSEC_GSS authentication is not required
  • Restrict network access to NFS services using firewall rules to trusted clients only
  • Audit all systems for the presence of kgssapi.ko and librpcgss_sec in running environments

Patch Information

FreeBSD has released a security advisory addressing this vulnerability. Administrators should apply the patches described in the FreeBSD Security Advisory FreeBSD-SA-26:08.rpcsec_gss. Review the advisory for specific patch instructions and affected FreeBSD versions.

Workarounds

  • Unload the kgssapi.ko kernel module if RPCSEC_GSS authentication is not required for NFS operations
  • Use firewall rules to restrict access to NFS services to trusted networks and hosts only
  • Consider alternative authentication mechanisms for NFS that do not rely on RPCSEC_GSS
  • Implement network segmentation to isolate systems running NFS servers from untrusted networks
```bash
# Configuration example - unload the kgssapi.ko module if it is not required
kldunload kgssapi.ko

# Add to /boot/loader.conf to prevent automatic loading at boot
echo 'kgssapi_load="NO"' >> /boot/loader.conf

# Restrict NFS access via firewall (example using ipfw).
# ipfw acts on the first matching rule, so the allow for the trusted
# network must be added before the catch-all deny.
ipfw add allow tcp from 192.168.1.0/24 to any dst-port 2049 in
ipfw add deny tcp from any to any dst-port 2049 in
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: FreeBSD
  • Severity: HIGH
  • CVSS Score: 8.8
  • EPSS Probability: 0.05%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-121

Technical References

  • FreeBSD Security Advisory

Related CVEs

  • CVE-2022-23088: FreeBSD Wi-Fi RCE Vulnerability
  • CVE-2024-7589: FreeBSD OpenSSH RCE Vulnerability
  • CVE-2026-4748: FreeBSD Packet Filter DOS Vulnerability
  • CVE-2026-4247: FreeBSD TCP Information Disclosure Flaw