CVE-2026-4747
Remote code execution via RPCSEC_GSS packet validation
Description
Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system.
INFO
Published Date :
March 26, 2026, 7:16 a.m.
Last Modified :
April 1, 2026, 3:23 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update the RPCSEC_GSS implementation to validate buffer sizes.
- Ensure stack buffers are sufficiently large for copied data.
- Apply vendor patches for kgssapi.ko and librpcgss_sec.
- Remove or secure vulnerable RPC server applications.
Public PoC/Exploit Available at Github
CVE-2026-4747 has a 12 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-4747.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-4747 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-4747
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Open-source cybersecurity AI — trained to think like a defender
Python JavaScript
Multi-agent Claude-based end-to-end vulnerability discovery and exploit development. Orchestration for recon, parallelized analysis, adversarial verification, and exploit chain construction.
Shell
Community defense plan for the post-Mythos cybersecurity landscape. 49 files, 8000+ lines. 13 stack guides, 19 scanning prompts, 5 audit scripts, Docker scanner. Free. Open. CC BY 4.0.
Dockerfile Shell PowerShell
None
Python
None
Python
None
Interactive infographic exploring Claude Mythos Preview — Anthropic's most capable frontier model, withheld from public release due to autonomous cybersecurity capabilities
JavaScript HTML CSS TypeScript
Security audit engine that learns from your feedback. Bayesian calibration turns 6,000 noisy findings into 135 real issues. Model-agnostic, zero-config. Born from 93 real-world vulnerabilities.
adaptive-learning bayesian cli-tool defense-in-depth freebsd go knowledge-base llm owasp sast security security-audit vulnerability-scanner
Go Shell
可复现的AI Agent定制方案:有记忆、能进化、全自动内容生产
ai-agent automation llm memory obsidian openclaw rag self-evolving spring-ai wechat
Python Shell Mermaid
Real-time tool call visualization + undercover mode detector for Claude Code
JavaScript
Cathedral-Grade Security for AI Agents. 23/23 attack vectors caught. Local-first, zero API cost. MIT licensed.
Python
Daily news reports
Shell
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-4747 vulnerability anywhere in the article.
-
Help Net Security
Anthropic’s new AI model finds and exploits zero-days across every major OS and browser
Automated vulnerability discovery tools have existed for decades, and the gap between finding a bug and building a working exploit has always slowed attackers. That gap is now substantially narrower. ... Read more
The following table lists the changes that have been made to the
CVE-2026-4747 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Apr. 01, 2026
Action Type Old Value New Value Added Reference https://github.com/califio/publications/blob/main/MADBugs/CVE-2026-4747/exploit.py -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Apr. 01, 2026
Action Type Old Value New Value Added Reference https://github.com/califio/publications/tree/main/MADBugs/CVE-2026-4747 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Mar. 26, 2026
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H -
New CVE Received by [email protected]
Mar. 26, 2026
Action Type Old Value New Value Added Description Each RPCSEC_GSS data packet is validated by a routine which checks a signature in the packet. This routine copies a portion of the packet into a stack buffer, but fails to ensure that the buffer is sufficiently large, and a malicious client can trigger a stack overflow. Notably, this does not require the client to authenticate itself first. As kgssapi.ko's RPCSEC_GSS implementation is vulnerable, remote code execution in the kernel is possible by an authenticated user that is able to send packets to the kernel's NFS server while kgssapi.ko is loaded into the kernel. In userspace, applications which have librpcgss_sec loaded and run an RPC server are vulnerable to remote code execution from any client able to send it packets. We are not aware of any such applications in the FreeBSD base system. Added CWE CWE-121 Added Reference https://security.freebsd.org/advisories/FreeBSD-SA-26:08.rpcsec_gss.asc