FKIE_CVE-2026-4247

Vulnerability from fkie_nvd - Published: 2026-03-26 07:16 - Updated: 2026-03-26 15:16
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf. If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf. Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.
References
secteam@freebsd.orghttps://security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in.  When no challenge ACK should be sent the function returns and leaks the mbuf.\n\nIf an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.\n\nTechnically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively."
    },
    {
      "lang": "es",
      "value": "Cuando se debe enviar un ACK de desaf\u00edo, tcp_respond() construye y env\u00eda el ACK de desaf\u00edo y consume el mbuf que se le pasa. Cuando no se debe enviar ning\u00fan ACK de desaf\u00edo, la funci\u00f3n retorna y fuga el mbuf.\n\nSi un atacante est\u00e1 en la ruta de una conexi\u00f3n TCP establecida, o puede establecer una conexi\u00f3n TCP por s\u00ed mismo, a una m\u00e1quina FreeBSD afectada, puede f\u00e1cilmente crear y enviar paquetes que cumplen los criterios del ACK de desaf\u00edo y hacer que el host FreeBSD fugue un mbuf por cada paquete creado en exceso de la configuraci\u00f3n del l\u00edmite de velocidad configurado, es decir, con la configuraci\u00f3n predeterminada, los paquetes creados en exceso de los primeros 5 enviados dentro de un per\u00edodo de 1s fugar\u00e1n un mbuf.\n\nT\u00e9cnicamente, los atacantes fuera de ruta tambi\u00e9n pueden explotar este problema adivinando las direcciones IP, los n\u00fameros de puerto TCP y en algunos casos los n\u00fameros de secuencia de las conexiones establecidas y suplantando paquetes hacia una m\u00e1quina FreeBSD, pero esto es m\u00e1s dif\u00edcil de hacer de manera efectiva."
    }
  ],
  "id": "CVE-2026-4247",
  "lastModified": "2026-03-26T15:16:41.263",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-26T07:16:20.387",
  "references": [
    {
      "source": "secteam@freebsd.org",
      "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc"
    }
  ],
  "sourceIdentifier": "secteam@freebsd.org",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-401"
        }
      ],
      "source": "secteam@freebsd.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.