{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4247", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2026-03-16T03:51:53.368Z", "datePublished": "2026-03-26T06:09:08.446Z", "dateUpdated": "2026-03-26T14:41:24.333Z"}, "containers": {"cna": {"datePublic": "2026-03-26T05:00:00.000Z", "title": "TCP: remotely exploitable DoS vector (mbuf leak)", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["tcp"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"status": "affected", "versionType": "release", "version": "15.0-RELEASE", "lessThan": "p5"}, {"status": "affected", "versionType": "release", "version": "14.4-RELEASE", "lessThan": "p1"}, {"status": "affected", "versionType": "release", "version": "14.3-RELEASE", "lessThan": "p10"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Tuexen (Netflix)"}], "descriptions": [{"lang": "en", "value": "When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf.\n\nIf an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.\n\nTechnically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-401", "description": "CWE-401: Missing Release of Memory after Effective Lifetime", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-03-26T06:35:09.969Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:40:37.721602Z", "id": "CVE-2026-4247", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:41:24.333Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4247", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:40:37.721602Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:38:47.013Z"}}], "cna": {"title": "TCP: remotely exploitable DoS vector (mbuf leak)", "credits": [{"lang": "en", "type": "finder", "value": "Michael Tuexen (Netflix)"}], "affected": [{"vendor": "FreeBSD", "modules": ["tcp"], "product": "FreeBSD", "versions": [{"status": "affected", "version": "15.0-RELEASE", "lessThan": "p5", "versionType": "release"}, {"status": "affected", "version": "14.4-RELEASE", "lessThan": "p1", "versionType": "release"}, {"status": "affected", "version": "14.3-RELEASE", "lessThan": "p10", "versionType": "release"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-26T05:00:00.000Z", "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf.\n\nIf an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.\n\nTechnically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-401", "description": "CWE-401: Missing Release of Memory after Effective Lifetime"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-03-26T06:35:09.969Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4247", "state": "PUBLISHED", "dateUpdated": "2026-03-26T14:41:24.333Z", "dateReserved": "2026-03-16T03:51:53.368Z", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "datePublished": "2026-03-26T06:09:08.446Z", "assignerShortName": "freebsd"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf.\n\nIf an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.\n\nTechnically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively."}], "id": "CVE-2026-4247", "lastModified": "2026-03-26T15:16:41.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T07:16:20.387", "references": [{"source": "secteam@freebsd.org", "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-401"}], "source": "secteam@freebsd.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[15.0-RELEASE,p5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[14.4-RELEASE,p1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[14.3-RELEASE,p10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FreeBSD", "source": "cna", "vendor": "FreeBSD"}, "product": "freebsd", "vendor": "freebsd"}], "analysis": {"en": {"generated_at": "2026-03-26T07:50:22.779227+00:00", "value": {"mitigation_remediation": ["Apply the latest FreeBSD security update that fixes the TCP mbuf leak", "Verify that the patch has been applied successfully", "Regularly check the FreeBSD security advisory page for updates and maintain the system at the latest stable release"], "summary": {"action": "Immediate Patch", "impact": "Remote Denial of Service via mbuf leak"}, "threat_synthesis": {"affected_systems": "The affected systems are FreeBSD operating systems. The advisory does not list specific version numbers, so any machine running the vulnerable FreeBSD kernel could be impacted.", "description_and_impact": "The vulnerability occurs when the kernel function tcp_respond() processes a challenge ACK packet; it consumes the mbuf only if an ACK is sent, and otherwise returns without freeing the mbuf, leaking memory. An attacker can repeatedly send crafted TCP packets that meet the challenge ACK criteria, causing the FreeBSD host to leak one mbuf for each packet beyond the configured rate limit. This memory leak can quickly exhaust the mbuf pool and lead to a denial of service.", "risk_and_exploitability": "The risk is significant because an on\u2011path attacker or any entity that can establish a TCP connection can exploit the flaw. Off\u2011path exploitation is possible by spoofing packets, but it requires guessing IP addresses, ports, and sequence numbers. With the default limit of five packets per second, an attacker can trigger the leak rapidly. No EPSS score is available, and the vulnerability is not listed in CISA\u2019s KEV catalog, but the clear DoS potential raises the likelihood of exploitation in high\u2011traffic environments."}}}}, "created": "2026-03-26T11:30:19.096494+00:00", "updated": "2026-03-26T12:08:23.117215+00:00", "vendors": ["freebsd", "freebsd$PRODUCT$freebsd"]}