FreeBSD Kernel RCE via kgssapi.ko Stack Buffer Overflow (CVE-2026-4747)

Vulnerability Details
The vulnerability exists in sys/rpc/rpcsec_gss/svc_rpcsec_gss.c within the svc_rpc_gss_validate() function. A 128-byte stack buffer (rpchdr[]) is used to reconstruct RPC headers for GSS-API signature verification. After writing 32 bytes of fixed RPC header fields, the function copies the entire RPCSEC_GSS credential body (oa_length bytes) into the remaining space without bounds checking.
    static bool_t svc_rpc_gss_validate(...) {
        int32_t rpchdr[128 / sizeof(int32_t)]; // 128 bytes on stack
        // ...
        if (oa->oa_length) {
            // BUG: No bounds check on oa_length!
            // After 32 bytes of header, only 96 bytes remain in rpchdr.
            // If oa_length > 96, this overflows past rpchdr.
            memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
        }
    }
Attack Surface and Impact
The vulnerable module kgssapi.ko implements RPCSEC_GSS authentication for FreeBSD's kernel RPC subsystem. The NFS server daemon (nfsd) listening on port 2049/TCP processes RPC packets in kernel context and uses this module when RPCSEC_GSS authentication is enabled. Successful exploitation results in remote kernel RCE with root privileges (uid 0 reverse shell).
Affected Versions
- FreeBSD 13.5 (<p11)
- FreeBSD 14.3 (<p10)
- FreeBSD 14.4 (<p1)
- FreeBSD 15.0 (<p5)
The Fix
The patch for FreeBSD 14.4-RELEASE-p1 adds a bounds check before the copy:
    if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
        rpc_gss_log_debug("auth length %d exceeds maximum", oa->oa_length);
        client->cl_state = CLIENT_STALE;
        return (FALSE);
    }
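The same 96-byte limit can be checked on the wire, before a call reaches an unpatched kernel. The following is an added example, not FreeBSD code or code from the original write-up: a userland classifier that applies the fix's comparison to the credential length field of an RPC call. It assumes the TCP record marker has already been stripped and that the 32 fixed bytes follow the RFC 5531 call layout; the function names and sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RPCHDR_SIZE        128u  /* sizeof(rpchdr), per the page */
#define BYTES_PER_XDR_UNIT 4u
#define FIXED_HDR_BYTES    (8u * BYTES_PER_XDR_UNIT)        /* 32 */
#define MAX_SAFE_CRED      (RPCHDR_SIZE - FIXED_HDR_BYTES)  /* 96 */
#define RPC_CALL           0u    /* msg_type CALL (RFC 5531) */
#define RPCSEC_GSS         6u    /* auth flavor (RFC 2203) */

enum verdict { V_MALFORMED, V_NOT_GSS_CALL, V_GSS_OK, V_GSS_OVERSIZED };

/* Read one big-endian XDR word. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify one RPC message (assumption: record marker already stripped).
 * Words: xid, msg_type, rpcvers, prog, vers, proc, cred flavor, cred length. */
enum verdict classify_rpc_call(const uint8_t *msg, size_t len)
{
    if (msg == NULL || len < FIXED_HDR_BYTES)
        return V_MALFORMED;
    if (xdr_u32(msg + 4) != RPC_CALL || xdr_u32(msg + 24) != RPCSEC_GSS)
        return V_NOT_GSS_CALL;
    /* Same comparison as the fix: oa_length > sizeof(rpchdr) - 8 XDR units. */
    return xdr_u32(msg + 28) > MAX_SAFE_CRED ? V_GSS_OVERSIZED : V_GSS_OK;
}

/* Constructed sample: header words only (NFS program 100003, version 3). */
static void make_call(uint8_t out[32], uint32_t flavor, uint32_t cred_len)
{
    const uint32_t w[8] = { 0x1234, RPC_CALL, 2, 100003, 3, 0, flavor, cred_len };
    for (int i = 0; i < 8; i++) {
        out[4*i]   = (uint8_t)(w[i] >> 24); out[4*i+1] = (uint8_t)(w[i] >> 16);
        out[4*i+2] = (uint8_t)(w[i] >> 8);  out[4*i+3] = (uint8_t)w[i];
    }
}

int main(void)
{
    uint8_t m[32];
    make_call(m, RPCSEC_GSS, 96); printf("len 96 -> %d\n", classify_rpc_call(m, sizeof m));
    make_call(m, RPCSEC_GSS, 97); printf("len 97 -> %d\n", classify_rpc_call(m, sizeof m));
    return 0;
}
```

RFC 5531 allows an opaque_auth body of up to 400 bytes, so a credential longer than 96 bytes is valid on the wire even though it does not fit in rpchdr; that is why the limit has to be enforced explicitly.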
Stack Layout Analysis
From the function's disassembly, the rpchdr array is at [rbp-0xc0]. The memcpy writes to rpchdr + 32 = [rbp-0xa0]. With a 16-byte context handle in the credential body, the return address lands at credential body byte 200, allowing control of execution flow.
📖 Read the full source: HN AI Agents