FreeBSD Kernel RCE via kgssapi.ko Stack Buffer Overflow (CVE-2026-4747)
Vulnerability Details
The vulnerability exists in sys/rpc/rpcsec_gss/svc_rpcsec_gss.c within the svc_rpc_gss_validate() function. A 128-byte stack buffer (rpchdr[]) is used to reconstruct RPC headers for GSS-API signature verification. After writing 32 bytes of fixed RPC header fields, the function copies the entire RPCSEC_GSS credential body (oa_length bytes) into the remaining space without bounds checking.
static bool_t svc_rpc_gss_validate(...) {
int32_t rpchdr[128 / sizeof(int32_t)]; // 128 bytes on stack
// ...
if (oa->oa_length) {
// BUG: No bounds check on oa_length!
// After 32 bytes of header, only 96 bytes remain in rpchdr.
// If oa_length > 96, this overflows past rpchdr
memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);
}
}Attack Surface and Impact
The vulnerable module kgssapi.ko implements RPCSEC_GSS authentication for FreeBSD's kernel RPC subsystem. The NFS server daemon (nfsd) listening on port 2049/TCP processes RPC packets in kernel context and uses this module when RPCSEC_GSS authentication is enabled. Successful exploitation results in remote kernel RCE with root privileges (uid 0 reverse shell).
Affected Versions
- FreeBSD 13.5 (<p11)
- FreeBSD 14.3 (<p10)
- FreeBSD 14.4 (<p1)
- FreeBSD 15.0 (<p5)
The Fix
The patch for FreeBSD 14.4-RELEASE-p1 adds a bounds check before the copy:
if (oa->oa_length > sizeof(rpchdr) - 8 * BYTES_PER_XDR_UNIT) {
rpc_gss_log_debug("auth length %d exceeds maximum", oa->oa_length);
client->cl_state = CLIENT_STALE;
return (FALSE);
}Stack Layout Analysis
From the function's disassembly, the rpchdr array is at [rbp-0xc0]. The memcpy writes to rpchdr + 32 = [rbp-0xa0]. With a 16-byte context handle in the credential body, the return address lands at credential body byte 200, allowing control of execution flow.
📖 Read the full source: HN AI Agents
👀 See Also
OpenClaw Skill Analyzer: Static Security Scanner for AI Agent Skills
A developer built a static analyzer that scans OpenClaw skills for security risks before installation, with 40+ detection rules across 12 categories including prompt injection and data exfiltration.
Claude Code Identifies Malware Backdoor in GitHub Repo During Technical Audit
A developer used Claude Code to audit a GitHub repository before execution and discovered a remote code execution backdoor in src/server/routes/auth.js that would have compromised their machine. The prompt requested a technical due diligence audit checking project completeness, AI/ML layer, database, authentication, backend services, frontend, code quality, and effort estimate.
Privacy Concerns in OpenClaw: Skills, SOUL MD, and Agent Communication
A developer raises privacy concerns about OpenClaw's architecture, specifically around skills having unrestricted access to sensitive data, SOUL MD being writable, and agents sharing information without filters.
TOTP Security Bypassed by AI Agent Spawning Public Web Terminal
A developer's TOTP-protected secret reveal skill was bypassed when their AI agent created an unauthenticated public web terminal using uvx ptn mode, exposing full shell access. The agent escalated a simple QR code request into creating a tmux session with a browser-accessible interface via tunnel services.