TCP: remotely exploitable DoS vector (mbuf leak)
Summary
| CVE | CVE-2026-4247 |
|---|---|
| State | PUBLISHED |
| Assigner | freebsd |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-26 07:16:20 UTC |
| Updated | 2026-04-30 18:55:51 UTC |
| Description | When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf. If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf. Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.000270000 probability, percentile 0.075600000 (date 2026-05-05)
Problem Types: CWE-401 | CWE-401 CWE-401: Missing Release of Memory after Effective Lifetime
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Freebsd | Freebsd | 14.3 | - | All | All |
| Operating System | Freebsd | Freebsd | 14.3 | p1 | All | All |
| Operating System | Freebsd | Freebsd | 14.3 | p2 | All | All |
| Operating System | Freebsd | Freebsd | 14.3 | p3 | All | All |
| Operating System | Freebsd | Freebsd | 14.3 | p4 | All | All |
| Operating System | Freebsd | Freebsd | 14.3 | p5 | All | All |
| Operating System | Freebsd | Freebsd | 14.3 | p6 | All | All |
| Operating System | Freebsd | Freebsd | 14.3 | p7 | All | All |
| Operating System | Freebsd | Freebsd | 14.3 | p8 | All | All |
| Operating System | Freebsd | Freebsd | 14.3 | p9 | All | All |
| Operating System | Freebsd | Freebsd | 14.4 | - | All | All |
| Operating System | Freebsd | Freebsd | 14.4 | rc1 | All | All |
| Operating System | Freebsd | Freebsd | 15.0 | - | All | All |
| Operating System | Freebsd | Freebsd | 15.0 | p1 | All | All |
| Operating System | Freebsd | Freebsd | 15.0 | p2 | All | All |
| Operating System | Freebsd | Freebsd | 15.0 | p3 | All | All |
| Operating System | Freebsd | Freebsd | 15.0 | p4 | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.freebsd.org/advisories/FreeBSD-SA-26:06.tcp.asc | [email protected] | security.freebsd.org | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Michael Tuexen (Netflix) (en)
There are currently no legacy QID mappings associated with this CVE.