CVE intelligence and bounded remediation

CVE-2026-4247 — When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in

High CVSS 7.5

When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf. If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf. Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.

Severity
High
CVSS
7.5 (3.1)
Published
2026-03-26
CISA KEV
Not currently listed
Ecosystem
operating-system
Weaknesses
CWE-401

Affected products

  • freebsd / freebsd / 14.3
  • freebsd / freebsd / 14.4

Showing 2 representative product identities from 17 source matches. Confirm exact affected versions with the linked vendor and NVD evidence.

Matched remediation archetype

Resource exhaustion and denial of service

This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.

Check exposure

  • Identify attacker-influenced work factors including input size, nesting, compression, fan-out, regex cost, allocation, recursion, retries, and connection lifetime.
  • Map per-request and shared CPU, memory, disk, descriptor, thread, queue, and downstream-service limits.
  • Determine whether authentication, tenancy, quotas, and rate controls apply before expensive processing begins.

Remediate safely

  • Bound input size, nesting, expansion, work, concurrency, queue depth, retries, and execution time before resource-intensive processing.
  • Release resources on every success, error, cancellation, and timeout path and use backpressure instead of unbounded buffering.
  • Update affected components and add small deterministic tests that assert resource ceilings rather than exhausting a host.

Authoritative sources

Complete CVE record and remediation plan

The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.