FreeBSD TCP Challenge ACK mbuf Leak via Crafted Packets
CVE-2026-4247 Published on March 26, 2026
TCP: remotely exploitable DoS vector (mbuf leak)
When a challenge ACK is to be sent tcp_respond() constructs and sends the challenge ACK and consumes the mbuf that is passed in. When no challenge ACK should be sent the function returns and leaks the mbuf.
If an attacker is either on path with an established TCP connection, or can themselves establish a TCP connection, to an affected FreeBSD machine, they can easily craft and send packets which meet the challenge ACK criteria and cause the FreeBSD host to leak an mbuf for each crafted packet in excess of the configured rate limit settings i.e. with default settings, crafted packets in excess of the first 5 sent within a 1s period will leak an mbuf.
Technically, off-path attackers can also exploit this problem by guessing the IP addresses, TCP port numbers and in some cases the sequence numbers of established connections and spoofing packets towards a FreeBSD machine, but this is harder to do effectively.
Vulnerability Analysis
CVE-2026-4247 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.
Weakness Type
What is a Memory Leak Vulnerability?
The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes remaining memory. This is often triggered by improper handling of malformed data or unexpectedly interrupted sessions. In some languages, developers are responsible for tracking memory allocation and releasing the memory. If there are no more pointers or references to the memory, then it can no longer be tracked and identified for release.
CVE-2026-4247 has been classified to as a Memory Leak vulnerability or weakness.
Products Associated with CVE-2026-4247
Want to know whenever a new CVE is published for FreeBSD? stack.watch will email you.
Affected Versions
FreeBSD:- Version 15.0-RELEASE and below p5 is affected.
- Version 14.4-RELEASE and below p1 is affected.
- Version 14.3-RELEASE and below p10 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.