Back to Home

CVE-2026-4247 FreeBSD TCP DoS Vulnerability

CVE-2026-4247 vulnerability in FreeBSD allows remote DoS through mbuf leak when processing TCP Challenge ACK. Vectors described, temporary sysctl fix and patches for branches 14/15. Considering changes in releases, update to 64-bit versions is recommended.

FreeBSD: DoS via TCP Challenge ACK (CVE-2026-4247)
Advertisement 728x90

# CVE-2026-4247 Vulnerability in FreeBSD: mbuf Leak During TCP Challenge ACK Processing

The FreeBSD team published details of CVE-2026-4247 on March 26, 2026—a vulnerability that enables remote DoS attacks through mbuf leaks in TCP connections. The issue affects the handling of unexpected TCP segments in established connections.

The TCP protocol generates Challenge ACKs when receiving unexpected packets to verify their legitimacy. The generation rate is limited by sysctl parameters: net.inet.tcp.ack_war_timewindow (default 1000 ms) and net.inet.tcp.ack_war_cnt (5). Within this interval, only the first 5 packets are processed; the rest are ignored.

The tcp_respond() function in tcp_subr.c forms the Challenge ACK and consumes an mbuf. If the ACK isn't needed, the mbuf is freed. An attacker spoofing packets triggers mbuf loss for packets beyond the limit—one per packet.

Google AdInline article slot

All FreeBSD TCP stacks are vulnerable: the base stack, RACK, BBR. The base stack sends more ACKs, amplifying the effect.

Attack Vectors and Exploitation Conditions

Attack is possible under these conditions:

  • Positioning on the path of a TCP connection (MITM).
  • Establishing your own connection to the target.

External attackers must guess IP addresses, ports, and sequence numbers for spoofing. Success rate is low due to the complexity.

Google AdInline article slot

Each spoofed packet beyond the limit (5/sec) causes an mbuf leak, depleting the pool and triggering DoS.

Temporary Protection Measures

Disable the ACK rate limit:

sysctl net.inet.tcp.ack_war_timewindow=0

Add it to /etc/sysctl.conf for persistence.

Google AdInline article slot

This eliminates the leak but increases CPU load due to processing all packets.

Permanent Fix and Branches

Update to branches with patches (commits and revisions):

  • stable/15/ 1fddb5435315 (stable/15-n282699)
  • releng/15.0/ de9e5d82581e (releng/15.0-n281011)
  • stable/14/ b45e7530ffb9 (stable/14-n273839)
  • releng/14.4/ 44dd8b58394b (releng/14.4-n273676)
  • releng/14.3/ a9cba5321021 (releng/14.3-n271476)

FreeBSD Release Schedule

FreeBSD 15.0 was released on December 2, 2025. Branch support shortened to 4 years, with new branches every 2 years. Intermediate releases every 6 months per branch, overall cycle—3 months with parallel development of two branches.

FreeBSD 14.4—March 10, 2026. The 14.x branch is the last for 32-bit platforms. FreeBSD 15+ is 64-bit only, with COMPAT_FREEBSD32 for legacy applications.

Key Points

  • Vulnerability exploitable remotely via TCP packet spoofing, leading to mbuf exhaustion.
  • Affects all FreeBSD TCP stacks; default ACK limit amplifies the leak.
  • Temporary fix: sysctl net.inet.tcp.ack_war_timewindow=0 (trades off CPU usage).
  • Patches in stable/15, releng/15.0, stable/14, and releng/14.x.
  • FreeBSD 14.x marks the end of 32-bit support; migrate to 64-bit.

— Editorial Team

Advertisement 728x90

Read Next