NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption.
The vulnerability lies in the NFS protocol implementation derived from BSD code, used in OpenBSD and FreeBSD. An attacker can remotely send a crafted NFS request that triggers a logic error — not a memory corruption error (no buffer overflow, use-after-free, etc.) — leading to arbitrary code execution on the vulnerable system. The attack does not require authentication or user interaction.
An attacker can remotely execute arbitrary code on a vulnerable system, potentially gaining full control over it, compromising confidentiality, integrity, and data availability.
Apply patches available from the vendor according to the references. Until the patch is deployed, it is recommended to disable or restrict access to the NFS service using a firewall, especially from untrusted networks.
OpenBSD versions up to and including 7.4 and FreeBSD versions up to and including 14.0-RELEASE — all systems with an active NFS service based on BSD code.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFreebsd
OSFreebsd14.0Openbsd
OSOpenbsd≤ 7.4
Related vulnerabilities
Double free i niezainicjowana zmienna w implementacji NFS systemu OpenBSD
FreeBSD UMTX_SHM_DESTROY: use-after-free umożliwiający RCE lub ucieczkę z sandboxa
FreeBSD: przepełnienie bufora w obsłudze beacon 802.11s prowadzące do RCE
In versions of FreeBSD 12.4-RELEASE prior to 12.4-RELEASE-p7 and FreeBSD 13.2-RELEASE prior to 13.2-RELEASE-p5...
pam_krb5 authenticates a user by essentially running kinit with the password, getting a ticket-granting ticket...