FreeBSD CVE-2026-42511 — NFS Stack Vulnerability Affecting Network Appliances and BSD-Based Storage

A new vulnerability in FreeBSD's NFS networking stack has been disclosed as CVE-2026-42511, distinct from the previously covered CVE-2026-4747 (the 17-year-old NFSv4 daemon RCE). CVE-2026-42511 affects the NFS client implementation and is exploitable by a malicious NFS server to achieve code execution on FreeBSD hosts connecting to untrusted NFS mounts — a relevant threat model for enterprise environments mounting network storage from potentially compromised infrastructure.

The FreeBSD Security Team has published FreeBSD Security Advisory FreeBSD-SA-26:04.nfsclient documenting CVE-2026-42511, a vulnerability in FreeBSD’s NFS client implementation. The vulnerability is distinct from CVE-2026-4747 (the NFSv4 server daemon RCE disclosed in April 2026) — CVE-2026-42511 targets the NFS client, making it exploitable by a malicious or compromised NFS server against hosts connecting to that server.

The vulnerability is present in FreeBSD 13.x and 14.x NFS client code and affects the parsing of specific NFSv4 response attribute structures. A malicious NFS server can send a crafted response that triggers a memory corruption condition in the connecting client’s kernel NFS client code, potentially resulting in kernel panic (denial of service) or arbitrary code execution in kernel context.

The NFS Client Attack Model

While most NFS security discussions focus on the server side — who can mount exported filesystems — CVE-2026-42511 represents the less commonly considered threat where the attacker controls the NFS server and the victim is the NFS client.

This threat model applies in several realistic enterprise scenarios:

Compromised storage infrastructure: If a NAS device or NFS server within an enterprise environment is compromised, it can attack all FreeBSD-based clients that mount its filesystems — including other storage appliances, network equipment, and servers.

Rogue NFS servers on internal networks: An attacker with internal network access who can intercept or redirect NFS mount traffic — via ARP spoofing, DNS hijacking, or rogue advertisement of NFS services — can serve malicious responses to legitimate FreeBSD NFS clients.

Automated cloud provisioning: FreeBSD instances in cloud environments that mount NFS-based network storage during provisioning are exposed to a compromised storage endpoint during their initialisation.

NetApp and BSD-based NAS products: FreeBSD’s NFS client code is incorporated into multiple commercial storage and network appliance products. Vendors shipping embedded FreeBSD must issue their own advisories and patches — the upstream FreeBSD fix alone does not address these vendor-specific implementations.

Affected Versions and Patch

FreeBSD 13.3 and 13.4: Fixed in 13.4-RELEASE-p2
FreeBSD 14.1 and 14.2: Fixed in 14.2-RELEASE-p3

Patches are available via FreeBSD’s standard update mechanism:

freebsd-update fetch install

For systems running FreeBSD RELEASE versions, the patch is delivered via freebsd-update. For systems running FreeBSD STABLE or CURRENT, the patch is available as source errata.

Enterprise Actions

Identify FreeBSD-based infrastructure: Beyond standalone FreeBSD servers, identify network appliances, storage systems, and embedded devices in your environment that ship with FreeBSD — including TrueNAS (iXsystems), Isilon/PowerScale (Dell/EMC), certain NetApp platforms, and various network switches and firewalls built on FreeBSD.

Check vendor patch availability: For embedded FreeBSD products, contact the vendor for patch availability timelines. The FreeBSD upstream fix does not automatically update vendor firmware. Given CVE-2026-4747’s April 2026 disclosure, FreeBSD NFS security is already under active review, so vendor patches for CVE-2026-42511 may follow more quickly than they would for a new standalone disclosure.

Network-level mitigation: Restrict NFS client connectivity to trusted NFS server IP addresses via firewall rules. FreeBSD hosts that should only mount NFS from known internal storage servers should have firewall rules blocking NFS server responses from any other source. This limits the malicious server attack surface significantly.
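
An added example (not from the advisory or the FreeBSD project) that supports the patch and network-restriction steps above: it classifies a freebsd-version string against the fix levels listed under Affected Versions, and reports mounted NFS servers that are not on an allowlist. The function names, the allowlist and the sample mount lines (documentation addresses) are constructed for illustration; 13.3 and 14.1 are treated as having no fixed patch level because the page lists none.

```sh
#!/bin/sh
# Classify a `freebsd-version` string against the fix levels stated on this page.
patch_status() {
    ver=$1
    rel=${ver%%-*}                       # "13.4-RELEASE-p1" -> "13.4"
    case $ver in
        *-RELEASE-p*) pl=${ver##*-p} ;;  # patch level after "-p"
        *-RELEASE)    pl=0 ;;            # unpatched RELEASE
        *) echo "check-source"; return ;;  # STABLE/CURRENT: fix is source errata
    esac
    case $rel in
        13.3|14.1) echo "vulnerable" ;;  # assumption: page lists fixes only on 13.4/14.2
        13.4) [ "$pl" -ge 2 ] && echo "fixed" || echo "vulnerable" ;;
        14.2) [ "$pl" -ge 3 ] && echo "fixed" || echo "vulnerable" ;;
        *) echo "not-listed" ;;          # branch not covered by the page
    esac
}

# Read `mount` output on stdin and print "server mountpoint" for every NFS
# mount whose server is not in the space-separated allowlist given as $1.
untrusted_nfs_servers() {
    allow=" $1 "
    while read -r src _on mnt _rest; do
        case $src in *:/*) ;; *) continue ;; esac   # keep only host:/path sources
        host=${src%%:/*}                 # also handles [2001:db8::1]:/path
        case $allow in
            *" $host "*) ;;              # trusted storage server
            *) echo "$host $mnt" ;;      # mounted from a server off the list
        esac
    done
}

# Constructed sample input in the format FreeBSD's mount(8) prints.
SAMPLE_MOUNTS='192.0.2.10:/export/home on /home (nfs, nfsv4acls)
198.51.100.7:/scratch on /mnt/scratch (nfs)
/dev/ada0p2 on / (ufs, local, soft-updates)'

echo "kernel 13.4-RELEASE-p1: $(patch_status 13.4-RELEASE-p1)"
printf '%s\n' "$SAMPLE_MOUNTS" | untrusted_nfs_servers "192.0.2.10"
```

On a FreeBSD host the same functions take live input, for example `patch_status "$(freebsd-version -k)"` and `mount -t nfs | untrusted_nfs_servers "192.0.2.10"`; any server the second call prints is a candidate for the firewall restriction described above.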

CVE-2026-42511’s client-side nature is a reminder that storage protocol security operates in both directions — the server that clients trust is itself an attack surface that requires the same patch management attention as the clients connecting to it.
