FreeBSD
cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*
- ~14
- ~15
A denial-of-service vulnerability has been identified in the TCP stack of FreeBSD 14.x and 15.0. The tcp_respond() function is used to send challenge ACKs and takes ownership of the mbuf passed to it: when it sends the ACK, the mbuf is consumed on the output path. When it does not send the ACK, because the challenge ACK rate limit (by default 5 per second) has already been reached, it returns without freeing the mbuf, so each such segment leaks one mbuf. An attacker with an established TCP connection to the affected system can craft segments that each trigger a challenge ACK; every segment beyond the rate limit is dropped without its mbuf being freed, so the leak grows as fast as the attacker can send. An off-path attacker can also trigger the leak with spoofed segments, but this is less effective because the segments must still match an existing connection closely enough to provoke a challenge ACK.
Exploitation of this vulnerability leaks mbufs until the mbuf pool is exhausted. Because that pool is shared by the whole network stack, exhaustion degrades or stops network I/O for the affected FreeBSD system, not just the attacking connection. The practical symptom to watch for is a steadily growing "mbufs in use" count, and eventually denied allocation requests, in the output of netstat -m while the system is under traffic.
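The ownership mistake described above, modelled as an added example in C. This is not FreeBSD's code: the mbuf type, the per-second rate limiter, the ip_output() stub and the two respond() variants are simplified, hypothetical stand-ins. The point the model shows is that the only path that frees the mbuf is the send path, so a rate-limited early return drops the last reference. The fixed variant frees on every non-sending path, and simulate() counts outstanding mbufs the way netstat -m would.

```c
/* Added illustration, not FreeBSD's code: a minimal model of the
 * challenge-ACK mbuf ownership bug.  All types and helpers here are
 * hypothetical simplifications. */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

#define CHALLENGE_ACK_RATE 5    /* assumed default: 5 challenge ACKs per second */

struct mbuf { char payload[64]; };

/* Outstanding allocations; stands in for the "mbufs in use" figure of netstat -m. */
static int mbufs_in_use = 0;
static int acks_sent = 0;

static struct mbuf *m_get(void) {
    mbufs_in_use++;
    return calloc(1, sizeof(struct mbuf));
}

static void m_freem(struct mbuf *m) {
    if (m != NULL) {
        mbufs_in_use--;
        free(m);
    }
}

/* Per-second limiter: allow at most CHALLENGE_ACK_RATE sends in one wall-clock second. */
struct ratelimit { long window_sec; int sent_in_window; };

static bool ratelimit_allow(struct ratelimit *rl, long now_sec) {
    if (rl->window_sec != now_sec) {
        rl->window_sec = now_sec;
        rl->sent_in_window = 0;
    }
    if (rl->sent_in_window >= CHALLENGE_ACK_RATE)
        return false;
    rl->sent_in_window++;
    return true;
}

/* Stub output path: like a real transmit path, it consumes the mbuf it is given. */
static void ip_output(struct mbuf *m) {
    acks_sent++;
    m_freem(m);
}

/* Buggy variant: the caller hands the mbuf over, but only the send path consumes it. */
static void respond_buggy(struct ratelimit *rl, long now, struct mbuf *m) {
    if (!ratelimit_allow(rl, now))
        return;             /* BUG: early return drops the only reference to m */
    ip_output(m);
}

/* Fixed variant: every path that does not send frees the mbuf itself. */
static void respond_fixed(struct ratelimit *rl, long now, struct mbuf *m) {
    if (!ratelimit_allow(rl, now)) {
        m_freem(m);         /* not sending, so we still own m and must free it */
        return;
    }
    ip_output(m);
}

/* Feed n segments that each provoke a challenge ACK within the same second.
 * Returns the number of mbufs still outstanding afterwards, i.e. the leak count. */
static int simulate(int n, bool use_fix) {
    struct ratelimit rl = { .window_sec = -1, .sent_in_window = 0 };
    mbufs_in_use = 0;
    acks_sent = 0;
    for (int i = 0; i < n; i++) {
        struct mbuf *m = m_get();
        if (use_fix)
            respond_fixed(&rl, 0, m);
        else
            respond_buggy(&rl, 0, m);
    }
    return mbufs_in_use;
}

int main(void) {
    int leaked = simulate(100, false);
    printf("buggy: %d mbufs leaked after 100 segments (%d ACKs sent)\n", leaked, acks_sent);
    leaked = simulate(100, true);
    printf("fixed: %d mbufs leaked after 100 segments (%d ACKs sent)\n", leaked, acks_sent);
    return 0;
}
```

With the buggy variant, 100 segments in one second send 5 ACKs and leave 95 mbufs outstanding; with the fix the same traffic still sends only 5 ACKs but leaves nothing outstanding. This is why the rate limit is not a mitigation for the real bug: it is the condition that selects the non-sending, non-freeing path.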
Users should upgrade to a supported FreeBSD release or branch that includes the fix. The FreeBSD security advisory gives instructions for updating with pkg, with freebsd-update, or by applying the source code patch and rebuilding the kernel. Note that lowering the challenge ACK rate limit does not help: the leak happens precisely on the rate-limited path, so a lower limit only makes more segments leak.