OPNsense Forum

English Forums => 26.1 Series => Topic started by: PerpetualNewbie on March 26, 2026, 09:16:13 AM

Title: Is latest OPNsense 26.1.x affected by CVE-2026-4247 if no service faces the public?
Post by: PerpetualNewbie on March 26, 2026, 09:16:13 AM
Hello,

If an OPNsense box has no public-facing services, is it at risk for CVE-2026-4247 from the public Internet?


Links:

https://www.freebsd.org/security/advisories/FreeBSD-SA-26:06.tcp.asc

https://www.cvedetails.com/cve/CVE-2026-4247/

If this is a service-affecting risk for OPNsense, do you have any estimate for when a patched kernel will be included in an update?

You all are great. This is not criticism or complaint.

Thanks for your hard work! :-)

Title: Re: Is latest OPNsense 26.1.x affected by CVE-2026-4247 if no service faces the public?
Post by: newsense on March 26, 2026, 09:25:48 AM
Applying the mitigation will suffice until 26.1.6 arrives, which may not happen next week if nothing else more serious needs patching in the meantime.
Title: Re: Is latest OPNsense 26.1.x affected by CVE-2026-4247 if no service faces the public?
Post by: franco on March 26, 2026, 09:31:58 AM
The timing is unfortunate. We decided to hotfix this for business users later today. The full batch of SAs includes more changes to pf than necessary (or even relevant to us), so it has to wait for 26.1.6, or you can build a kernel from https://github.com/opnsense/src/commits/stable/26.1/ directly, which has all the commits.


Cheers,
Franco
Title: Re: Is latest OPNsense 26.1.x affected by CVE-2026-4247 if no service faces the public?
Post by: PerpetualNewbie on March 26, 2026, 09:38:06 AM
Quote from: newsense on Today at 09:25:48 AM
Applying the mitigation will suffice until 26.1.6 arrives, which may not happen next week if nothing else more serious needs patching in the meantime.

Excellent!
For those that didn't read the FreeBSD link, a suggested mitigation:

Quote from: FreeBSD URL
IV. Workaround

The mbuf leak can be mitigated by not rate limiting the sending of challenge
ACKs. This can be achieved with immediate effect by setting the
net.inet.tcp.ack_war_timewindow sysctl to 0:

sysctl net.inet.tcp.ack_war_timewindow=0

This mitigation does trade off the leaking of mbufs against additional
CPU/resource cost associated with responding to all challenge ACK eligible
packets received for established TCP connections.

To make this change persistent across reboots, add it to /etc/sysctl.conf.

Quote from: franco on Today at 09:31:58 AM
The timing is unfortunate. We decided to hotfix this for business users later today. The full batch of SAs includes more changes to pf than necessary (or even relevant to us), so it has to wait for 26.1.6, or you can build a kernel from https://github.com/opnsense/src/commits/stable/26.1/ directly, which has all the commits.

Thanks!
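As an added example (not from this thread, and not FreeBSD's or OPNsense's own tooling), here is a small POSIX sh script that checks whether the workaround quoted above is active on a box and persisted in /etc/sysctl.conf, and applies it when asked. It assumes only the sysctl name and value given in the advisory; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD/OPNsense: audit whether the
# FreeBSD-SA-26:06.tcp workaround is active on this host, and optionally apply it.
# Only the sysctl name and the value 0 come from the advisory; everything else
# is an assumption of this script.

OID="net.inet.tcp.ack_war_timewindow"

# Return 0 if VALUE (the current sysctl value) means the mitigation is active,
# 1 if challenge ACKs are still rate limited (mbuf leak still possible),
# 2 if the value is empty or non-numeric (e.g. the OID does not exist here).
ack_war_mitigated() {
    case "$1" in
        0)            return 0 ;;
        ''|*[!0-9]*)  return 2 ;;
        *)            return 1 ;;
    esac
}

# Read sysctl.conf-style text on stdin; print "yes" if a line already pins the
# OID to 0 (whitespace tolerated), otherwise "no". Dots in the OID are escaped
# so they match literally instead of acting as regex wildcards.
persisted_in_conf() {
    oid_re=$(printf '%s' "$OID" | sed 's/\./\\./g')
    if grep -qE "^[[:space:]]*${oid_re}[[:space:]]*=[[:space:]]*0[[:space:]]*$"; then
        echo yes
    else
        echo no
    fi
}

# Live audit: report the running value and whether it is persisted.
audit() {
    current=$(sysctl -n "$OID" 2>/dev/null || true)
    rc=0
    ack_war_mitigated "$current" || rc=$?
    case "$rc" in
        0) echo "$OID=$current: mitigated (challenge ACKs not rate limited)" ;;
        1) echo "$OID=$current: NOT mitigated (mbuf leak possible)" ;;
        *) echo "$OID: not readable on this kernel" ;;
    esac
    if [ -r /etc/sysctl.conf ]; then
        echo "persisted in /etc/sysctl.conf: $(persisted_in_conf </etc/sysctl.conf)"
    fi
    return "$rc"
}

# Apply with immediate effect and persist it, as the advisory describes.
apply() {
    sysctl "$OID=0"
    if ! [ -f /etc/sysctl.conf ] || [ "$(persisted_in_conf </etc/sysctl.conf)" = no ]; then
        printf '%s=0\n' "$OID" >>/etc/sysctl.conf
    fi
}

# Usage: sh ack_war_check.sh audit | apply   (apply needs root)
case "${1:-}" in
    audit) audit ;;
    apply) apply ;;
esac
```

On OPNsense the persisted value is normally managed from System > Settings > Tunables rather than by editing /etc/sysctl.conf by hand, so on a firewall use the tunable for persistence and keep the `apply` path for plain FreeBSD hosts; the `audit` path is useful either way to confirm the running value after a reboot or a kernel update.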
Title: Re: Is latest OPNsense 26.1.x affected by CVE-2026-4247 if no service faces the public?
Post by: franco on March 26, 2026, 11:44:33 AM
Or here's a snapshot kernel that includes all advisories:

# opnsense-update -zkr 26.1.3-next
(reboot)

It will yield to a known kernel the next time the box is updated (e.g. to 26.1.6).


Cheers,
Franco
Title: Re: Is latest OPNsense 26.1.x affected by CVE-2026-4247 if no service faces the public?
Post by: Seimus on March 26, 2026, 11:52:42 AM
$ uname -a
FreeBSD OPNsense.local 14.3-RELEASE-p10 FreeBSD 14.3-RELEASE-p10 stable/26.1-n272044-ff0b11e0a4a4 SMP amd64

Looks good, many thanks!

Regards,
S.