{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4652", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2026-03-23T14:35:04.472Z", "datePublished": "2026-03-26T06:15:00.850Z", "dateUpdated": "2026-03-26T13:31:31.356Z"}, "containers": {"cna": {"datePublic": "2026-03-26T05:00:00.000Z", "title": "Remote denial of service via null pointer dereference", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:07.nvmf.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["nvmf"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"status": "affected", "versionType": "release", "version": "15.0-RELEASE", "lessThan": "p5"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nikolay Denev <ndenev@gmail.com>"}], "descriptions": [{"lang": "en", "value": "On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.\n\nAn attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-03-26T06:15:00.850Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:31:21.926248Z", "id": "CVE-2026-4652", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:31:31.356Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4652", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2026-03-23T14:35:04.472Z", "datePublished": "2026-03-26T06:15:00.850Z", "dateUpdated": "2026-03-26T13:31:31.356Z"}, "containers": {"cna": {"datePublic": "2026-03-26T05:00:00.000Z", "title": "Remote denial of service via null pointer dereference", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:07.nvmf.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["nvmf"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"status": "affected", "versionType": "release", "version": "15.0-RELEASE", "lessThan": "p5"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nikolay Denev <ndenev@gmail.com>"}], "descriptions": [{"lang": "en", "value": "On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.\n\nAn attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-03-26T06:15:00.850Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4652", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:31:21.926248Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:31:18.276Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "On a system exposing an NVMe/TCP target, a remote client can trigger a kernel panic by sending a CONNECT command for an I/O queue with a bogus or stale CNTLID.\n\nAn attacker with network access to the NVMe/TCP target can trigger an unauthenticated Denial of Service condition on the affected machine."}], "id": "CVE-2026-4652", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T07:16:20.540", "references": [{"source": "secteam@freebsd.org", "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:07.nvmf.asc"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "secteam@freebsd.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[15.0-RELEASE,p5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FreeBSD", "source": "cna", "vendor": "FreeBSD"}, "product": "freebsd", "vendor": "freebsd"}], "analysis": {"en": {"generated_at": "2026-03-26T07:20:16.410438+00:00", "value": {"mitigation_remediation": ["Update FreeBSD to the latest stable release that contains the NVMf patch.", "If an update is not yet available, install the latest security advisory patches for the NVMf subsystem.", "Limit network access to the NVMe/TCP target to trusted hosts using firewall rules.", "Monitor system logs for kernel panic messages and unexpected reboots.Consider disabling the NVMf service if it is not required."], "summary": {"action": "Apply Patch", "impact": "Remote Denial of Service"}, "threat_synthesis": {"affected_systems": "The flaw affects FreeBSD systems that expose an NVMe/TCP target. No specific version scope is listed in the advisory, so all releases that include the vulnerable NVMf implementation may be impacted.", "description_and_impact": "A false CNTLID in a CONNECT command can cause a null pointer dereference in the kernel NVMf subsystem. The kernel then throws a panic, effectively rebooting the system. This action results in a denial of service that can be triggered remotely with no prior authentication.", "risk_and_exploitability": "The vulnerability carries high risk because it allows an unauthenticated attacker with network access to the NVMe/TCP service to bring the host down. The EPSS score is unavailable and the issue has not appeared in the KEV list, but a kernel panic is a severe outcome. Exploitation requires only sending a malformed CONNECT request containing a bogus or stale control identifier."}}}}, "created": "2026-03-26T11:30:17.786688+00:00", "updated": "2026-03-26T12:08:22.075352+00:00", "vendors": ["freebsd", "freebsd$PRODUCT$freebsd"]}