Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected.
Some keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant.
Affected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking.
AnalysisAI
Packet filter (pf) rule hash calculation regression in FreeBSD causes rules with address range syntax (x.x.x.x - y.y.y.y) differing only in address ranges to be silently dropped as duplicates, loading only the first rule and potentially causing unexpected packet filtering behavior including unintended blocking or allowing of traffic. The regression affects pf's duplicate detection mechanism but does not impact rules using CIDR notation (address/mask-bits syntax). Only the first of multiple such rules is loaded, creating a silent configuration failure with no warning to administrators.
Technical ContextAI
This vulnerability affects FreeBSD's packet filter (pf), a stateful firewall implementation that uses rule hashing to detect and eliminate duplicate configurations. The regression occurred in the hash calculation function that processes pf ruleset definitions. CWE-480 (Use of Incorrect Operator) indicates that an incorrect comparison or mathematical operation was introduced during recent changes, causing rules with semantically different address ranges (e.g., '192.168.1.1 - 192.168.1.100' vs '192.168.1.100 - 192.168.1.200') to produce identical hash values. This collision mechanism causes the duplicate detection logic to incorrectly classify distinct rules as identical. The impact is confined to rules using the range syntax; CIDR notation rules (address/mask-bits) hash correctly and are unaffected, suggesting the regression is specific to how the range operator parses or hashes the start and end addresses.
RemediationAI
Apply the patch provided in FreeBSD Security Advisory FreeBSD-SA-26:09.pf via the FreeBSD Update utility (freebsd-update fetch install) or by rebuilding the kernel with the patched pf code. Immediately following patch installation, reload pf rules using 'pfctl -f /etc/pf.conf' and verify that the expected number of rules are loaded (compare 'pfctl -s rules' output against configuration intent). As a temporary mitigation pending patch deployment, convert any address range rules (x.x.x.x - y.y.y.y syntax) to equivalent CIDR notation (address/mask-bits), which are unaffected by the regression, or explicitly verify all intended rules are active via 'pfctl -s rules'. Audit pf configurations for unintentional redundancy in action keywords ('log', 'return ttl', 'dnpipe') which may also be affected.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used
The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers
Same weakness CWE-480 – Use of Incorrect Operator
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17818
GHSA-2v62-qxwf-qh42