Skip to main content

FreeBSD pf CVE-2026-7164

| EUVDEUVD-2026-26352 HIGH
Uncontrolled Recursion (CWE-674)
2026-04-30 freebsd
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Analysis Generated
Apr 30, 2026 - 14:23 vuln.today
CVSS changed
Apr 30, 2026 - 14:22 NVD
7.5 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 08:15 euvd
EUVD-2026-26352
Analysis Generated
Apr 30, 2026 - 08:15 vuln.today
CVE Published
Apr 30, 2026 - 07:23 nvd
HIGH 7.5

DescriptionCVE.org

Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic.

Remote attackers can craft packets which cause affected systems to panic. This affects any system where pf is configured to process traffic, independent of the configured ruleset.

AnalysisAI

Remote denial-of-service in FreeBSD packet filter (pf) allows unauthenticated attackers to crash systems via malformed SCTP packets. Unbounded recursion in SCTP chunk parameter parsing triggers stack overflow, causing kernel panic on any FreeBSD system with pf enabled, regardless of firewall ruleset configuration. EPSS score of 0.06% (17th percentile) suggests low broad exploitation probability, but impact is critical for exposed FreeBSD firewalls. Official patch released by FreeBSD covering versions 13.5, 14.3, 14.4, and 15.0.

Technical ContextAI

The vulnerability resides in FreeBSD's packet filter (pf) SCTP (Stream Control Transmission Protocol) parsing code. SCTP is a transport-layer protocol used for reliable message-oriented communication, commonly in telecommunications and signaling applications. The pf firewall parses SCTP chunk parameters to perform stateful inspection and filtering. The flaw (CWE-674: Uncontrolled Recursion) allows specially crafted SCTP packets with malicious chunk parameter structures to trigger unbounded recursive function calls during validation. Unlike typical buffer overflows that corrupt heap or stack data through sequential writes, this recursion exhaustion consumes stack space with each recursive call until the kernel stack is depleted. When stack space is exhausted, the FreeBSD kernel panics (crashes), causing complete system unavailability. The affected component is the kernel-level pf firewall module, meaning exploitation occurs in privileged kernel context. The CPE identifier cpe:2.3:a:freebsd:freebsd confirms this affects the FreeBSD operating system itself, specifically the integrated pf packet filtering subsystem inherited from OpenBSD.

RemediationAI

Apply FreeBSD security patches immediately: upgrade to FreeBSD 13.5-RELEASE-p13, 14.3-RELEASE-p12, 14.4-RELEASE-p3, or 15.0-RELEASE-p7 as appropriate for your release branch. Patching instructions and binary updates available at https://security.freebsd.org/advisories/FreeBSD-SA-26:14.pf.asc following FreeBSD's standard security update procedures via freebsd-update or source rebuild. For systems unable to patch immediately, implement compensating controls with understanding of operational impact: disable pf entirely if not required for security policy (removes firewall protection entirely), or configure upstream network devices to block SCTP protocol (IP protocol 132) at network perimeter before reaching vulnerable FreeBSD systems (breaks legitimate SCTP applications like SIP, Diameter, or SS7 signaling). If SCTP filtering is feasible, use access control lists on border routers or IDS/IPS to drop malformed SCTP packets, though deep packet inspection for recursive parameter structures may not be reliable. None of these workarounds substitute for patching, as they either eliminate critical firewall functionality or may impact legitimate SCTP-based services.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

CVE-2026-7164 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy