Description
A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected. Some keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant. Affected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://security.freebsd.org/advisories/FreeBSD-SA-26:09.pf.asc
Scores
CVSS v3
7.5
EPSS
0.0006
EPSS Percentile
18.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-1023
CWE-480
CWE-754
Status
published
Products (7)
freebsd/freebsd
14.3 (10 CPE variants)
freebsd/freebsd
14.4 (2 CPE variants)
freebsd/freebsd
15.0 (5 CPE variants)
freebsd/freebsd
14.0 - 14.4
FreeBSD/FreeBSD
14.3-RELEASE - p10
FreeBSD/FreeBSD
14.4-RELEASE - p1
FreeBSD/FreeBSD
15.0-RELEASE - p5
Published
Apr 01, 2026
Tracked Since
Apr 01, 2026