Description
A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected.

Some keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant.

Affected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking.
Published: 2026-04-01
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Incorrect firewall rule enforcement
Action: Apply Patch
AI Analysis

Impact

A regression in the FreeBSD packet filter (pf) caused rules that use the address range syntax (x.x.x.x - y.y.y.y) and differ from an earlier rule only in the range(s) involved to be treated as duplicates. The first such rule is loaded; later rules that differ only in their range are silently dropped, so the traffic they were meant to match falls through to whatever rule follows. That can over‑block or under‑block traffic, disrupting legitimate flows or exposing hosts that should have been unreachable. Rules that express ranges with the address[/mask-bits] syntax are not affected. Rules that differ only in certain action keywords (the description lists 'log', 'return tll' and 'dnpipe') may be affected as well, but such configurations are unusual because those rules would be redundant. Typical firewall configurations that list several distinct ranges with the range syntax are the realistic case.

Affected Systems

The vulnerability affects the FreeBSD operating system. The CPE entries recorded on this page list FreeBSD 14.3 (the base release and patch levels 14.3-p1 through 14.3-p9), FreeBSD 14.4 (the base release and 14.4-RC1), and FreeBSD 15.0 (the base release and patch levels 15.0-p1 through 15.0-p4). The page does not state which releases are unaffected or which patch level carries the fix; the FreeBSD security advisory is the authoritative source for both.

Risk and Exploitability

The CVSS v3.1 score of 7.5 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates high severity. The vector describes a network‑reachable condition that needs no privileges or user interaction, with the impact rated on confidentiality: traffic that a dropped rule should have blocked reaches hosts or services it was meant to be kept from. The EPSS score of less than 1% suggests a low observed likelihood of exploitation, the SSVC entry records no known exploitation, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. No attacker action against the configuration is required: an administrator's own legitimate ruleset with several range‑based rules is silently reduced when it is loaded, and a remote party whose traffic should have matched one of the dropped rules simply gets through (or, in the over‑blocking case, legitimate traffic is denied). The primary risk is incorrect rule enforcement and network disruption rather than code execution. No public exploitation is documented.

Generated by OpenCVE AI on April 3, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a FreeBSD patch level that the FreeBSD security advisory names as fixed; the CPE list on this page marks 14.4 and 14.4-RC1 as affected, so moving to 14.4 on its own is not a fix
  • If an immediate upgrade is not possible, rewrite rules that use the x.x.x.x - y.y.y.y range syntax into the address[/mask-bits] form, which the description says is unaffected; a range that is not CIDR‑aligned becomes a list of several address/mask blocks. Do not "consolidate" the affected rules: they are not duplicates, they are distinct rules that pf mistakes for duplicates
  • After reloading, compare the rules pf actually holds ("pfctl -s rules", or "pfctl -vs rules" for per‑rule counters) against what pf.conf defines, and confirm that every range‑based rule is present; "pfctl -nvf /etc/pf.conf" prints the parsed ruleset without loading it, for a side‑by‑side check
  • Send test traffic that each range‑based rule should match and confirm it is blocked or passed as intended; a rule that was dropped at load time produces no log entry, so logs alone will not reveal the problem
  • Consult the official FreeBSD security advisory for the authoritative affected and fixed versions
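The following is an added example, not code from FreeBSD, pf or OpenCVE. It does the two things the description and the actions above call for: it finds the rule pairs the description says pf would collapse (rules that differ only in their x.x.x.x - y.y.y.y range), and it rewrites each such range into the address[/mask-bits] form the description says is unaffected. The sample ruleset is constructed for the example; the one-rule-per-line layout and the "same rule text with the range masked out" model of the hash collision are assumptions drawn from the description, not from pf's actual hashing code. Run it on a copy of your own pf.conf and compare the result with what "pfctl -nvf" and "pfctl -s rules" report.

```python
"""Find pf rules that differ only in an address range and rewrite the ranges
as CIDR blocks (the address/mask syntax the advisory says is unaffected).

Added example, not FreeBSD or OpenCVE code.  Assumptions: one rule per line,
ranges written as 'x.x.x.x - y.y.y.y' inside the rule text, and the regression
modelled as "identical rule text once every range is masked out".
"""
import ipaddress
import re

# Matches an IPv4 range 'a.b.c.d - e.f.g.h'; pf also accepts no spaces around '-'.
RANGE_RE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s*-\s*(\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample ruleset.  The first two 'block' rules differ only in their
# range, which is exactly the shape the regression collapses into one rule.
SAMPLE_PF_CONF = """\
# constructed example pf.conf
block in quick on em0 from 192.0.2.10 - 192.0.2.20 to any
block in quick on em0 from 198.51.100.5 - 198.51.100.9 to any
block in quick on em0 from 203.0.113.0/24 to any
pass in on em0 proto tcp from 192.0.2.100 - 192.0.2.103 to any port 22
pass out on em0 all
"""


def rules(conf):
    """Yield the non-comment, non-blank rule lines of a pf.conf text."""
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def range_collision_groups(conf):
    """Group rules that differ only in their address range(s).

    Every returned group has at least two rules; under the regression only
    the first of them is loaded into pf.  The grouping key is the rule text
    with each range replaced by a placeholder (assumption: this models
    "same hash, different range" as the description states it).
    """
    groups = {}
    for rule in rules(conf):
        if RANGE_RE.search(rule):
            key = RANGE_RE.sub("<range>", rule)
            groups.setdefault(key, []).append(rule)
    return [g for g in groups.values() if len(g) > 1]


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range start {first} is after end {last}")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def rewrite_rule(rule):
    """Rewrite every 'x - y' range in a rule as address/mask blocks.

    A range that is not CIDR-aligned becomes a pf brace list, which pf expands
    into one rule per element at load time; each expanded rule then differs in
    address/mask rather than in a range.
    """
    def repl(match):
        blocks = range_to_cidrs(match.group(1), match.group(2))
        if len(blocks) == 1:
            return blocks[0]
        return "{ " + ", ".join(blocks) + " }"
    return RANGE_RE.sub(repl, rule)


def rewrite_conf(conf):
    """Return the ruleset with all ranges in address/mask form, comments kept."""
    out = []
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            out.append(line)
        else:
            out.append(rewrite_rule(line))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for group in range_collision_groups(SAMPLE_PF_CONF):
        print(f"{len(group)} rules share a hash; only the first would load:")
        for r in group:
            print("   ", r)
    print("\nRewritten ruleset:")
    print(rewrite_conf(SAMPLE_PF_CONF), end="")
```

On the constructed sample the script reports the two 'block' rules as one collision group and rewrites 192.0.2.10 - 192.0.2.20 into four blocks (192.0.2.10/31, 192.0.2.12/30, 192.0.2.16/30, 192.0.2.20/32), while the CIDR-aligned 192.0.2.100 - 192.0.2.103 collapses to the single block 192.0.2.100/30. Because brace lists expand at load time, expect "pfctl -s rules" to show more rules than pf.conf has lines once the rewrite is applied; the point of the check is that every rewritten range appears, not that the counts match.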

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*
cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Freebsd
Freebsd freebsd
Vendors & Products Freebsd
Freebsd freebsd

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Description A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected. Some keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant. Affected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking.
Title pf silently ignores certain rules
Weaknesses CWE-1023 (Incomplete Comparison with Missing Factors)
CWE-480 (Use of Incorrect Operator)
CWE-754 (Improper Check for Unusual or Exceptional Conditions)
References

MITRE

Status: PUBLISHED

Assigner: freebsd

Published:

Updated: 2026-04-01T14:56:02.208Z

Reserved: 2026-03-24T04:14:17.566Z

Link: CVE-2026-4748

Vulnrichment

Updated: 2026-04-01T14:54:12.959Z

NVD

Status : Analyzed

Published: 2026-04-01T07:16:02.447

Modified: 2026-04-02T20:47:20.810

Link: CVE-2026-4748

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:19:14Z

Weaknesses