vulnerability
FreeBSD: VID-d35373ae-4d34-11ee-8e38-002590c1f29c (CVE-2023-4809): FreeBSD -- pf incorrectly handles multiple IPv6 fragment headers
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:C/A:N) | Sep 7, 2023 | Sep 7, 2023 | Dec 10, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published
Sep 7, 2023
Added
Sep 7, 2023
Modified
Dec 10, 2025
Description
Problem Description: With a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is. Impact: IPv6 fragments may bypass firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.
Solutions
freebsd-upgrade-base-13_2-release-p3freebsd-upgrade-base-12_4-release-p5
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.