vulnerability
pfSense: pfSense-SA-23_07.kernel: Denial of Service due to Kernel Panic from Oversize IPv6 Packets
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:N/A:C) | May 11, 2023 | Jun 23, 2023 | Feb 18, 2025 |
Description
An IPv6 packet larger than the MTU on an interface can lead to a kernel panic in
pf. For example, by generating a large ICMP packet with "ping6 -s 65500
" sent from another host to device running pfSense software.
This problem is present in pfSense Plus version 23.01. It does not affect any
release of pfSense CE, only development snapshots.
While this issue was due to an upstream problem in the FreeBSD 14.x kernel,
which is still under development, it was not present in any released version of
FreeBSD. Thus, this DoS will not have a FreeBSD security advisory.
A kernel panic causes a sudden reboot of the host, rendering it unavailable
until it completes the reboot process, thus causing a denial of service for the
interim period.
On systems using UFS, it is also possible that a kernel panic may require manual
intervention to repair the filesystem after a sudden reboot.
Solution
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.