An IPv6 packet larger than the MTU on an interface can lead to a kernel panic in
pf. For example, this can be triggered by generating a large ICMP packet with
"ping6 -s 65500 <target address>" sent from another host to a device running
pfSense software.
This problem is present in pfSense Plus version 23.01. It does not affect any
release of pfSense CE, only development snapshots.
While this issue was due to an upstream problem in the FreeBSD 14.x kernel,
which is still under development, it was not present in any released version of
FreeBSD. Thus, this DoS will not have a FreeBSD security advisory.
A kernel panic causes a sudden reboot of the host, rendering it unavailable
until it completes the reboot process, thus causing a denial of service for the
On systems using UFS, it is also possible that a kernel panic may require manual
intervention to repair the filesystem after a sudden reboot.