CVE-2025-14769 (GCVE-0-2025-14769)
Vulnerability from cvelistv5 – Published: 2026-03-09 11:34 – Updated: 2026-03-09 13:30
VLAI?
Title
ipfw denial of service
Summary
In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.
Maliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass.
Severity ?
7.5 (High)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
Date Public ?
2025-12-17 02:00
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-14769",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T13:29:55.593430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T13:30:18.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"modules": [
"ipfw"
],
"product": "FreeBSD",
"vendor": "FreeBSD",
"versions": [
{
"lessThan": "p7",
"status": "affected",
"version": "14.3-RELEASE",
"versionType": "release"
},
{
"lessThan": "p8",
"status": "affected",
"version": "13.5-RELEASE",
"versionType": "release"
}
]
}
],
"datePublic": "2025-12-17T02:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.\n\nMaliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T11:34:52.386Z",
"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"shortName": "freebsd"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:11.ipfw.asc"
}
],
"title": "ipfw denial of service",
"x_generator": {
"engine": "cvelib 1.8.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109",
"assignerShortName": "freebsd",
"cveId": "CVE-2025-14769",
"datePublished": "2026-03-09T11:34:52.386Z",
"dateReserved": "2025-12-16T02:00:18.446Z",
"dateUpdated": "2026-03-09T13:30:18.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-14769",
"date": "2026-04-16",
"epss": "9e-05",
"percentile": "0.00939"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-14769\",\"sourceIdentifier\":\"secteam@freebsd.org\",\"published\":\"2026-03-09T12:16:11.280\",\"lastModified\":\"2026-03-17T15:55:19.447\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.\\n\\nMaliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass.\"},{\"lang\":\"es\",\"value\":\"En algunos casos, el gestor `tcp-setmss` puede liberar los datos del paquete y lanzar un error sin detener el motor de procesamiento de reglas. Una regla posterior puede entonces permitir el tr\u00e1fico despu\u00e9s de que los datos del paquete hayan desaparecido, lo que resulta en una desreferencia de puntero NULL.\\n\\nPaquetes creados maliciosamente enviados desde un host remoto pueden resultar en una Denegaci\u00f3n de Servicio (DoS) si se utiliza la directiva `tcp-setmss` y una regla posterior permitir\u00eda el paso del tr\u00e1fico.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"secteam@freebsd.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-476\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"947F561E-AD65-43B9-94C1-3109A3D35248\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D1987F1-1E08-4B28-8D16-D25A091D99ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"BEC1E8A0-0402-45F1-938D-FEFDCFC3E747\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"D94457D6-738F-4ABB-BD46-F2B621531FE2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"8C38CB56-B80C-4D1B-9267-16E8F985B170\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"13DF1E38-5E8D-42FF-A4C5-092300864F3E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"83A86F81-0965-4600-835A-496756137998\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*\",\"matchCriteriaId\":\"987E31A4-7E21-471E-A3EA-4E53FFDB3DFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"9DC7C54E-58AF-4ADE-84AF-0EF0F325E20E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3D22B8C-36CF-4800-9673-0B0240558BDD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*\",\"matchCriteriaId\":\"242FA2A8-5D7D-4617-A411-2651FF3A3E4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*\",\"matchCriteriaId\":\"40573F60-F3B7-4AEC-846A-B08E5B7D9D00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*\",\"matchCriteriaId\":\"1FB832CE-0A98-44A2-8BAC-CD38A64279B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A785F8E-C218-41AE-8D57-BF06DDAEF7CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*\",\"matchCriteriaId\":\"C3909FDD-B2A2-45B6-A40B-1D303A717F15\"}]}]}],\"references\":[{\"url\":\"https://security.freebsd.org/advisories/FreeBSD-SA-25:11.ipfw.asc\",\"source\":\"secteam@freebsd.org\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-14769\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T13:29:55.593430Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-09T13:29:47.428Z\"}}], \"cna\": {\"title\": \"ipfw denial of service\", \"affected\": [{\"vendor\": \"FreeBSD\", \"modules\": [\"ipfw\"], \"product\": \"FreeBSD\", \"versions\": [{\"status\": \"affected\", \"version\": \"14.3-RELEASE\", \"lessThan\": \"p7\", \"versionType\": \"release\"}, {\"status\": \"affected\", \"version\": \"13.5-RELEASE\", \"lessThan\": \"p8\", \"versionType\": \"release\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2025-12-17T02:00:00.000Z\", \"references\": [{\"url\": \"https://security.freebsd.org/advisories/FreeBSD-SA-25:11.ipfw.asc\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.\\n\\nMaliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-476\", \"description\": \"CWE-476: NULL Pointer Dereference\"}]}], \"providerMetadata\": {\"orgId\": \"63664ac6-956c-4cba-a5d0-f46076e16109\", \"shortName\": \"freebsd\", \"dateUpdated\": \"2026-03-09T11:34:52.386Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-14769\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-09T13:30:18.204Z\", \"dateReserved\": \"2025-12-16T02:00:18.446Z\", \"assignerOrgId\": \"63664ac6-956c-4cba-a5d0-f46076e16109\", \"datePublished\": \"2026-03-09T11:34:52.386Z\", \"assignerShortName\": \"freebsd\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…