CVE-2026-4748
Received Received - Intake
Silent Dropping of Duplicate pf Rules Causes Over/Underblocking

Publication date: 2026-04-01

Last updated on: 2026-04-02

Assigner: FreeBSD

Description
A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected. Some keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant. Affected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-02
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4748
EUVD
EUVD-2026-17818
Affected Vendors & Products
Showing 18 associated CPEs
Vendor Product Version / Range
freebsd freebsd 15.0
freebsd freebsd 15.0
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 14.3
freebsd freebsd 15.0
freebsd freebsd 14.4
freebsd freebsd 15.0
freebsd freebsd From 14.0 (inc) to 14.4 (exc)
freebsd freebsd 14.3
freebsd freebsd 14.4
freebsd freebsd 15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-754 The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.
CWE-480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.
CWE-1023 The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not include one or more of these factors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a regression in the FreeBSD packet filter (pf) module's hashing mechanism used to detect duplicate rules. Specifically, rules that use the address range syntax (x.x.x.x - y.y.y.y) and differ only in the address ranges are incorrectly treated as duplicates. As a result, only the first such rule is loaded, and the others are silently dropped.

This issue does not affect rules using the address[/mask-bits] syntax. Additionally, some keywords representing actions on packet-matching rules, such as 'log', 'return ttl', or 'dnpipe', may also be affected if they appear in these rules.

Because affected rules are silently ignored, this can lead to unexpected firewall behavior, including both overblocking and underblocking of network traffic.

Compliance Impact

This vulnerability causes certain firewall rules to be silently ignored due to a regression in the hashing mechanism for address range syntax in pf. As a result, the firewall may exhibit unexpected behavior including overblocking or underblocking of network traffic.

Such unexpected firewall behavior can lead to potential security gaps or unintended exposure of sensitive data, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls and data protection.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these or other common standards and regulations.

Impact Analysis

The vulnerability can cause firewall rules to be silently dropped if they differ only in address ranges specified with the address range syntax. This silent omission means that some intended rules may not be enforced.

As a result, network traffic may be improperly filtered, leading to unexpected behavior such as overblocking legitimate traffic or underblocking malicious or unwanted traffic.

Because the failure is silent, it can be difficult to detect without explicit verification, potentially leaving systems exposed or improperly protected.

Detection Guidance

This vulnerability can be detected by reloading the pf configuration verbosely and checking for any rules that are silently dropped as duplicates.

  • Run the command: pfctl -vf /etc/pf.conf | grep already

This command will reveal any rules that are ignored due to the regression in the hashing mechanism, indicating the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include upgrading to a patched FreeBSD version or applying the provided source code patches.

  • Upgrade using package management with: pkg upgrade -r FreeBSD-base (for systems installed from base system packages).
  • Alternatively, use freebsd-update to fetch and install updates: freebsd-update fetch and freebsd-update install (for systems installed from binary distribution sets).
  • Manually apply source patches by fetching the patch and its PGP signature from FreeBSD security servers, verifying the signature, applying the patch to the source tree, recompiling the kernel, and rebooting.

As a workaround before patching, rewrite affected pf rules to avoid using the address range syntax (x.x.x.x - y.y.y.y), for example by using tables or multiple distinct rules, or by adding unique labels to differentiate rules.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4748. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart