{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4748", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2026-03-24T04:14:17.566Z", "datePublished": "2026-04-01T06:18:52.097Z", "dateUpdated": "2026-04-01T14:56:02.208Z"}, "containers": {"cna": {"datePublic": "2026-03-26T05:00:00.000Z", "title": "pf silently ignores certain rules", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:09.pf.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["pf"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"status": "affected", "versionType": "release", "version": "15.0-RELEASE", "lessThan": "p5"}, {"status": "affected", "versionType": "release", "version": "14.4-RELEASE", "lessThan": "p1"}, {"status": "affected", "versionType": "release", "version": "14.3-RELEASE", "lessThan": "p10"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Gmelin"}], "descriptions": [{"lang": "en", "value": "A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected.\n\nSome keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant.\n\nAffected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-480", "description": "CWE-480: Use of Incorrect Operator", "lang": "en", "type": "CWE"}, {"cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}, {"cweId": "CWE-1023", "description": "CWE-1023: Incomplete Comparison with Missing Factors", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-04-01T06:18:52.097Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T14:55:44.105033Z", "id": "CVE-2026-4748", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T14:56:02.208Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4748", "assignerOrgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "state": "PUBLISHED", "assignerShortName": "freebsd", "dateReserved": "2026-03-24T04:14:17.566Z", "datePublished": "2026-04-01T06:18:52.097Z", "dateUpdated": "2026-04-01T14:56:02.208Z"}, "containers": {"cna": {"datePublic": "2026-03-26T05:00:00.000Z", "title": "pf silently ignores certain rules", "references": [{"tags": ["vendor-advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:09.pf.asc"}], "affected": [{"defaultStatus": "unknown", "modules": ["pf"], "product": "FreeBSD", "vendor": "FreeBSD", "versions": [{"status": "affected", "versionType": "release", "version": "15.0-RELEASE", "lessThan": "p5"}, {"status": "affected", "versionType": "release", "version": "14.4-RELEASE", "lessThan": "p1"}, {"status": "affected", "versionType": "release", "version": "14.3-RELEASE", "lessThan": "p10"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Gmelin"}], "descriptions": [{"lang": "en", "value": "A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected.\n\nSome keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant.\n\nAffected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-480", "description": "CWE-480: Use of Incorrect Operator", "lang": "en", "type": "CWE"}, {"cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE"}, {"cweId": "CWE-1023", "description": "CWE-1023: Incomplete Comparison with Missing Factors", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "63664ac6-956c-4cba-a5d0-f46076e16109", "shortName": "freebsd", "dateUpdated": "2026-04-01T06:18:52.097Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-4748", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T14:55:44.105033Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T14:54:12.959Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*", "matchCriteriaId": "B18512F3-168B-42C3-9579-58A44E18B50B", "versionEndExcluding": "14.4", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*", "matchCriteriaId": "9DC7C54E-58AF-4ADE-84AF-0EF0F325E20E", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*", "matchCriteriaId": "D3D22B8C-36CF-4800-9673-0B0240558BDD", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*", "matchCriteriaId": "242FA2A8-5D7D-4617-A411-2651FF3A3E4C", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*", "matchCriteriaId": "40573F60-F3B7-4AEC-846A-B08E5B7D9D00", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*", "matchCriteriaId": "1FB832CE-0A98-44A2-8BAC-CD38A64279B6", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*", "matchCriteriaId": "9A785F8E-C218-41AE-8D57-BF06DDAEF7CB", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*", "matchCriteriaId": "C3909FDD-B2A2-45B6-A40B-1D303A717F15", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p7:*:*:*:*:*:*", "matchCriteriaId": "720597A2-F181-46E1-8A0D-097E17ADC4FB", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p8:*:*:*:*:*:*", "matchCriteriaId": "DC8A75D0-148A-427A-9783-45477EABED21", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p9:*:*:*:*:*:*", "matchCriteriaId": "F5D39FC9-6DBA-46C8-BB80-A6188E6A8527", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.4:-:*:*:*:*:*:*", "matchCriteriaId": "8F3856BE-666F-4FA1-A6AD-FE179CEBF1E4", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "0342A715-E211-4AF6-97ED-32EB9EBB947D", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:15.0:-:*:*:*:*:*:*", "matchCriteriaId": "368CFE5D-C5C2-42AF-AAF4-28DFE1A59C3B", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p1:*:*:*:*:*:*", "matchCriteriaId": "AA4AAA57-70A7-4717-ACF2-A253E757FF2C", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p2:*:*:*:*:*:*", "matchCriteriaId": "E24ABFA6-4D12-4DE5-832B-438502C7D188", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p3:*:*:*:*:*:*", "matchCriteriaId": "C1C9869C-494B-4628-9AA3-4AA5B989C377", "vulnerable": true}, {"criteria": "cpe:2.3:o:freebsd:freebsd:15.0:p4:*:*:*:*:*:*", "matchCriteriaId": "002AA2FE-C7BA-471A-9434-0E56A878ACBF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected.\n\nSome keywords representing actions taken on a packet-matching rule, such as 'log', 'return tll', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant.\n\nAffected rules are silently ignored, which can lead to unexpected behaviour including over- and underblocking."}], "id": "CVE-2026-4748", "lastModified": "2026-04-02T20:47:20.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-01T07:16:02.447", "references": [{"source": "secteam@freebsd.org", "tags": ["Vendor Advisory"], "url": "https://security.freebsd.org/advisories/FreeBSD-SA-26:09.pf.asc"}], "sourceIdentifier": "secteam@freebsd.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-480"}, {"lang": "en", "value": "CWE-754"}, {"lang": "en", "value": "CWE-1023"}], "source": "secteam@freebsd.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[15.0-RELEASE,p5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[14.4-RELEASE,p1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[14.3-RELEASE,p10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "FreeBSD", "source": "cna", "vendor": "FreeBSD"}, "product": "freebsd", "vendor": "freebsd"}], "analysis": {"en": {"generated_at": "2026-04-03T00:50:44.392017+00:00", "value": {"mitigation_remediation": ["Upgrade to a FreeBSD release that resolves the regression, such as a later 14.3 patch, 14.4, or 15.0 patch level", "If an immediate upgrade is not possible, review and consolidate pf rules that use address\u2011range syntax to eliminate duplicates", "After making configuration changes, run \"pfctl -s rules\" to verify the effective rule count", "Monitor firewall logs for unexpected rule filtering or PF restarts that may indicate silent rule dropping", "Consult the official FreeBSD security advisory for additional guidance"], "summary": {"action": "Apply Patch", "impact": "Incorrect firewall rule enforcement"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the FreeBSD operating system. Versions affected include FreeBSD 14.3 releases 14.3-p1 through 14.3-p9, FreeBSD 14.4 (including release candidate 1), and FreeBSD 15.0 releases 15.0-p1 through 15.0-p4. All other FreeBSD releases are considered unaffected.", "description_and_impact": "A regression in the FreeBSD packet filter caused rules that use the address range syntax (x.x.x.x - y.y.y.y) to be silently dropped as duplicates. The first rule with a given range pattern is applied, while later, identical rules are ignored. Such silent dropping can lead to over\u2011blocking or under\u2011blocking of traffic, potentially disrupting legitimate network flows. Rules expressed using an address[/mask-bits] syntax or certain action keywords are not affected, but many typical firewall configurations may still use the vulnerable syntax.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The primary risk is network disruption rather than code execution. Based on the description, the likely attack vector is a privileged local user who can modify pf configuration files. An attacker could introduce duplicate address\u2011range rules to cause subsequent rules to be ignored. No publicly available remote exploitation is documented."}}}}, "created": "2026-04-02T07:49:50.117582+00:00", "updated": "2026-04-03T09:19:14.299152+00:00", "vendors": ["freebsd", "freebsd$PRODUCT$freebsd"]}