CVE-2025-14769

In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference. Maliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://security.freebsd.org/advisories/FreeBSD-SA-25:11.ipfw.asc	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:freebsd:freebsd:13.5:-::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p1::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p2::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p3::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p4::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p5::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p6::::::
	cpe:2.3:o:freebsd:freebsd:13.5:p7::::::
	cpe:2.3:o:freebsd:freebsd:14.3:-::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p1::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p2::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p3::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p4::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p5::::::
	cpe:2.3:o:freebsd:freebsd:14.3:p6::::::

History

No history.

Information

Published : 2026-03-09 12:16

Updated : 2026-03-17 15:55

NVD link : CVE-2025-14769

Mitre link : CVE-2025-14769

CVE.ORG link : CVE-2025-14769

JSON object : View

Products Affected

freebsd

freebsd

CWE

CWE-476

NULL Pointer Dereference

{"id": "CVE-2025-14769", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-09T12:16:11.280", "references": [{"url": "https://security.freebsd.org/advisories/FreeBSD-SA-25:11.ipfw.asc", "tags": ["Vendor Advisory"], "source": "secteam@freebsd.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "secteam@freebsd.org", "description": [{"lang": "en", "value": "CWE-476"}]}], "descriptions": [{"lang": "en", "value": "In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.\n\nMaliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass."}, {"lang": "es", "value": "En algunos casos, el gestor `tcp-setmss` puede liberar los datos del paquete y lanzar un error sin detener el motor de procesamiento de reglas. Una regla posterior puede entonces permitir el tr\u00e1fico despu\u00e9s de que los datos del paquete hayan desaparecido, lo que resulta en una desreferencia de puntero NULL.\n\nPaquetes creados maliciosamente enviados desde un host remoto pueden resultar en una Denegaci\u00f3n de Servicio (DoS) si se utiliza la directiva `tcp-setmss` y una regla posterior permitir\u00eda el paso del tr\u00e1fico."}], "lastModified": "2026-03-17T15:55:19.447", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "947F561E-AD65-43B9-94C1-3109A3D35248"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D1987F1-1E08-4B28-8D16-D25A091D99ED"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEC1E8A0-0402-45F1-938D-FEFDCFC3E747"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D94457D6-738F-4ABB-BD46-F2B621531FE2"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8C38CB56-B80C-4D1B-9267-16E8F985B170"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "13DF1E38-5E8D-42FF-A4C5-092300864F3E"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83A86F81-0965-4600-835A-496756137998"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:13.5:p7:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "987E31A4-7E21-471E-A3EA-4E53FFDB3DFB"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DC7C54E-58AF-4ADE-84AF-0EF0F325E20E"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3D22B8C-36CF-4800-9673-0B0240558BDD"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "242FA2A8-5D7D-4617-A411-2651FF3A3E4C"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "40573F60-F3B7-4AEC-846A-B08E5B7D9D00"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FB832CE-0A98-44A2-8BAC-CD38A64279B6"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9A785F8E-C218-41AE-8D57-BF06DDAEF7CB"}, {"criteria": "cpe:2.3:o:freebsd:freebsd:14.3:p6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3909FDD-B2A2-45B6-A40B-1D303A717F15"}], "operator": "OR"}]}], "sourceIdentifier": "secteam@freebsd.org"}