
CVE-2025-14769: FreeBSD tcp-setmss DoS Vulnerability

CVE-2025-14769 is a denial of service vulnerability in FreeBSD's tcp-setmss handler that causes NULL pointer dereference. Malicious packets can crash systems using the tcp-setmss directive. This article covers technical details, affected versions, impact, and mitigation.

CVE-2025-14769 Overview

CVE-2025-14769 is a NULL pointer dereference vulnerability [CWE-476] in the FreeBSD ipfw packet filter. The flaw resides in the tcp-setmss handler, which can free packet data and raise an error without halting the rule processing engine. When a subsequent rule allows the now-freed traffic, the kernel dereferences a NULL pointer and panics. Remote attackers can trigger the condition by sending maliciously crafted TCP packets to a host that uses the tcp-setmss directive followed by an allow rule. The result is a kernel-level Denial of Service (DoS) against affected FreeBSD 13.5 and 14.3 systems.

Critical Impact

Unauthenticated remote attackers can crash FreeBSD kernels running ipfw rulesets that combine tcp-setmss with subsequent allow rules, causing system-wide outages.

Affected Products

  • FreeBSD 13.5 (releases through patch level p7)
  • FreeBSD 14.3 (releases through patch level p6)
  • Systems using ipfw with the tcp-setmss directive

Discovery Timeline

  • 2026-03-09 - CVE-2025-14769 published to NVD
  • 2026-03-17 - Last updated in NVD database

Technical Details for CVE-2025-14769

Vulnerability Analysis

The ipfw firewall in FreeBSD processes packets through an ordered ruleset. The tcp-setmss action modifies the TCP Maximum Segment Size (MSS) option in matching packets. In certain failure paths, the handler frees the underlying mbuf packet data and returns an error to the caller. The rule processing engine does not abort execution when this occurs. Instead, it continues evaluating subsequent rules against a packet structure whose payload pointer is no longer valid.

If a later rule issues an allow decision for the traffic, the kernel attempts to forward or further process the freed packet. The dereference of the stale pointer produces a kernel NULL pointer access and a panic. The flaw is reachable over the network and requires no authentication or user interaction.

Root Cause

The root cause is a missing post-error control flow check in the tcp-setmss handler. The handler releases packet memory on error but does not signal the rule engine to stop processing or to mark the packet as consumed. This mismatch between handler state and engine state produces the unsafe dereference downstream [CWE-476].

Attack Vector

An attacker sends crafted TCP packets toward a FreeBSD host whose ipfw configuration applies tcp-setmss before any allow rule that would match the same traffic. The malformed packet triggers the error path inside the handler. The subsequent allow rule then routes execution into code paths that read the freed buffer, causing the kernel to panic. The vector is purely network-based and exploitable across any reachable interface filtered by the vulnerable ruleset.

No public proof-of-concept code or exploit is available at this time. Refer to the FreeBSD Security Advisory SA-25:11 for vendor technical details.

Detection Methods for CVE-2025-14769

Indicators of Compromise

  • Unexpected kernel panics on FreeBSD hosts with stack traces referencing ipfw_chk, ipfw_tcp_setmss, or mbuf access functions.
  • Repeated host crashes shortly after receiving anomalous TCP traffic from a single or small set of remote sources.
  • Crash dumps in /var/crash showing NULL pointer faults during packet filter evaluation.

Detection Strategies

  • Audit ipfw rulesets for the presence of tcp-setmss actions followed by any allow rule that could match the same flow.
  • Correlate kernel panic events with inbound network telemetry to identify trigger packets.
  • Monitor system uptime regressions across FreeBSD hosts running identical firewall configurations.
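The ruleset audit in the first strategy can be scripted. The following is an added example, not code from the advisory or the FreeBSD project: it parses `ipfw list` (or `ipfw -a list`) output and reports every tcp-setmss rule that is followed by an allow rule able to match the same flow. The sample ruleset is constructed, and the overlap test is a deliberately conservative heuristic on protocol, direction and interface, not full ipfw match semantics, so it errs toward reporting a pair.

```python
import re

# Constructed sample of `ipfw list` output; not captured from a real host.
SAMPLE_RULESET = """\
00100 allow ip from any to any via lo0
00200 tcp-setmss 1400 tcp from any to any out via em0
00300 allow udp from any to any dst-port 53
00400 allow tcp from any to any established
00500 tcp-setmss 1380 tcp from any to any in via em1
00600 allow tcp from any to any dst-port 22 in via em0
65535 deny ip from any to any
"""

RULE_RE = re.compile(
    r"^\s*(\d+)\s+(?:\d+\s+\d+\s+)?"                          # number, optional -a counters
    r"(allow|accept|pass|permit|tcp-setmss)\b(?:\s+(\d+))?"   # action, optional MSS value
    r"\s+(\S+)\s+from\s+(.*)$")                               # protocol and rule body

def parse_rule(line):
    """Reduce an allow or tcp-setmss rule to the fields the overlap test needs."""
    m = RULE_RE.match(line)
    if not m:
        return None  # deny, skipto, nat, ... do not take part in this pattern
    number, action, _mss, proto, body = m.groups()
    direction = "in" if re.search(r"\bin\b", body) else (
        "out" if re.search(r"\bout\b", body) else None)
    via = re.search(r"\b(?:via|recv|xmit)\s+(\S+)", body)
    return {"number": int(number), "setmss": action == "tcp-setmss",
            "proto": proto.lower(), "direction": direction,
            "iface": via.group(1) if via else None}

def could_match_same_flow(setmss, allow):
    """Conservative heuristic: tcp-setmss only acts on TCP, so a later allow rule overlaps
    unless it names a non-TCP protocol, the opposite direction or another interface."""
    if allow["proto"] not in ("tcp", "ip", "all", "ip4", "ip6"):
        return False
    # An unspecified direction or interface is a wildcard and therefore overlaps.
    return all(setmss[k] is None or allow[k] is None or setmss[k] == allow[k]
               for k in ("direction", "iface"))

def find_setmss_before_allow(ruleset_text):
    """Return (tcp-setmss rule, later allow rule) number pairs forming the trigger pattern."""
    rules = [r for r in map(parse_rule, ruleset_text.splitlines()) if r]
    findings = []
    for i, rule in enumerate(rules):
        if rule["setmss"]:
            findings += [(rule["number"], later["number"]) for later in rules[i + 1:]
                         if not later["setmss"] and could_match_same_flow(rule, later)]
    return findings
```

On the sample, only the pair (200, 400) is reported: rule 600 is excluded by direction, rule 300 by protocol, and the second tcp-setmss rule has no matching allow rule on the same interface. Pass the captured output of `ipfw list` to `find_setmss_before_allow` to audit a live host.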

Monitoring Recommendations

  • Ship FreeBSD kernel logs and crash reports to a central logging or SIEM platform for anomaly review.
  • Track ipfw counters for rules invoking tcp-setmss to baseline normal hit volumes.
  • Alert on sudden spikes of malformed TCP packets toward externally exposed FreeBSD firewalls or routers.

How to Mitigate CVE-2025-14769

Immediate Actions Required

  • Apply the FreeBSD security patch from advisory SA-25:11 to all FreeBSD 13.5 and 14.3 systems running ipfw.
  • Inventory all hosts using ipfw and identify rulesets containing tcp-setmss actions.
  • Reboot patched systems to ensure the corrected kernel module is loaded.

Patch Information

FreeBSD has released fixes documented in FreeBSD Security Advisory SA-25:11. Administrators should update to the patched errata level for their supported branch (13.5 or 14.3) using freebsd-update or by rebuilding the kernel from corrected sources.

Workarounds

  • Remove tcp-setmss actions from ipfw rulesets until the patch can be applied.
  • Reorder rules so that allow decisions occur before any tcp-setmss action on the same traffic class.
  • Restrict network exposure of affected hosts using upstream filtering devices until remediation is complete.
Patch application on a RELEASE branch with binary updates:

```bash
# Apply FreeBSD security updates (binary updates for a RELEASE branch)
freebsd-update fetch
freebsd-update install

# Reboot to load the patched kernel
shutdown -r now

# After the reboot, verify the running kernel's patch level.
# uname reports the kernel that is currently running, so the check is only
# meaningful once the patched kernel has been booted.
freebsd-version -k
uname -a
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
