What is the severity of CVE-2023-4809?

CVE-2023-4809 has been classified with a severity level that indicates it poses a significant security risk to affected FreeBSD versions.

How do I fix CVE-2023-4809?

To address CVE-2023-4809, users should update to the latest patched version of FreeBSD that resolves the vulnerability.

Which FreeBSD versions are affected by CVE-2023-4809?

CVE-2023-4809 affects FreeBSD versions 12.4 and versions between 13.0 and 13.2.

What is the nature of the vulnerability in CVE-2023-4809?

CVE-2023-4809 involves an issue in pf packet processing where multiple IPv6 fragment headers can be improperly reassembled.

Is there a workaround for CVE-2023-4809 until I can update?

While no specific workarounds are recommended, avoiding the use of affected features until an update can be applied may help mitigate risks.

Vulnerability/
CVE-2023-4809

high

7.5

CWE

167

6/9/2023

13/2/2025

CVE-2023-4809: pf incorrectly handles multiple IPv6 fragment headers

First published: Wed Sep 06 2023(Updated: )

In pf packet processing with a 'scrub fragment reassemble' rule, a packet containing multiple IPv6 fragment headers would be reassembled, and then immediately processed. That is, a packet with multiple fragment extension headers would not be recognized as the correct ultimate payload. Instead a packet with multiple IPv6 fragment headers would unexpectedly be interpreted as a fragmented packet, rather than as whatever the real payload is. As a result, IPv6 fragments may bypass pf firewall rules written on the assumption all fragments have been reassembled and, as a result, be forwarded or processed by the host.

Credit: secteam@freebsd.org

Affected Software	Affected Version	How to fix
FreeBSD Kernel	<12.4
FreeBSD Kernel	>=13.0<13.2
FreeBSD Kernel	=12.4
FreeBSD Kernel	=12.4-p1
FreeBSD Kernel	=12.4-p2
FreeBSD Kernel	=12.4-p3
FreeBSD Kernel	=12.4-p4
FreeBSD Kernel	=12.4-rc2-p1
FreeBSD Kernel	=12.4-rc2-p2
FreeBSD Kernel	=13.2
FreeBSD Kernel	=13.2-p1
FreeBSD Kernel	=13.2-p2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-4809?
CVE-2023-4809 has been classified with a severity level that indicates it poses a significant security risk to affected FreeBSD versions.
How do I fix CVE-2023-4809?
To address CVE-2023-4809, users should update to the latest patched version of FreeBSD that resolves the vulnerability.
Which FreeBSD versions are affected by CVE-2023-4809?
CVE-2023-4809 affects FreeBSD versions 12.4 and versions between 13.0 and 13.2.
What is the nature of the vulnerability in CVE-2023-4809?
CVE-2023-4809 involves an issue in pf packet processing where multiple IPv6 fragment headers can be improperly reassembled.
Is there a workaround for CVE-2023-4809 until I can update?
While no specific workarounds are recommended, avoiding the use of affected features until an update can be applied may help mitigate risks.

collector/oss-sec
alias/CVE-2023-4809
agent/type
agent/first-publish-date
collector/mitre-cve
source/MITRE
agent/severity
agent/references
agent/title
agent/weakness
agent/softwarecombine
agent/event
agent/source
agent/trending
agent/last-modified-date
agent/author
agent/tags
agent/description
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/nvd-index
vendor/freebsd
canonical/freebsd kernel
version/freebsd kernel/13.0
version/freebsd kernel/12.4
version/freebsd kernel/12.4-p1
version/freebsd kernel/12.4-p2
version/freebsd kernel/12.4-p3
version/freebsd kernel/12.4-p4
version/freebsd kernel/12.4-rc2-p1
version/freebsd kernel/12.4-rc2-p2
version/freebsd kernel/13.2
version/freebsd kernel/13.2-p1
version/freebsd kernel/13.2-p2