CVE-2025-14769
Published: 09 March 2026
Summary
CVE-2025-14769 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in FreeBSD. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 0.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2025-14769 is a NULL pointer dereference vulnerability (CWE-476) in the ipfw firewall component of FreeBSD. In affected versions, the tcp-setmss handler may free packet data and throw an error without halting the rule processing engine. A subsequent rule can then process and allow the traffic despite the packet data being gone, triggering the dereference. The vulnerability was published on 2026-03-09 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote, unauthenticated attacker can exploit this by sending maliciously crafted packets to a targeted FreeBSD system configured with ipfw rules that include the tcp-setmss directive followed by a rule allowing the traffic. Successful exploitation results in a Denial of Service (DoS) condition due to the crash from the NULL pointer dereference.
The FreeBSD Security Advisory FreeBSD-SA-25:11.ipfw provides details on the issue and mitigation, available at https://security.freebsd.org/advisories/FreeBSD-SA-25:11.ipfw.asc.
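An added example (not from the advisory or from this page's source): a coarse audit of `ipfw list` output for the rule pattern described above, a `tcp-setmss` rule with an allow-type rule later in the ruleset. The sample ruleset is constructed, and the check assumes linear rule evaluation; it does not model `skipto`/`call` jumps or whether both rules match the same traffic.

```python
import re

# Allow-type actions; ipfw(8) treats these keywords as synonyms.
ALLOW_ACTIONS = {"allow", "accept", "pass", "permit"}

# Constructed sample in the style of `ipfw list` output (not from a real host).
SAMPLE_RULESET = """\
00100 allow ip from any to any via lo0
00200 tcp-setmss 1400 tcp from any to any tcpflags syn
00300 deny tcp from any to any dst-port 23
00400 allow tcp from any to me dst-port 22,443
65535 deny ip from any to any
"""

def parse_rules(listing):
    """Return [(rule_number, action, rule_text)] in ruleset order."""
    rules = []
    for line in listing.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if not m:
            continue  # blank lines, comments, headers
        tokens = m.group(2).split()
        i = 0
        # Skip optional "set N" / "prob P" prefixes that precede the action.
        while i + 1 < len(tokens) and tokens[i] in ("set", "prob"):
            i += 2
        if i < len(tokens):
            rules.append((int(m.group(1)), tokens[i], m.group(2)))
    return rules

def exposed_pairs(listing):
    """Return [(setmss_rule, [later_allow_rules])] for review."""
    rules = parse_rules(listing)
    findings = []
    for idx, (num, action, _) in enumerate(rules):
        if action != "tcp-setmss":
            continue
        # tcp-setmss never terminates the search, so every later
        # allow-type rule is a candidate for the described sequence.
        later = [n for n, a, _ in rules[idx + 1:] if a in ALLOW_ACTIONS]
        if later:
            findings.append((num, later))
    return findings

if __name__ == "__main__":
    for setmss, allows in exposed_pairs(SAMPLE_RULESET):
        print(f"rule {setmss} (tcp-setmss) is followed by allow rules {allows}")
```

A non-empty result only means the ruleset has the shape the advisory describes; whether the host is affected depends on the installed FreeBSD version, which the advisory covers.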
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208405
Vulnerability details
In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine. A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference. Maliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote packet-based NULL dereference enables exploitation of public-facing firewall (T1190) resulting in system crash via application/system exploitation (T1499.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
ipfw implements the boundary protection mechanism whose tcp-setmss rule-processing bug is directly exploited by the crafted packets.
AC-4 enforces the information-flow rules that the flawed tcp-setmss handler fails to terminate, allowing the subsequent allow rule to trigger the NULL dereference.
Directly addresses the FreeBSD-SA-25:11.ipfw flaw by requiring installation of the corrected ipfw code that properly halts rule processing after the packet free.