CVE-2026-4748
Published: 01 April 2026
Summary
CVE-2026-4748 is a high-severity Use of Incorrect Operator (CWE-480) vulnerability in FreeBSD. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Disable or Modify System Firewall (T1562.004); it is ranked at the 14.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-6 (Security and Privacy Function Verification).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Flaw remediation directly addresses the pf regression by applying vendor patches to fix hash calculation errors that silently drop duplicate address range rules.
Verification of security functions ensures pf firewall rules are loaded and operating correctly, identifying silent drops of intended address range rules.
Configuration settings enforce use of unaffected address[/mask-bits] syntax and validated firewall rules to avoid triggering the hash collision and rule-dropping issue.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability causes specific pf firewall rules (using address range syntax) to be silently dropped as duplicates during loading, resulting in under-blocking and ineffective filtering. This directly facilitates impairing or bypassing system firewall defenses without requiring active modification by the attacker.
NVD Description
A regression in the way hashes were calculated caused rules containing the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range(s) involved to be silently dropped as duplicates. Only the first of such rules is actually loaded into pf. Ranges expressed using the address[/mask-bits] syntax were not affected. Some keywords representing actions taken on a packet-matching rule, such as 'log', 'return ttl', or 'dnpipe', may suffer from the same issue. It is unlikely that users have such configurations, as these rules would always be redundant. Affected rules are silently ignored, which can lead to unexpected behaviour including over- and under-blocking.
Deeper analysis (AI)
CVE-2026-4748 is a vulnerability in the pf (packet filter) component of FreeBSD, arising from a regression in hash calculation for firewall rules. Rules using the address range syntax (x.x.x.x - y.y.y.y) that differ only in the address ranges are silently dropped as duplicates, with only the first such rule loaded into pf. Rules using the address[/mask-bits] syntax are unaffected. Certain action keywords on packet-matching rules, such as 'log', 'return ttl', or 'dnpipe', may experience the same issue, though such configurations are unlikely as they would be redundant. Affected rules are silently ignored, potentially causing unexpected behavior including over- and under-blocking. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWEs 480, 754, and 1023.
Per the CVSS vector, a remote attacker needs only network access: no privileges, low attack complexity, and no user interaction. Because intended firewall rules are silently dropped, the practical effect is under-blocking, which the scoring treats as a high confidentiality impact: traffic that administrators believed was filtered reaches hosts or services they meant to protect. Over-blocking may also occur, but the primary risk is gaps in filtering that lead to data exposure.
The FreeBSD Security Advisory at https://security.freebsd.org/advisories/FreeBSD-SA-26:09.pf.asc details mitigation steps for this vulnerability in pf.
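The verification control above (SI-6) amounts to two checks an administrator can script: flag groups of pf.conf rules that differ only in their address range, since those are exactly the rules the regression collapses into one, and confirm that every range written in pf.conf actually appears in the ruleset the kernel loaded (`pfctl -sr`). The following script is an added example written for this page, not FreeBSD project code; the pf.conf and `pfctl -sr` text it runs on are constructed samples, and it assumes IPv4 ranges written as `a.b.c.d - w.x.y.z` on single-line rules (IPv6 ranges and backslash-continued rules are not handled).

```python
"""Audit a pf.conf for rule groups exposed to the CVE-2026-4748 duplicate-drop
regression and verify that every address range in the config reached the
loaded ruleset.  Example code added for illustration, not FreeBSD code.
Assumption: ranges are IPv4 'a.b.c.d - w.x.y.z' on single-line rules."""
import re
from collections import defaultdict

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(rf"({IPV4})\s*-\s*({IPV4})")
FILTER_KEYWORDS = {"pass", "block", "match"}

# Constructed sample pf.conf: two block rules differ only in their address range.
SAMPLE_PF_CONF = """\
ext_if = "em0"
set skip on lo0
block in quick on $ext_if from 192.0.2.10 - 192.0.2.20 to any
block in quick on $ext_if from 192.0.2.30 - 192.0.2.40 to any   # differs only in range
block in quick on $ext_if from 198.51.100.0/24 to any
pass in quick on $ext_if proto tcp to port 22
"""

# Constructed `pfctl -sr` output as an affected system would show it:
# the second range rule never made it into the kernel.
SAMPLE_PFCTL_SR = """\
block in quick on em0 inet from 192.0.2.10 - 192.0.2.20 to any
block in quick on em0 inet from 198.51.100.0/24 to any
pass in quick on em0 inet proto tcp from any to any port = 22
"""


def filter_rules(conf_text):
    """Return the filter rules (pass/block/match) from pf.conf text with
    comments stripped and whitespace normalised; macros, options and
    tables are skipped."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        tokens = line.split()
        if tokens and tokens[0] in FILTER_KEYWORDS:
            rules.append(" ".join(tokens))
    return rules


def ranges_in(text):
    """All IPv4 'a - b' ranges in text, in canonical 'a - b' spelling."""
    return [f"{lo} - {hi}" for lo, hi in RANGE_RE.findall(text)]


def collision_groups(rules):
    """Group rules that become identical once their ranges are blanked out.
    Groups with more than one member are the ones the regression collapses
    into a single loaded rule."""
    groups = defaultdict(list)
    for rule in rules:
        if RANGE_RE.search(rule):
            groups[RANGE_RE.sub("<range>", rule)].append(rule)
    return [members for members in groups.values() if len(members) > 1]


def missing_ranges(conf_text, loaded_text):
    """Ranges present in pf.conf filter rules but absent from `pfctl -sr`."""
    wanted = set(ranges_in(" ".join(filter_rules(conf_text))))
    loaded = set(ranges_in(loaded_text))
    return sorted(wanted - loaded)


def audit(conf_text, loaded_text):
    """Combine both checks into one report."""
    rules = filter_rules(conf_text)
    return {
        "at_risk_groups": collision_groups(rules),
        "missing_ranges": missing_ranges(conf_text, loaded_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_PF_CONF, SAMPLE_PFCTL_SR)
    for group in report["at_risk_groups"]:
        print("rules differing only in address range (collapsed by the regression):")
        for rule in group:
            print("   ", rule)
    for rng in report["missing_ranges"]:
        print("NOT LOADED:", rng)
```

On a real host, feed `audit()` the contents of /etc/pf.conf and the output of `pfctl -sr`; a non-empty `missing_ranges` list after `pfctl -f /etc/pf.conf` is the silent drop the advisory describes, and a non-empty `at_risk_groups` list before patching tells you which rules to rewrite in address/mask-bits form until the fix is applied.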
Details
- CWE(s)