CVE-2019-5597

Name of the Vulnerable Software and Affected Versions FreeBSD versions 11.2 before 11.2-RELEASE-p10 FreeBSD versions 11.3-PRERELEASE FreeBSD versions 12.0 before 12.0-RELEASE-p4 FreeBSD versions 12.0-STABLE before r347591

Description The issue is related to insufficient input validation in the PF IPv6 firewall. It can be exploited by a remote attacker using a specially crafted IPv6 packet, potentially allowing them to bypass existing access control policies or cause a denial of service. The problem lies in the incorrect handling of the last extension header offset from the last received packet instead of the first packet in the pf IPv6 fragment reassembly logic.

Recommendations For FreeBSD versions 11.2 before 11.2-RELEASE-p10, update to 11.2-RELEASE-p10 or later. For FreeBSD versions 11.3-PRERELEASE, update to a version after r347591. For FreeBSD versions 12.0 before 12.0-RELEASE-p4, update to 12.0-RELEASE-p4 or later. For FreeBSD versions 12.0-STABLE before r347591, update to a version after r347591.