CVE-2026-4748

Name of the Vulnerable Software and Affected Versions pf (affected versions not specified)

Description A regression in hash calculation causes rules with the address range syntax (x.x.x.x - y.y.y.y) that only differ in the address range to be silently dropped as duplicates. Only the first such rule is loaded. Rules using the address[/mask-bits] syntax are not affected. Keywords representing actions like 'log', 'return tll', or 'dnpipe' may also be affected, but this is unlikely as such rules are typically redundant. Affected rules are silently ignored, potentially leading to unexpected behavior, including over- and underblocking.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.