CVE-2025-14769

In some cases, the `tcp-setmss` handler may free the packet data and throw an error without halting the rule processing engine.  A subsequent rule can then allow the traffic after the packet data is gone, resulting in a NULL pointer dereference.

Maliciously crafted packets sent from a remote host may result in a Denial of Service (DoS) if the `tcp-setmss` directive is used and a subsequent rule would allow the traffic to pass.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
UNKNOWN
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://security.freebsd.org/advisories/FreeBSD-SA-25:11.ipfw.asc