Vulnerability Summary: FreeBSD pf Rules Silently Ignored Due to Hash Collision (FreeBSD-SA-26:09.pf)

1. Vulnerability Overview

The FreeBSD packet filter (pf) contains a regression in its hash calculation logic when loading configurations. When rules are defined using address range syntax ( ), if different address ranges produce identical hash values, pf silently discards all rules following the first one. This results in certain firewall rules becoming ineffective, potentially leading to unexpected network behavior such as excessive blocking or insufficient filtering.

2. Scope of Impact

Affected Systems: FreeBSD 14.x series and FreeBSD 15.0.
Affected Component: pf (Packet Filter).
CVE Identifier: CVE-2026-4748.

3. Remediation

It is recommended to upgrade the system to FreeBSD 15.0-RELEASE or the FreeBSD 14.x releng/14.4 branch (post-fix date).

Method 1: Update via Base System Packages

Method 2: Update via Binary Distribution Sets

Method 3: Update via Source Code Patches

Download and verify the patch files:

Apply the patch and recompile the kernel:

Workarounds

Reload the configuration:

Check for duplicate rules:

Rewrite rules: Use tables or multiple individual rules instead of address ranges, or assign unique labels to rules.
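To support the "Rewrite rules" workaround, the following Python script (an added example, not part of the advisory or of FreeBSD's tooling) scans pf.conf text for rules that use IPv4 address ranges and proposes an equivalent table built from CIDR blocks. It assumes the pf.conf(5) `first - last` range form, one rule per line, and no `#` inside quoted strings; the sample configuration, table names and function names are constructed for illustration.

```python
import ipaddress
import re

# Assumption: pf.conf(5) range form "first - last"; IPv4 only.
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
RANGE_RE = re.compile(r"(%s)\s*-\s*(%s)" % (_IP, _IP))

# Constructed sample input (documentation address space), not from the advisory.
SAMPLE_PF_CONF = """\
ext_if = "em0"
block in on $ext_if from 192.0.2.10 - 192.0.2.20 to any
block in on $ext_if from 198.51.100.0 - 198.51.100.255 to any  # second range
pass in on $ext_if proto tcp from 203.0.113.0/24 to any port 22
"""


def find_range_rules(conf_text):
    """Return [(line_no, rule, [(first, last, [cidr, ...]), ...]), ...]."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        rule = raw.split("#", 1)[0].strip()  # drop trailing comments
        ranges = []
        for first, last in RANGE_RE.findall(rule):
            try:
                lo = ipaddress.IPv4Address(first)
                hi = ipaddress.IPv4Address(last)
                # Smallest list of CIDR blocks covering exactly lo..hi.
                nets = ipaddress.summarize_address_range(lo, hi)
                cidrs = [str(n) for n in nets]
            except ValueError:
                continue  # invalid octet or descending range: review by hand
            ranges.append((first, last, cidrs))
        if ranges:
            findings.append((line_no, rule, ranges))
    return findings


def table_suggestion(name, cidrs):
    """Render a pf table definition that covers the same addresses."""
    return "table <%s> const { %s }" % (name, ", ".join(cidrs))


if __name__ == "__main__":
    for line_no, rule, ranges in find_range_rules(SAMPLE_PF_CONF):
        print("line %d: %s" % (line_no, rule))
        for i, (first, last, cidrs) in enumerate(ranges):
            name = "range_%d_%d" % (line_no, i)  # hypothetical table name
            print("  %s - %s -> %s" % (first, last, table_suggestion(name, cidrs)))
```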