Remote Root Vulnerability In IPv6 Autoconfiguration Handler In FreeBSD

A vulnerability (CVE-2025-14558) has been found in the rtsold daemon and the rtsol utility shipped with FreeBSD that allows remote code execution with root privileges by sending a specially crafted packet announcing an IPv6 router. The RA (Router Advertisement) messages through which the vulnerability is exploited are not routed and must be discarded by routers, so an attacker has to be able to send the crafted packet from a system on the same network segment as the vulnerable host.

The rtsold daemon is used on hosts to auto-configure IPv6 connectivity via SLAAC (StateLess Address AutoConfiguration). The host sends an ICMPv6 RS (Router Solicitation) message to a multicast address and waits for RA (Router Advertisement) replies from routers carrying network prefixes and configuration parameters. The rtsol utility implements the same functionality as a one-shot command without running a daemon.

The vulnerability is caused by rtsold passing the “domain search” list carried in the RA message to the resolvconf utility without validation and without escaping special characters. resolvconf is a shell script that does not validate its input. To exploit the vulnerability it is enough to send an RA packet whose domain-search entry contains special characters, for example “test’id’test”. The vulnerability was fixed in the FreeBSD 15.0-RELEASE-p1, 14.3-RELEASE-p7 and 13.5-RELEASE-p8 updates.
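The defensive counterpart of the bug described above is to validate every domain-search entry before it is handed to anything that interprets a shell string. The following C example is added here and is not rtsold's or resolvconf's own code; the function names, the length limits taken from the DNS name rules (63-byte labels, 253-byte names) and the sample DNSSL list are all assumptions constructed for illustration. It accepts only letters, digits, hyphens and dots, which rejects backticks, quotes, `$`, `;`, whitespace and every other shell metacharacter before the value can reach an external script.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical validator (not rtsold's code): a domain-search entry is
 * accepted only if it consists of labels of 1..63 bytes made of letters,
 * digits and '-', separated by '.', not starting with '-', with a total
 * length of at most 253 bytes. A single trailing dot (FQDN form) is allowed.
 */
static bool
valid_search_domain(const char *name)
{
	size_t len, label = 0;

	if (name == NULL)
		return (false);
	len = strlen(name);
	if (len == 0 || len > 253)
		return (false);
	for (size_t i = 0; i < len; i++) {
		unsigned char c = (unsigned char)name[i];

		if (c == '.') {
			if (label == 0)	/* empty label: leading or doubled dot */
				return (false);
			label = 0;
			continue;
		}
		if (!(isalnum(c) || c == '-'))	/* rejects all shell metacharacters */
			return (false);
		if (c == '-' && label == 0)	/* label must not start with '-' */
			return (false);
		if (++label > 63)
			return (false);
	}
	return (true);
}

/* Keep only the valid entries of a received list; returns how many were kept. */
static size_t
filter_search_list(const char *const *in, size_t n, const char **out, size_t outmax)
{
	size_t kept = 0;

	for (size_t i = 0; i < n && kept < outmax; i++)
		if (valid_search_domain(in[i]))
			out[kept++] = in[i];
	return (kept);
}

/* Constructed sample standing in for the DNSSL entries of one RA message. */
static const char *const sample_dnssl[] = {
	"corp.example",
	"lab.example.net.",
	"test'id'test",		/* quotes: rejected */
	"bad;name.example",	/* command separator: rejected */
	"with space.example",	/* whitespace: rejected */
};

/* Number of sample entries that survive validation (expected: 2). */
static size_t
sample_accepted_count(void)
{
	const char *kept[8];

	return (filter_search_list(sample_dnssl,
	    sizeof(sample_dnssl) / sizeof(sample_dnssl[0]), kept, 8));
}

int
main(void)
{
	const char *kept[8];
	size_t n = filter_search_list(sample_dnssl,
	    sizeof(sample_dnssl) / sizeof(sample_dnssl[0]), kept, 8);

	for (size_t i = 0; i < n; i++)
		printf("accepted: %s\n", kept[i]);
	return (0);
}
```

Validation is a second line of defence only: the primary fix is to never build a shell command line from network-supplied strings at all and to pass such values as separate argv entries to a program that does not re-parse them.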

In addition, the FreeBSD 14.3-RELEASE-p7 and 13.5-RELEASE-p8 updates (the 15.x branch is not affected) fix a vulnerability (CVE-2025-14769) in the ipfw packet filter that allows a denial of service by sending specially crafted packets. The problem only occurs when the “tcp-setmss” action is used in ipfw rules. It is caused by the tcp-setmss handler, under certain circumstances, freeing the memory holding the received packet data and returning an error. That error was ignored by the rule-processing engine, so a subsequent rule could allow a packet whose data buffer had already been freed, leading to a null pointer dereference.
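The ipfw bug is an instance of a general pattern: an action that can consume (free) the object it was given returns an error, and a caller that drops the return value keeps working on the freed object. The following C example is added here and is not ipfw's code; the rule engine, the actions and the packet structure are simplified stand-ins constructed for illustration. The hardened rule walk stops as soon as an action reports anything other than "continue", and the comment in it marks where the unsafe variant would have carried on and dereferenced the cleared pointer.

```c
#include <stddef.h>
#include <stdlib.h>

/* Minimal packet stand-in (constructed for the example). */
struct pkt {
	unsigned char *data;
	size_t len;
};

enum verdict { RULE_CONTINUE, RULE_ACCEPT, RULE_DENY, RULE_ERROR };

/*
 * An action receives the packet pointer by reference so that, when it drops
 * the packet, it can free it and clear the caller's pointer in one place.
 */
typedef enum verdict (*rule_fn)(struct pkt **pp);

/*
 * Hypothetical stand-in for an action that may consume the packet: if the
 * payload is too short to hold the header it wants to rewrite, the packet is
 * released and an error is reported. The caller must honour that error.
 */
static enum verdict
act_rewrite_mss(struct pkt **pp)
{
	if ((*pp)->len < 20) {
		free((*pp)->data);
		free(*pp);
		*pp = NULL;
		return (RULE_ERROR);
	}
	(*pp)->data[0] = 0x05;	/* pretend to rewrite a header field */
	return (RULE_CONTINUE);
}

/* A later rule that inspects the payload and accepts the packet. */
static enum verdict
act_allow_all(struct pkt **pp)
{
	return ((*pp)->data[0] != 0 ? RULE_ACCEPT : RULE_DENY);
}

/*
 * Hardened rule walk: every non-continue verdict, errors included, ends
 * processing immediately. The unsafe variant called rules[i](pp) and ignored
 * the result; after act_rewrite_mss had freed the packet, act_allow_all would
 * then dereference the NULL pointer.
 */
static enum verdict
run_rules(struct pkt **pp, const rule_fn *rules, size_t nrules)
{
	for (size_t i = 0; i < nrules; i++) {
		enum verdict v = rules[i](pp);

		if (v != RULE_CONTINUE)
			return (v);
	}
	return (RULE_ACCEPT);	/* example default when no rule decided */
}

static struct pkt *
make_pkt(size_t len)
{
	struct pkt *p = malloc(sizeof(*p));

	p->data = calloc(len > 0 ? len : 1, 1);
	p->len = len;
	return (p);
}

/*
 * Run a two-rule constructed ruleset over a zero-filled packet of the given
 * length and return the verdict; the packet is released before returning
 * unless an action already consumed it.
 */
static enum verdict
verdict_for_len(size_t len)
{
	const rule_fn rules[] = { act_rewrite_mss, act_allow_all };
	struct pkt *p = make_pkt(len);
	enum verdict v = run_rules(&p, rules, 2);

	if (p != NULL) {
		free(p->data);
		free(p);
	}
	return (v);
}
```

With a 40-byte packet the first action rewrites the header and the second accepts it; with an 8-byte packet the first action frees the packet and the walk returns the error instead of reaching the second rule, which is exactly the check the ipfw fix restores.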
