FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Remote denial of service in IPv6 fragment reassembly

Affected packages
13.2 <= FreeBSD-kernel < 13.2_2
13.1 <= FreeBSD-kernel < 13.1_9
12.4 <= FreeBSD-kernel < 12.4_4


VuXML ID 3dabf5b8-47c0-11ee-8e38-002590c1f29c
Discovery 2023-08-01
Entry 2023-08-31

Problem Description:

Each fragment of an IPv6 packet contains a fragment header which specifies the offset of the fragment relative to the original packet, and each fragment specifies its length in the IPv6 header. When reassembling the packet, the kernel calculates the complete IPv6 payload length. The payload length must fit into a 16-bit field in the IPv6 header.

Due to a bug in the kernel, a set of carefully crafted packets can trigger an integer overflow in the calculation of the reassembled packet's payload length field.


Once an IPv6 packet has been reassembled, the kernel continues processing its contents. It does so assuming that the fragmentation layer has validated all fields of the constructed IPv6 header. This bug violates such assumptions and can be exploited to trigger a remote kernel panic, resulting in a denial of service.


CVE Name CVE-2023-3107
FreeBSD Advisory SA-23:06.ipv6