A high-severity vulnerability has been uncovered in the FreeBSD networking stack, allowing attackers to execute arbitrary code on vulnerable systems simply by sending a malicious IPv6 router advertisement. Tracked as CVE-2025-14558, the flaw exposes a dangerous lack of input sanitization in how the operating system processes network configuration data.
The vulnerability resides in the rtsol and rtsold programs—daemons responsible for handling IPv6 stateless address autoconfiguration (SLAAC). While designed to help computers automatically configure their network settings, these tools were found to be blindly trusting input from the network.
The core of the issue lies in a chain reaction between two system components. When rtsold receives a router advertisement packet, it extracts various options, including the “domain search list.” However, the advisory reveals that the program “do[es] not validate the domain search list options provided in router advertisement messages”.
Instead, it passes this data unmodified to resolvconf, a shell script used to manage DNS information. This is where the security breakdown occurs.
“resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands pass as input to resolvconf(8) may be executed,” the advisory explains.
In practice, this means an attacker on the same network can craft a specialized packet containing shell commands disguised as a domain name. When the victim’s machine processes the packet, it inadvertently runs the attacker’s commands with system privileges.
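The chain described above comes down to two missing controls: nothing checked that the router-advertised search domains were syntactically valid DNS names, and the shell script that consumed them expanded its input without quoting. The script below is an added illustration written for this article, not code from FreeBSD's rtsold or resolvconf, of what the hardened side looks like: a strict DNS-name validator plus a builder for the resolv.conf search line that quotes every expansion. The domain names and the hostile entry it feeds in are constructed samples, not captured packet data.

```shell
#!/bin/sh
# Added example, not FreeBSD's rtsold or resolvconf code. It demonstrates the
# two controls the advisory's description implies were missing: syntactic
# validation of router-advertised search domains before they reach a shell
# script, and quoting every expansion so data is never re-parsed as commands.

# Accept only a syntactically valid DNS name: labels of letters, digits and
# hyphens (1-63 characters, no leading or trailing hyphen) joined by dots,
# at most 253 characters in total. An optional trailing dot is tolerated.
# Anything else (whitespace, $, backticks, ;, quotes, glob characters) fails.
valid_search_domain() {
    d=$1
    [ -n "$d" ] && [ ${#d} -le 253 ] || return 1
    d=${d%.}
    case $d in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
    esac
    rest=$d
    while [ -n "$rest" ]; do
        label=${rest%%.*}
        case $label in -*|*-) return 1 ;; esac
        [ ${#label} -le 63 ] || return 1
        [ "$rest" = "$label" ] && break
        rest=${rest#*.}
    done
    return 0
}

# Emit a resolv.conf "search" line from the entries given as arguments.
# Invalid entries are logged to stderr and dropped; every expansion is
# double-quoted and the output goes through printf's format string, so the
# shell never interprets the data. Returns 1 if nothing valid remains.
build_search_line() {
    out=""
    for entry in "$@"; do
        if valid_search_domain "$entry"; then
            out="$out${out:+ }$entry"
        else
            printf 'rejected search-list entry: %s\n' "$entry" >&2
        fi
    done
    [ -n "$out" ] || return 1
    printf 'search %s\n' "$out"
}

# Constructed sample: two legitimate domains plus one entry carrying a shell
# metacharacter of the kind a malicious router advertisement could supply.
# Prints "search example.com corp.example" and logs the rejected entry.
build_search_line example.com corp.example 'bad;name'
```

Passing the entries as separate arguments (rather than as one string that the shell word-splits) is deliberate: unquoted word splitting and pathname expansion are themselves ways for attacker-controlled data to change what a script does, so the validator sees each entry exactly as received.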
While the vulnerability allows for Remote Code Execution (RCE), the attack vector is limited by the nature of the protocol. Router advertisements are local network traffic and are generally not forwarded across the internet by routers.
“Systems running rtsol(8) or rtsold(8) are vulnerable to remote code execution from systems on the same network segment,” the report clarifies. “In particular, router advertisement messages are not routable and should be dropped by routers, so the attack does not cross network boundaries.”
This makes the flaw particularly dangerous in untrusted local environments, such as public Wi-Fi networks, shared colocation subnets, or compromised corporate LANs.
While users who have completely disabled IPv6 or configured their interfaces to ignore router advertisements (lacking the ACCEPT_RTADV flag) are safe, those relying on standard IPv6 configurations must patch immediately.
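To turn the exposure condition above into something an administrator can check, here is an added script, not part of the advisory or of FreeBSD's tooling, that looks for the two signals the text ties to the bug: an interface whose nd6 options include ACCEPT_RTADV, and rtsold being enabled in rc.conf. The ifconfig and rc.conf text embedded below are constructed samples in FreeBSD's output format; on a real host, pipe in `ifconfig -a` and /etc/rc.conf instead. The check covers only the rtsold daemon; rtsol(8), which the advisory also names, is not detected by it.

```shell
#!/bin/sh
# Added example, not part of the advisory or FreeBSD's tooling: a read-only
# exposure check for the conditions the article ties to CVE-2025-14558.
# The ifconfig and rc.conf text below are constructed samples.

# Print the name of every interface whose "nd6 options=" line lists
# ACCEPT_RTADV. Reads ifconfig(8)-style text on stdin.
interfaces_accepting_rtadv() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        /nd6 options=.*ACCEPT_RTADV/ { print iface }
    '
}

# Return 0 if rc.conf text on stdin enables rtsold. rc(8) treats yes, true,
# on and 1 (case-insensitively) as enabled, so match all of them.
rtsold_enabled() {
    grep -iqE "^[[:space:]]*rtsold_enable=[\"']?(yes|true|on|1)[\"']?"
}

# Combine both signals into a one-line verdict. Returns 0 when the host looks
# exposed (rtsold enabled and at least one interface accepting RAs).
exposure_report() {
    ifconfig_text=$1
    rcconf_text=$2
    ifaces=$(printf '%s\n' "$ifconfig_text" | interfaces_accepting_rtadv)
    if printf '%s\n' "$rcconf_text" | rtsold_enabled && [ -n "$ifaces" ]; then
        printf 'exposed: rtsold enabled, ACCEPT_RTADV on: %s\n' \
            "$(printf '%s' "$ifaces" | tr '\n' ' ')"
        return 0
    fi
    printf 'not exposed by this check\n'
    return 1
}

# Constructed sample output: em0 accepts router advertisements, lo0 does not.
SAMPLE_IFCONFIG='em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet6 fe80::1%em0 prefixlen 64 scopeid 0x1
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    inet6 ::1 prefixlen 128
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>'

# Constructed sample rc.conf fragment with the daemon enabled.
SAMPLE_RCCONF='hostname="host.example"
rtsold_enable="YES"'

# On a live FreeBSD host replace the samples with:
#   exposure_report "$(ifconfig -a)" "$(cat /etc/rc.conf)"
exposure_report "$SAMPLE_IFCONFIG" "$SAMPLE_RCCONF"
```

The script only reads configuration; a "not exposed" result from it means neither signal was found in the supplied text, not that the host is patched, so it complements rather than replaces the upgrade steps that follow.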
Administrators are urged to upgrade to a supported FreeBSD stable or release branch dated after the correction, using one of the following methods:
- Run freebsd-update fetch followed by freebsd-update install.
- Apply the patch from the official security advisory and recompile the system using buildworld and installworld.