Netgate Blog

pfSense® software and the three CVEs announced today

Netgate has performed an assessment of today’s announced vulnerabilities: CVE-2018-8897, CVE-2018-6920, and CVE-2018-6921. We have determined that most users of pfSense® Software have no reason to be concerned. As with Meltdown and Spectre, most pfSense use cases are unaffected, except those with untrusted local users or a multi-tenant context.

However, snapshots will be available shortly with the patches applied for both 64-bit and 32-bit Intel systems on our 2.4.4-DEVELOPMENT and 2.3.6-DEVELOPMENT branches for those who require immediate access to the corrections.

Release dates - which may include other fixes - are not firm, but are anticipated to be within the next 30-45 days. The planned package-only update releases are:

  • pfSense Software release 2.4.3_1, for 64-bit Intel systems only.
  • pfSense Software release 2.3.5_2, for 32-bit Intel systems.

As more information becomes available we will share it here and on our social media channels.

More information on the vulnerabilities can be found here: