The vulnerability could have been exploited to crash the utility or run arbitrary code.
The FreeBSD developers have released updates to fix a critical vulnerability in the ping utility, which is tracked as CVE-2022-23093 and could be used for remote code execution. The flaw is a buffer overflow that occurs while processing incoming ICMP messages. As the FreeBSD developers found, the pr_pack() function copies the extracted IP and ICMP headers into stack buffers for further processing, but does not take into account that additional extended headers may be present in the packet after the IP header. If they are, pr_pack() will overwrite up to 40 bytes on the stack.
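The length handling whose absence is described above, as an added illustration in C that is not FreeBSD's ping source: the function names, constants and buffer layout are assumptions made for this example. It reads each IP header length from the IHL field, validates it against the bytes actually received, and copies only the fixed 20-byte header so that option bytes never reach the fixed-size destination.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative parser; names and layout are assumptions of this example,
 * not taken from FreeBSD's ping. */
#define IP_MIN_HLEN 20u  /* IPv4 header without options */
#define IP_MAX_HLEN 60u  /* IHL is 4 bits: 15 * 4, so up to 40 option bytes */
#define ICMP_HLEN    8u

/* Header length in bytes taken from the IHL nibble, or 0 if the value is
 * invalid or the header does not fit in the `len` bytes available. */
static size_t ip_hlen_checked(const uint8_t *p, size_t len)
{
    if (len < IP_MIN_HLEN || (p[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(p[0] & 0x0f) * 4;
    if (hlen < IP_MIN_HLEN || hlen > IP_MAX_HLEN || hlen > len)
        return 0;
    return hlen;
}

/* Parse an ICMP error reply: outer IP header, ICMP header, then the quoted
 * IP header and the first 8 bytes of the original ICMP message.
 * Returns 0 on success, -1 if the packet is malformed or truncated. */
int parse_icmp_error(const uint8_t *pkt, size_t len,
                     uint8_t quoted_ip[IP_MIN_HLEN],
                     uint8_t quoted_icmp[ICMP_HLEN])
{
    size_t outer = ip_hlen_checked(pkt, len);
    if (outer == 0 || len - outer < ICMP_HLEN)
        return -1;
    size_t off = outer + ICMP_HLEN;            /* start of quoted packet */
    size_t inner = ip_hlen_checked(pkt + off, len - off);
    if (inner == 0 || len - off - inner < ICMP_HLEN)
        return -1;
    /* Copy by destination size. Sizing this copy by `inner` instead would
     * write up to 40 bytes past a 20-byte destination when options are
     * present. */
    memcpy(quoted_ip, pkt + off, IP_MIN_HLEN);
    /* The quoted ICMP header starts after the options, not at off + 20. */
    memcpy(quoted_icmp, pkt + off + inner, ICMP_HLEN);
    return 0;
}
```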
Successful exploitation of the vulnerability could cause the utility to malfunction and also allow a remote hacker to execute arbitrary code with root privileges. This works because ping uses raw sockets to send and receive ICMP messages and runs with elevated privileges (the utility comes with the setuid root flag).
According to the FreeBSD maintainers, the threat posed by CVE-2022-23093 is greatly reduced by the fact that ping runs in a system call isolation state, which makes it difficult to access the rest of the system after exploiting the vulnerability.
All existing versions of FreeBSD are known to be affected by the vulnerability. The fix is included in the 13.1-RELEASE-p5, 12.4-RC2-p2 and 12.3-RELEASE-p10 updates.