diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c
--- a/sys/netpfil/pf/pf.c
+++ b/sys/netpfil/pf/pf.c
@@ -8946,6 +8946,14 @@
 	pd.af = AF_INET6;
 	pd.act.rtableid = -1;
 
+	if (__predict_false(m->m_len < sizeof(struct ip6_hdr)) &&
+	    (m = *m0 = m_pullup(*m0, sizeof(struct ip6_hdr))) == NULL) {
+		DPFPRINTF(PF_DEBUG_URGENT,
+		    ("pf_test6: m_len < sizeof(struct ip6_hdr)"
+		     ", pullup failed\n"));
+		PF_RULES_RUNLOCK();
+		return (PF_DROP);
+	}
 	h = mtod(m, struct ip6_hdr *);
 	off = ((caddr_t)h - m->m_data) + sizeof(struct ip6_hdr);
 
diff --git a/tests/sys/netpfil/pf/mbuf.sh b/tests/sys/netpfil/pf/mbuf.sh
--- a/tests/sys/netpfil/pf/mbuf.sh
+++ b/tests/sys/netpfil/pf/mbuf.sh
@@ -91,7 +91,68 @@
 	pft_cleanup
 }
 
+atf_test_case "inet6_in_mbuf_len" "cleanup"
+inet6_in_mbuf_len_head()
+{
+	atf_set descr 'Test that pf can handle inbound with the first mbuf with m_len < sizeof(struct ip6_hdr)'
+	atf_set require.user root
+}
+inet6_in_mbuf_len_body()
+{
+	pft_init
+	dummymbuf_init
+
+	epair=$(vnet_mkepair)
+	ifconfig ${epair}a inet6 2001:db8::1/64 up no_dad
+
+	# Set up a simple jail with one interface
+	vnet_mkjail alcatraz ${epair}b
+	jexec alcatraz ifconfig ${epair}b inet6 2001:db8::2/64 up no_dad
+
+	# Sanity check
+	atf_check -s exit:0 -o ignore ping -c1 2001:db8::2
+
+	# Should be denied
+	jexec alcatraz pfctl -e
+	pft_set_rules alcatraz \
+		"block" \
+		"pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }"
+	atf_check -s not-exit:0 -o ignore ping -c1 -t1 2001:db8::2
+
+	# Should be allowed by from/to addresses
+	pft_set_rules alcatraz \
+		"block" \
+		"pass quick inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv }" \
+		"pass in inet6 from 2001:db8::1 to 2001:db8::2"
+	atf_check -s exit:0 -o ignore ping -c1 2001:db8::2
+
+	# Should still work for m_len=0
+	jexec alcatraz pfilctl link -i dummymbuf:inet6 inet6
+	jexec alcatraz sysctl net.dummymbuf.rules="inet6 in ${epair}b pull-head 0;"
+	atf_check_equal "0" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)"
+	atf_check -s exit:0 -o ignore ping -c1 2001:db8::2
+	atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)"
+
+	# m_len=1
+	jexec alcatraz sysctl net.dummymbuf.rules="inet6 in ${epair}b pull-head 1;"
+	jexec alcatraz sysctl net.dummymbuf.hits=0
+	atf_check -s exit:0 -o ignore ping -c1 2001:db8::2
+	atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)"
+
+	# m_len=39
+	# provided IPv6 basic header is 40 bytes long, it should impact the dst addr
+	jexec alcatraz sysctl net.dummymbuf.rules="inet6 in ${epair}b pull-head 39;"
+	jexec alcatraz sysctl net.dummymbuf.hits=0
+	atf_check -s exit:0 -o ignore ping -c1 2001:db8::2
+	atf_check_equal "1" "$(jexec alcatraz sysctl -n net.dummymbuf.hits)"
+}
+inet6_in_mbuf_len_cleanup()
+{
+	pft_cleanup
+}
+
 atf_init_test_cases()
 {
 	atf_add_test_case "inet_in_mbuf_len"
+	atf_add_test_case "inet6_in_mbuf_len"
 }