Severity by source
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (vulncheck) · only source for this CVE.
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP systems. Attackers can exploit mutable per-operation state embedded in the csession struct to corrupt kernel heap memory.
AnalysisAI
Kernel heap corruption in NetBSD's opencrypto subsystem enables local privilege-adjacent attackers to crash the kernel via a double-free triggered by a race condition in cryptodev_op(). The flaw exists because mutable per-operation state - including tmp_iv, tmp_mac, iovec, and uio - was embedded directly in the shared csession struct rather than isolated per-operation, making it unsafely accessible across concurrent threads on SMP systems. An authenticated local attacker issuing simultaneous CIOCCRYPT ioctl calls on the same session identifier can race the kernel into freeing the same memory region twice, corrupting the kernel heap. No public exploit identified at time of analysis, though a technical writeup is publicly available at nasm.re/posts/uaf_netbsd_crypto/.
Technical ContextAI
The NetBSD opencrypto subsystem exposes cryptographic acceleration hardware and software via the /dev/crypto character device (cryptodev). The vulnerable code path is cryptodev_op() in sys/opencrypto/cryptodev.c, which handles the CIOCCRYPT ioctl. Prior to commit ec8451e, the csession struct embedded mutable per-operation fields - tmp_iv, tmp_mac, iovec[1], uio, and error - directly into the session-level struct. Because a csession is shared across threads by session identifier, two threads executing concurrent CIOCCRYPT on the same session ID raced on this shared mutable state. CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization) is the root cause: the absence of reference counting and per-operation isolation on csession allowed one thread's cleanup to free buffers still in use or already freed by a concurrent thread, producing a classic double-free / use-after-free condition. The fix in commit ec8451e introduces a new cryptop_data struct (cod_ctor/cod_dtor) that isolates all per-operation state, adds a kmutex_t and volatile uint32_t refcnt to csession, and implements proper reference counting across fcrypt and csession lifecycles, including CRYPTODEV_OPS_MAX as an operation cap.
RemediationAI
The upstream fix is available in NetBSD src commit ec8451efc1565516aba9e7047e1a1a1ce7953a2f (https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f). Administrators should update to a NetBSD build incorporating this commit or later; a specific tagged release version incorporating the fix has not been independently confirmed from the available data, so tracking -current or checking the NetBSD security advisory pages for a formal release is recommended. As a compensating control on systems that cannot be immediately updated, restricting access to /dev/crypto to trusted users only (e.g., via file permissions or group-based access control) would eliminate untrusted local exploitation - note this may break applications relying on hardware cryptographic acceleration. Disabling SMP (running with a single CPU) would prevent the race from triggering, but this is typically impractical on production servers. The technical writeup at https://nasm.re/posts/uaf_netbsd_crypto/ may contain additional mitigation context.
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30791
GHSA-5qv9-q5h2-c748