Skip to main content

NetBSD Kernel CVE-2026-32849

| EUVDEUVD-2026-30789 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-05-18 disclosure@vulncheck.com GHSA-rf6w-j5hg-8rcv
5.7
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
May 18, 2026 - 18:38 vuln.today
Analysis Generated
May 18, 2026 - 18:38 vuln.today

DescriptionCVE.org

NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as a signed int but assigned from an unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to /dev/crypto and a compression session type can exploit this vulnerability by providing a dst_len value exceeding INT_MAX to trigger a kernel panic through NULL pointer dereference when CONFIG_SVS is disabled and corrupted UIO pointer arithmetic.

AnalysisAI

Signed integer overflow in the NetBSD kernel's cryptodev subsystem (sys/opencrypto/cryptodev.c, prior to commit ec8451e) enables a local low-privileged attacker to crash the kernel via a NULL pointer dereference, causing a full denial of service. The type mismatch between a signed int local variable and an unsigned cop->dst_len source value in cryptodev_op() produces undefined behavior when dst_len exceeds INT_MAX, corrupting UIO pointer arithmetic and - when CONFIG_SVS is disabled - triggering a kernel panic. No public exploit identified at time of analysis, though a technical writeup at nasm.re documents related memory-handling issues in this subsystem.

Technical ContextAI

The vulnerability resides in the cryptodev_op() function within sys/opencrypto/cryptodev.c, which is the kernel-side handler for the /dev/crypto character device - a BSD-standard interface exposing hardware-accelerated cryptographic primitives to userspace. The root cause is CWE-190 (Integer Overflow or Wraparound): the local variable iov_len was declared as a signed int but receives its value from cop->dst_len, which is an unsigned type. When cop->dst_len exceeds INT_MAX (2,147,483,647), the assignment causes C undefined behavior - the value wraps or truncates to a negative integer. This corrupted value propagates into UIO (Unix I/O) iovec pointer arithmetic used to manage kernel I/O vectors for the crypto operation. When CONFIG_SVS is disabled in the kernel build, the corrupted iov_len ultimately produces a NULL pointer dereference, triggering a kernel panic. The fix in commit ec8451e refactors cryptodev operations into a new cryptop_data structure (cod_ctor/cod_dtor lifecycle functions) using size_t iov_len - an inherently unsigned, pointer-width type - eliminating the signed/unsigned mismatch entirely. Companion changes in crypto.c also tighten cpuid declarations from u_int to u_int32_t for related type safety. No CPE strings were provided in the available intelligence.

RemediationAI

The upstream fix is available as commit ec8451efc1565516aba9e7047e1a1a1ce7953a2f in the NetBSD source repository (https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f); systems running NetBSD-current should update to a snapshot dated 2026-04-29 or later. No specific patched release version number is independently confirmed from the available data - verify inclusion with the NetBSD Security Team or check for a formal NetBSD-SA advisory at netbsd.org. For systems that cannot be immediately patched, restricting permissions on the /dev/crypto device node (e.g., chmod 600 /dev/crypto, owned by root) eliminates the attack surface for unprivileged users, though this disables kernel-level cryptographic acceleration and will impact performance of IPsec, encrypted filesystems, and any application relying on opencrypto hardware offload. If compression session support is not required operationally, disabling the relevant kernel compression cipher module reduces exposure without fully removing /dev/crypto access. Enabling CONFIG_SVS in the kernel build (if the platform and configuration support it) limits the worst-case impact path from kernel panic to corrupted pointer arithmetic, but does not eliminate the underlying undefined behavior and should not be treated as a full mitigation.

Share

CVE-2026-32849 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy