Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description (CVE.org)
In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_opt_len * 8 - 2" expression with no preceding check for whether nd_opt_len is zero.
Analysis (AI)
Denial-of-service in OpenBSD slaacd and rad daemons allows local network attackers to trigger infinite loops by sending crafted ICMPv6 Neighbor Discovery packets with zero-length options, causing affected daemons to hang due to missing validation of the nd_opt_len field before arithmetic operations. OpenBSD versions through 7.8 are affected. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must be on the same local network segment as the target (adjacent network access required by the AV:A CVSS metric) and able to send ICMPv6 packets to the target host. … |
| Risk Assessment | CVSS 4.3 with AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L indicates a low-impact denial-of-service reachable from adjacent network segments with no special complexity or privileges required. … |
| Exploit Scenario | An attacker on the same local network segment (e.g., shared Wi-Fi network, switched LAN segment, or VPN) crafts an ICMPv6 Neighbor Discovery packet with a zero-length option field and sends it to a host running OpenBSD 7.8 or earlier. The slaacd or rad daemon receives the packet, enters the vulnerable code path attempting to parse the ND option, and hangs in an infinite loop due to the unchecked arithmetic on nd_opt_len. … |
| Remediation | Apply the OpenBSD errata patch from https://www.openbsd.org/errata78.html, which adds validation to ensure nd_opt_len is non-zero before performing the calculation 'nd_opt_len * 8 - 2'. … |
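
The check described in the remediation, shown in a generic ND option walker. This is an added example, not OpenBSD's slaacd or rad code; `nd_walk_options`, `struct nd_opt_view`, the result codes and both sample buffers are hypothetical names and constructed data. RFC 4861 defines the option length in units of 8 octets and treats zero as invalid, so the walker rejects it before computing `nd_opt_len * 8 - 2` or advancing the offset.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not OpenBSD source. An ND option is type (1 byte),
 * length (1 byte, units of 8 octets, header included), then payload. */
enum { ND_OK = 0, ND_ZERO_LEN = -1, ND_TRUNCATED = -2 };
struct nd_opt_view {             /* hypothetical helper type */
    uint8_t type;
    const uint8_t *data;         /* payload after the 2-byte header */
    size_t data_len;             /* nd_opt_len * 8 - 2 */
};

/* Stores up to max options in out[]; *n gets the number of options seen. */
int nd_walk_options(const uint8_t *buf, size_t len,
                    struct nd_opt_view *out, size_t max, size_t *n) {
    size_t off = 0;
    *n = 0;
    while (off < len) {
        if (len - off < 2)
            return ND_TRUNCATED;         /* no room for type + length */
        uint8_t nd_opt_len = buf[off + 1];
        if (nd_opt_len == 0)
            return ND_ZERO_LEN;          /* off would never advance */
        size_t opt_bytes = (size_t)nd_opt_len * 8;
        if (opt_bytes > len - off)
            return ND_TRUNCATED;         /* option runs past the buffer */
        if (*n < max) {
            out[*n].type = buf[off];
            out[*n].data = buf + off + 2;
            out[*n].data_len = opt_bytes - 2;
        }
        (*n)++;
        off += opt_bytes;                /* at least 8, so the loop ends */
    }
    return ND_OK;
}

/* Constructed sample inputs: the second has a zero length field. */
const uint8_t nd_sample_ok[16] = {
    0x01, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,   /* source link-layer */
    0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc }; /* MTU 1500 */
const uint8_t nd_sample_zero[16] = {
    0x01, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc }; /* length = 0 */

int main(void) {
    struct nd_opt_view v[4];
    size_t n;
    return nd_walk_options(nd_sample_zero, 16, v, 4, &n) != ND_ZERO_LEN;
}
```

A caller that gets `ND_ZERO_LEN` or `ND_TRUNCATED` should drop the whole packet rather than act on the options parsed before the error.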
Local privilege escalation in OpenBSD through 7.9 stems from a use-after-free in the System V semaphore subsystem (sys/k
In OpenBSD 7.6 before errata 006 and OpenBSD 7.5 before errata 015, traffic sent over wg(4) could result in kernel crash
Authentication bypass in OpenBSD's SPPP Password Authentication Protocol handler (`sppp_pap_input` in `sys/net/if_spppsu
EUVD-2026-23996