Skip to main content

OpenBSD SPPP CVE-2026-55706

| EUVDEUVD-2026-37521 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-06-17 mitre
5.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
5.8 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
vuln.today AI
5.8 MEDIUM

PAP must be explicitly configured on SPPP and attacker must be adjacent on the PPP link, justifying AV:A and AC:H; auth bypass scopes impact beyond the PPP subsystem.

3.1 AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
4.0 AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:N

Primary rating from Vendor (mitre).

CVSS VectorVendor: mitre

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 17, 2026 - 03:01 EUVD
Source Code Evidence Fetched
Jun 17, 2026 - 02:16 vuln.today
Analysis Generated
Jun 17, 2026 - 02:16 vuln.today

DescriptionCVE.org

sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths.

AnalysisAI

Authentication bypass in OpenBSD's SPPP Password Authentication Protocol handler (sppp_pap_input in sys/net/if_spppsubr.c) permits a network-adjacent unauthenticated attacker to obtain a fully authenticated PPP session by sending zero-length credential fields, which trivially pass an upper-bound-only length check. This logic flaw - reportedly present for 27 years - affects all OpenBSD releases prior to commit 076e2b1 and is scoped as Changed in CVSS because a successful bypass grants access to whatever network segment the PPP link protects. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain adjacency on target PPP/SPPP link
Delivery
Initiate PAP authentication exchange
Exploit
Send PAP request with zero-length name_len and passwd_len fields
Execution
Zero values pass AUTHMAXLEN upper-bound check in sppp_pap_input()
Persist
PPP session authenticated without valid credentials
Impact
Access network resources protected by the PPP link

Vulnerability AssessmentAI

Exploitation PAP (Password Authentication Protocol) must be explicitly configured and active on an OpenBSD SPPP interface - this requires an administrator to have set `authproto pap` and defined `hisauth` credentials in the PPP configuration; it is not a default state. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L (5.8) is internally consistent and plausible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with access to the PPP/SPPP link - for example, a malicious peer on a DSL connection or an adversary who has compromised an intermediate device on the point-to-point segment - sends a crafted PAP authentication request to the OpenBSD system with `name_len` and `passwd_len` both set to zero. The `sppp_pap_input()` handler evaluates `0 > AUTHMAXLEN` as false for each field and proceeds as if valid credentials were provided, granting a fully authenticated PPP session without any knowledge of the configured username or password. …
Remediation Apply the upstream kernel patch at https://github.com/openbsd/src/commit/076e2b1c1fc4ac0883a72d3544131ad5cee7adf8, which modifies the two length comparisons in `sppp_pap_input()` in `sys/net/if_spppsubr.c`. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55706 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy