Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible with no authentication since MPLS frame delivery is protocol-level; only low confidentiality impact as the read leaks partial kernel stack data with no integrity or availability consequence.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
OpenBSD before commit 6a23123 (2026-06-18) contains an out-of-bounds read vulnerability in the mpls_do_error function within sys/netmpls/mpls_input.c that allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set.
AnalysisAI
Kernel stack memory disclosure in OpenBSD's MPLS input processing exposes arbitrary kernel stack contents to unauthenticated remote attackers via crafted MPLS frames. The flaw exists in mpls_do_error within sys/netmpls/mpls_input.c (revision 1.81), where a label-stack iterator lacked an upper-bounds guard, allowing a 16-label frame with no Bottom-of-Stack bit to drive an out-of-bounds read. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target OpenBSD system must be configured to process MPLS traffic - at minimum one network interface must have MPLS enabled and be reachable by the attacker at Layer 2 or Layer 3. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) scores 6.9, reflecting network-accessible, zero-authentication exploitation with low confidentiality impact limited to partial kernel stack contents. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A remote attacker with network-layer adjacency to an OpenBSD host processing MPLS traffic sends a crafted Ethernet frame containing exactly 16 MPLS label stack entries, with the Bottom-of-Stack bit unset on every label. The `mpls_do_error` function iterates past the end of the valid label array without a bounds check, reading kernel stack memory beyond the allocated region. … |
| Remediation | Apply OpenBSD source commit 6a23123ec05f1eb29cfcaae0f3a468b2e1983cfd (https://github.com/openbsd/src/commit/6a23123ec05f1eb29cfcaae0f3a468b2e1983cfd), which introduces the `nstk >= MPLS_INKERNEL_LOOP_MAX` guard in `mpls_do_error` and rebuilds the kernel. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37938
GHSA-6qv5-f6m3-44g8