Skip to main content

OpenBSD CVE-2026-56099

| EUVDEUVD-2026-37938 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-18 VulnCheck GHSA-6qv5-f6m3-44g8
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-accessible with no authentication since MPLS frame delivery is protocol-level; only low confidentiality impact as the read leaks partial kernel stack data with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 18, 2026 - 20:06 vuln.today
Analysis Generated
Jun 18, 2026 - 20:06 vuln.today

DescriptionCVE.org

OpenBSD before commit 6a23123 (2026-06-18) contains an out-of-bounds read vulnerability in the mpls_do_error function within sys/netmpls/mpls_input.c that allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set.

AnalysisAI

Kernel stack memory disclosure in OpenBSD's MPLS input processing exposes arbitrary kernel stack contents to unauthenticated remote attackers via crafted MPLS frames. The flaw exists in mpls_do_error within sys/netmpls/mpls_input.c (revision 1.81), where a label-stack iterator lacked an upper-bounds guard, allowing a 16-label frame with no Bottom-of-Stack bit to drive an out-of-bounds read. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify OpenBSD host accepting MPLS frames
Delivery
Craft MPLS frame with 16 labels and no BoS bit set
Exploit
Transmit frame to reachable MPLS-enabled interface
Execution
mpls_do_error iterates nstk past MPLS_INKERNEL_LOOP_MAX
Persist
Out-of-bounds read leaks kernel stack memory
Impact
Attacker captures and analyzes disclosed memory contents

Vulnerability AssessmentAI

Exploitation The target OpenBSD system must be configured to process MPLS traffic - at minimum one network interface must have MPLS enabled and be reachable by the attacker at Layer 2 or Layer 3. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N) scores 6.9, reflecting network-accessible, zero-authentication exploitation with low confidentiality impact limited to partial kernel stack contents. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A remote attacker with network-layer adjacency to an OpenBSD host processing MPLS traffic sends a crafted Ethernet frame containing exactly 16 MPLS label stack entries, with the Bottom-of-Stack bit unset on every label. The `mpls_do_error` function iterates past the end of the valid label array without a bounds check, reading kernel stack memory beyond the allocated region. …
Remediation Apply OpenBSD source commit 6a23123ec05f1eb29cfcaae0f3a468b2e1983cfd (https://github.com/openbsd/src/commit/6a23123ec05f1eb29cfcaae0f3a468b2e1983cfd), which introduces the `nstk >= MPLS_INKERNEL_LOOP_MAX` guard in `mpls_do_error` and rebuilds the kernel. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy