Skip to main content

9front Plan 9 CVE-2026-9054

| EUVDEUVD-2026-31403 CRITICAL
Improper Handling of Length Parameter Inconsistency (CWE-130)
2026-05-22 9front GHSA-ggv5-f87x-rf79
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 22, 2026 - 05:45 vuln.today
Patch available
May 22, 2026 - 04:31 EUVD
CVSS changed
May 22, 2026 - 04:22 NVD
9.2 (CRITICAL)
CVE Published
May 22, 2026 - 03:21 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

An attacker sending tcp, il, rudp, rudp, or gre packets with a length less than the header size would trigger a kernel panic.

AnalysisAI

Remote denial-of-service in 9front (a fork of Plan 9 from Bell Labs) allows unauthenticated network attackers to trigger a kernel panic by sending malformed TCP, IL, RUDP, or GRE packets whose total length is shorter than the protocol header size. The flaw affects 9front Plan 9 4e prior to commit 70c97c334171c715df82774d1a47638abaca2db4 and carries a CVSS 4.0 score of 9.2 driven by high availability impact and automatable exploitation; no public exploit identified at time of analysis.

Technical ContextAI

9front is a community-maintained continuation of the Plan 9 from Bell Labs operating system, where networking protocols including TCP, IL (Internet Link, a Plan 9-specific reliable datagram protocol), RUDP (Reliable UDP), and GRE (Generic Routing Encapsulation) are implemented directly in the kernel. The bug is a missing length validation in the protocol parsers: when an inbound packet's reported or actual length is smaller than the fixed protocol header, the parser dereferences beyond the packet buffer or computes a negative remaining length, panicking the kernel. No CWE was assigned, but the behavior aligns with CWE-130 (improper handling of length parameter inconsistency) or CWE-125 (out-of-bounds read) leading to denial of service. The fix landed across three commits in the 9front repository, with 70c97c33 being the cutoff commit.

RemediationAI

Upstream fix available (commits 70c97c33, 7838d689, and f86917b7 in the 9front repository); released patched version not independently confirmed, so administrators should pull the latest 9front sources and rebuild the kernel from a commit at or after 70c97c334171c715df82774d1a47638abaca2db4 (see https://git.9front.org/plan9front/9front/70c97c334171c715df82774d1a47638abaca2db4/commit.html). Where immediate kernel rebuilding is impractical, compensating controls include placing 9front hosts behind a stateful firewall that drops malformed/runt IP packets (drop TCP/GRE/RUDP/IL fragments shorter than their protocol header sizes), and blocking inbound IL (IP protocol 40), RUDP, and GRE entirely at the network perimeter if those protocols are not in use - the trade-off is loss of any legitimate tunneling or Plan 9 inter-host IL traffic. Restricting 9front systems to trusted management VLANs eliminates the remote-attacker prerequisite at the cost of reachability for remote users.

Share

CVE-2026-9054 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy