Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:A/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An attacker sending tcp, il, rudp, rudp, or gre packets with a length less than the header size would trigger a kernel panic.
AnalysisAI
Remote denial-of-service in 9front (a fork of Plan 9 from Bell Labs) allows unauthenticated network attackers to trigger a kernel panic by sending malformed TCP, IL, RUDP, or GRE packets whose total length is shorter than the protocol header size. The flaw affects 9front Plan 9 4e prior to commit 70c97c334171c715df82774d1a47638abaca2db4 and carries a CVSS 4.0 score of 9.2 driven by high availability impact and automatable exploitation; no public exploit identified at time of analysis.
Technical ContextAI
9front is a community-maintained continuation of the Plan 9 from Bell Labs operating system, where networking protocols including TCP, IL (Internet Link, a Plan 9-specific reliable datagram protocol), RUDP (Reliable UDP), and GRE (Generic Routing Encapsulation) are implemented directly in the kernel. The bug is a missing length validation in the protocol parsers: when an inbound packet's reported or actual length is smaller than the fixed protocol header, the parser dereferences beyond the packet buffer or computes a negative remaining length, panicking the kernel. No CWE was assigned, but the behavior aligns with CWE-130 (improper handling of length parameter inconsistency) or CWE-125 (out-of-bounds read) leading to denial of service. The fix landed across three commits in the 9front repository, with 70c97c33 being the cutoff commit.
RemediationAI
Upstream fix available (commits 70c97c33, 7838d689, and f86917b7 in the 9front repository); released patched version not independently confirmed, so administrators should pull the latest 9front sources and rebuild the kernel from a commit at or after 70c97c334171c715df82774d1a47638abaca2db4 (see https://git.9front.org/plan9front/9front/70c97c334171c715df82774d1a47638abaca2db4/commit.html). Where immediate kernel rebuilding is impractical, compensating controls include placing 9front hosts behind a stateful firewall that drops malformed/runt IP packets (drop TCP/GRE/RUDP/IL fragments shorter than their protocol header sizes), and blocking inbound IL (IP protocol 40), RUDP, and GRE entirely at the network perimeter if those protocols are not in use - the trade-off is loss of any legitimate tunneling or Plan 9 inter-host IL traffic. Restricting 9front systems to trusted management VLANs eliminates the remote-attacker prerequisite at the cost of reachability for remote users.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31403
GHSA-ggv5-f87x-rf79