Skip to main content

Openbsd EUVDEUVD-2026-23996

| CVE-2026-41285 MEDIUM
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-04-21 cve@mitre.org
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 21, 2026 - 00:39 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 00:22 euvd
EUVD-2026-23996
Analysis Generated
Apr 21, 2026 - 00:22 vuln.today
CVE Published
Apr 21, 2026 - 00:16 nvd
MEDIUM 4.3

DescriptionCVE.org

In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_opt_len * 8 - 2" expression with no preceding check for whether nd_opt_len is zero.

AnalysisAI

Denial-of-service in OpenBSD slaacd and rad daemons allows local network attackers to trigger infinite loops by sending crafted ICMPv6 Neighbor Discovery packets with zero-length options, causing affected daemons to hang due to missing validation of the nd_opt_len field before arithmetic operations. OpenBSD versions through 7.8 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker on local segment
Delivery
Craft malformed ICMPv6 ND packet with zero-length option
Exploit
Send packet to target host
Install
slaacd/rad daemon receives packet
C2
Daemon executes nd_opt_len arithmetic without validation
Execute
Infinite loop triggered
Impact
Daemon hangs and stops processing legitimate ICMPv6 messages

Vulnerability AssessmentAI

Exploitation The attacker must be on the same local network segment as the target (adjacent network access required by AV:A CVSS metric) and able to send ICMPv6 packets to the target host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.3 with AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L indicates a low-impact denial-of-service reachable from adjacent network segments with no special complexity or privileges required. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same local network segment (e.g., shared Wi-Fi network, switched LAN segment, or VPN) crafts an ICMPv6 Neighbor Discovery packet with a zero-length option field and sends it to a host running OpenBSD 7.8 or earlier. The slaacd or rad daemon receives the packet, enters the vulnerable code path attempting to parse the ND option, and hangs in an infinite loop due to the unchecked arithmetic on nd_opt_len. …
Remediation Apply the OpenBSD errata patch from https://www.openbsd.org/errata78.html, which adds validation to ensure nd_opt_len is non-zero before performing the calculation 'nd_opt_len * 8 - 2'. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-23996 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy