Severity by source
AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
PAP must be explicitly configured on SPPP and attacker must be adjacent on the PPP link, justifying AV:A and AC:H; auth bypass scopes impact beyond the PPP subsystem.
Primary rating from Vendor (mitre).
CVSS Vector (Vendor: mitre)
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
Description (CVE.org)
sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths.
Analysis (AI)
Authentication bypass in OpenBSD's SPPP Password Authentication Protocol handler (sppp_pap_input in sys/net/if_spppsubr.c) permits a network-adjacent unauthenticated attacker to obtain a fully authenticated PPP session by sending zero-length credential fields, which trivially pass an upper-bound-only length check. This logic flaw - reportedly present for 27 years - affects all OpenBSD releases prior to commit 076e2b1 and is scoped as Changed in CVSS because a successful bypass grants access to whatever network segment the PPP link protects. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | PAP (Password Authentication Protocol) must be explicitly configured and active on an OpenBSD SPPP interface - this requires an administrator to have set `authproto pap` and defined `hisauth` credentials in the PPP configuration; it is not a default state. … |
| Risk Assessment | The CVSS 3.1 vector AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L (5.8) is internally consistent and plausible. … |
| Exploit Scenario | An attacker with access to the PPP/SPPP link - for example, a malicious peer on a DSL connection or an adversary who has compromised an intermediate device on the point-to-point segment - sends a crafted PAP authentication request to the OpenBSD system with `name_len` and `passwd_len` both set to zero. The `sppp_pap_input()` handler evaluates `0 > AUTHMAXLEN` as false for each field and proceeds as if valid credentials were provided, granting a fully authenticated PPP session without any knowledge of the configured username or password. … |
| Remediation | Apply the upstream kernel patch at https://github.com/openbsd/src/commit/076e2b1c1fc4ac0883a72d3544131ad5cee7adf8, which modifies the two length comparisons in `sppp_pap_input()` in `sys/net/if_spppsubr.c`. … |
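
The flaw class described above, as an added example: this is not the OpenBSD source or the upstream patch, only a self-contained model of an upper-bound-only length check beside a check that requires exact lengths. The struct, both function names, the `AUTHMAXLEN` value and the sample credentials are assumptions made for the sketch.

```c
#include <stdio.h>
#include <string.h>

#define AUTHMAXLEN 256 /* assumed value for this sketch */

/* Hypothetical stand-in for the configured hisauth credentials. */
struct pap_cfg {
    char name[AUTHMAXLEN + 1];
    char secret[AUTHMAXLEN + 1];
};

/* Upper-bound-only validation: the comparison runs over the
 * peer-supplied length, so a length of 0 compares zero bytes
 * and memcmp() reports a match. Returns 1 if accepted. */
int pap_check_upper_bound_only(const struct pap_cfg *c,
    const unsigned char *name, size_t name_len,
    const unsigned char *pw, size_t pw_len)
{
    if (name_len > AUTHMAXLEN || pw_len > AUTHMAXLEN)
        return 0;
    return memcmp(name, c->name, name_len) == 0 &&
        memcmp(pw, c->secret, pw_len) == 0;
}

/* Hardened validation: the received lengths must equal the
 * configured lengths before any bytes are compared. */
int pap_check_exact_length(const struct pap_cfg *c,
    const unsigned char *name, size_t name_len,
    const unsigned char *pw, size_t pw_len)
{
    if (name_len != strlen(c->name) || pw_len != strlen(c->secret))
        return 0;
    return memcmp(name, c->name, name_len) == 0 &&
        memcmp(pw, c->secret, pw_len) == 0;
}

int main(void)
{
    /* Constructed sample configuration and an empty request. */
    struct pap_cfg cfg = { "peer", "s3cret" };
    const unsigned char empty[1] = { 0 };

    printf("upper-bound-only, zero lengths: %d\n",
        pap_check_upper_bound_only(&cfg, empty, 0, empty, 0));
    printf("exact-length, zero lengths:     %d\n",
        pap_check_exact_length(&cfg, empty, 0, empty, 0));
    return 0;
}
```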
EUVD-2026-37521