Severity by source
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (primary rating from vendor: mitre)
Local syscall access is required (AV:L; arguably PR:L rather than the vendor's PR:N), winning a post-tsleep race makes it AC:H, and a kernel UAF yielding root gives full C:H/I:H/A:H within an unchanged scope.
Description (CVE.org)
sys/kern/sysv_sem.c in OpenBSD through 7.9 has a use-after-free allowing local privilege escalation to root. This is a context switch use-after-free after tsleep in sys_semget().
Analysis (AI)
Local privilege escalation in OpenBSD through 7.9 stems from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c), where a context-switch after tsleep() in sys_semget() leaves a dangling reference to a freed semid_ds structure. A local attacker who can win the resulting race can reclaim and corrupt the freed kernel object to escalate to root. …
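The bug class described above (a pointer to a kernel object held across a blocking call, then used after another thread has destroyed and reclaimed the object) is easier to reason about in a small model. The following C program is an added illustration, not code from OpenBSD's sysv_sem.c or from the fix commit: the descriptor table, the generation counter, the `fake_tsleep()` hook and the key/nsems values are all constructed for the demonstration. It shows the vulnerable pattern beside a hardened one that re-looks-up the object after waking and rejects it if it was freed and re-created in the meantime, which is the defensive check a reviewer would look for at any sleep point.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of an IPC descriptor table. Freed slots stay mapped so
 * the vulnerable path reads stale data instead of invoking real UB. */
#define NSEMS 4

struct sem_desc {
    int key;        /* IPC key, -1 when the slot is free */
    unsigned gen;   /* allocation generation; 0 = slot free */
    int nsems;      /* payload the caller reads after waking */
};

static struct sem_desc table[NSEMS];
static unsigned next_gen = 1;

/* Stand-in for whatever runs while the caller sleeps (the concurrent
 * thread that frees the descriptor in the real race). Assumption. */
static void (*while_asleep)(void);

static void fake_tsleep(void)
{
    if (while_asleep != NULL)
        while_asleep();
}

static struct sem_desc *lookup(int key)
{
    for (int i = 0; i < NSEMS; i++)
        if (table[i].gen != 0 && table[i].key == key)
            return &table[i];
    return NULL;
}

static struct sem_desc *alloc_desc(int key, int nsems)
{
    for (int i = 0; i < NSEMS; i++) {
        if (table[i].gen == 0) {
            table[i].key = key;
            table[i].gen = next_gen++;
            table[i].nsems = nsems;
            return &table[i];
        }
    }
    return NULL;
}

static void free_desc(struct sem_desc *d)
{
    d->gen = 0;
    d->key = -1;
    d->nsems = 0;
}

/* Vulnerable pattern: pointer held across the blocking call and reused. */
static int semget_vulnerable(int key, int *nsems_out)
{
    struct sem_desc *d = lookup(key);
    if (d == NULL)
        return -1;
    fake_tsleep();            /* context switch: d may be stale now */
    *nsems_out = d->nsems;    /* use of a freed / reclaimed slot */
    return 0;
}

/* Hardened pattern: re-lookup after waking and compare the generation, so
 * an object destroyed and re-created under the same key is rejected. */
static int semget_fixed(int key, int *nsems_out)
{
    struct sem_desc *d = lookup(key);
    if (d == NULL)
        return -1;
    unsigned gen = d->gen;
    fake_tsleep();
    d = lookup(key);
    if (d == NULL || d->gen != gen)
        return -2;            /* object went away while we slept */
    *nsems_out = d->nsems;
    return 0;
}

/* Concurrent thread: destroys key 42 and reclaims the slot with new data. */
static void destroy_and_reclaim(void)
{
    struct sem_desc *d = lookup(42);
    if (d != NULL)
        free_desc(d);
    alloc_desc(42, 99);       /* lands in the slot just freed */
}

static void reset_table(void)
{
    memset(table, 0, sizeof table);
    next_gen = 1;
    alloc_desc(42, 3);        /* constructed: key 42 with 3 semaphores */
    while_asleep = destroy_and_reclaim;
}

/* nsems the vulnerable path reports after the race: 99, the reclaimed data. */
int demo_vulnerable(void)
{
    int n = -1;
    reset_table();
    return semget_vulnerable(42, &n) == 0 ? n : -1;
}

/* Status the hardened path reports after the same race: -2, rejected. */
int demo_fixed(void)
{
    int n = -1;
    reset_table();
    return semget_fixed(42, &n);
}
```

The generation check matters beyond a plain re-lookup: because the reclaiming thread reuses the same key, `lookup()` alone would still succeed and hand back the attacker-controlled object, which is exactly the reclaim step the analysis describes.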
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires the ability to execute code on the target OpenBSD host (local access) and to invoke the System V semaphore syscalls (semget/semop/semctl), then win a narrow timing race: the dangling pointer is only exploitable when a concurrent thread frees the semid_ds_kern descriptor during the tsleep() blocking window inside sys_semget(). … |
| Risk Assessment | The provided CVSS 3.1 vector (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, 7.4) describes a local-only attack with high complexity but full confidentiality, integrity, and availability impact, consistent with a kernel race yielding root. … |
| Exploit Scenario | A logged-in local user on a multi-user OpenBSD host runs a program that repeatedly calls sys_semget() while a second thread concurrently destroys the same semaphore set, racing to trigger the use-after-free during the tsleep() context switch. By reclaiming the freed semid_ds_kern allocation with attacker-controlled data, the user corrupts kernel memory to gain root. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed. Apply the OpenBSD source change at https://github.com/openbsd/src/commit/1957873d2063db11dab780eca75b5e629d1e838d (sysv_sem.c rev 1.69 / sem.h rev 1.28), or update to the corresponding OpenBSD syspatch/errata or -stable build once published by the vendor. … |
Recommended Action (AI)
24 hours: Audit and enumerate all systems running OpenBSD 7.9 or earlier; immediately revoke non-essential local user shell access and disable System V IPC (sysctl kern.ipc.semmni) where operationally feasible. …
Weakness: CWE-416 – Use After Free
Technique: Privilege Escalation
Other identifiers: EUVD-2026-39156, GHSA-w3gf-4959-2377