OpenBSD | EUVD-2026-39156 | CVE-2026-57589 | HIGH
Use After Free (CWE-416)
2026-06-25 · mitre · GHSA-w3gf-4959-2377
CVSS 3.1: 7.4 · Vendor: mitre

Severity by source

Vendor (mitre), PRIMARY: 7.4 HIGH
CVSS 3.1: AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 7.0 HIGH
Local syscall access is required (AV:L, PR:L not PR:N), winning a post-tsleep race makes it AC:H, and a kernel UAF yielding root gives full C:H/I:H/A:H within an unchanged scope.
CVSS 3.1: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS Vector (Vendor: mitre)

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Source Code Evidence Fetched: Jun 25, 2026 - 00:59 (vuln.today)
Analysis Generated: Jun 25, 2026 - 00:59 (vuln.today)

Description (CVE.org)

sys/kern/sysv_sem.c in OpenBSD through 7.9 has a use-after-free allowing local privilege escalation to root. This is a context switch use-after-free after tsleep in sys_semget().

Analysis (AI)

Local privilege escalation in OpenBSD through 7.9 stems from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c), where a context-switch after tsleep() in sys_semget() leaves a dangling reference to a freed semid_ds structure. A local attacker who can win the resulting race can reclaim and corrupt the freed kernel object to escalate to root. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain local user shell on OpenBSD
Delivery: Invoke sys_semget with racing semaphore destroy
Exploit: Trigger tsleep context-switch use-after-free
Execution: Reclaim freed semid_ds_kern allocation
Impact: Corrupt kernel memory, escalate to root

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the ability to execute code on the target OpenBSD host (local access) and to invoke the System V semaphore syscalls (semget/semop/semctl), then win a narrow timing race: the dangling pointer is only exploitable when a concurrent thread frees the semid_ds_kern descriptor during the tsleep() blocking window inside sys_semget(). …
Risk Assessment: The provided CVSS 3.1 vector (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, 7.4) describes a local-only attack with high complexity but full confidentiality, integrity, and availability impact, consistent with a kernel race yielding root. …
Exploit Scenario: A logged-in local user on a multi-user OpenBSD host runs a program that repeatedly calls sys_semget() while a second thread concurrently destroys the same semaphore set, racing to trigger the use-after-free during the tsleep() context switch. By reclaiming the freed semid_ds_kern allocation with attacker-controlled data, the user corrupts kernel memory to gain root. …
Remediation: Upstream fix available (PR/commit); released patched version not independently confirmed. Apply the OpenBSD source change at https://github.com/openbsd/src/commit/1957873d2063db11dab780eca75b5e629d1e838d (sysv_sem.c rev 1.69 / sem.h rev 1.28), or update to the corresponding OpenBSD syspatch/errata or -stable build once published by the vendor. …

Recommended Action (AI)

24 hours: Audit and enumerate all systems running OpenBSD 7.9 or earlier; immediately revoke non-essential local user shell access and disable System V IPC (sysctl kern.ipc.semmni) where operationally feasible. …
