OpenBSD

4 CVEs product

CVE-2026-57589 HIGH This Week

Local privilege escalation in OpenBSD through 7.9 stems from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c), where a context switch after tsleep() in sys_semget() leaves a dangling reference to a freed semid_ds structure. A local attacker who can win the resulting race can reclaim and corrupt the freed kernel object to escalate to root. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; exploitation requires winning a timing-sensitive race, reflected in the high attack complexity.

Privilege Escalation Use After Free Memory Corruption Openbsd
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-55706 MEDIUM PATCH This Month

Authentication bypass in OpenBSD's SPPP Password Authentication Protocol handler (`sppp_pap_input` in `sys/net/if_spppsubr.c`) permits a network-adjacent unauthenticated attacker to obtain a fully authenticated PPP session by sending zero-length credential fields, which trivially pass an upper-bound-only length check. This logic flaw - reportedly present for 27 years - affects all OpenBSD releases prior to commit 076e2b1 and is scoped as Changed in CVSS because a successful bypass grants access to whatever network segment the PPP link protects. No public exploit code has been confirmed and no CISA KEV listing exists, but the Argus Systems research blog suggests the issue has been fully analyzed.

Authentication Bypass Openbsd
NVD GitHub VulDB
CVSS 3.1
5.8
EPSS
0.2%
CVE-2026-41285 MEDIUM This Month

Denial-of-service in OpenBSD slaacd and rad daemons allows local network attackers to trigger infinite loops by sending crafted ICMPv6 Neighbor Discovery packets with zero-length options, causing affected daemons to hang due to missing validation of the nd_opt_len field before arithmetic operations. OpenBSD versions through 7.8 are affected. No evidence of active exploitation has been identified.

Denial Of Service Openbsd
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-30334 HIGH PATCH This Week

In OpenBSD 7.6 before errata 006 and OpenBSD 7.5 before errata 015, traffic sent over wg(4) could result in a kernel crash. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable with low attack complexity.

Denial Of Service Openbsd
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%