OpenBSD
Local privilege escalation in OpenBSD through 7.9 stems from a use-after-free in the System V semaphore subsystem (sys/kern/sysv_sem.c), where a context switch after tsleep() in sys_semget() leaves a dangling reference to a freed semid_ds structure. A local attacker who wins the resulting race can reclaim and corrupt the freed kernel object to escalate to root. No public exploit had been identified at the time of analysis and the issue is not listed in CISA KEV; exploitation requires winning a timing-sensitive race, which is reflected in the high attack complexity.
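The bug class above, as an added example that is not OpenBSD's sysv_sem.c: a user-space model of a lookup-then-sleep sequence in which the pointer obtained before tsleep() is used afterwards, next to the shape that re-validates after waking. The slot table, object pool, key values and the "attacker" callback are assumptions made for illustration only; nothing here reflects the actual OpenBSD fix.

```c
/* Added example, not OpenBSD code: user-space model of a use-after-free
 * across a blocking sleep. Slot table, pool and attacker callback are
 * illustrative assumptions. */
#include <stddef.h>
#include <stdio.h>

#define SEM_SLOTS 4

struct semid_ds_model { int key; int nsems; };   /* stand-in for semid_ds */

static struct semid_ds_model pool[SEM_SLOTS];    /* backing storage (the "heap") */
static struct semid_ds_model *sema[SEM_SLOTS];   /* id -> object table */
static struct semid_ds_model *freelist[SEM_SLOTS];
static int nfree;

static void model_reset(void) {
    nfree = 0;
    for (int i = 0; i < SEM_SLOTS; i++) {
        sema[i] = NULL;
        freelist[nfree++] = &pool[i];
    }
}

static int find_slot(int key) {
    for (int i = 0; i < SEM_SLOTS; i++)
        if (sema[i] != NULL && sema[i]->key == key)
            return i;
    return -1;
}

static int sem_alloc(int key, int nsems) {
    if (nfree == 0) return -1;
    for (int i = 0; i < SEM_SLOTS; i++) {
        if (sema[i] == NULL) {
            sema[i] = freelist[--nfree];     /* LIFO: reclaims the most recently freed object */
            sema[i]->key = key;
            sema[i]->nsems = nsems;
            return i;
        }
    }
    return -1;
}

static void sem_free(int slot) {             /* models semctl(IPC_RMID) */
    freelist[nfree++] = sema[slot];
    sema[slot] = NULL;
}

typedef void (*sleep_fn)(void);              /* stands in for tsleep() */

/* Vulnerable shape: the pointer taken before sleeping is used afterwards. */
static int semget_vuln(int key, int wanted_nsems, sleep_fn tsleep) {
    int slot = find_slot(key);
    if (slot < 0) return -1;                 /* ENOENT */
    struct semid_ds_model *semaptr = sema[slot];
    tsleep();                                /* context switch: other processes run here */
    if (semaptr->nsems < wanted_nsems) return -2;   /* EINVAL, decided on possibly freed memory */
    return semaptr->key;                     /* returns whatever object now owns the memory */
}

/* Fixed shape: everything observed before the sleep is stale; look it up again. */
static int semget_fixed(int key, int wanted_nsems, sleep_fn tsleep) {
    int slot = find_slot(key);
    if (slot < 0) return -1;
    tsleep();
    slot = find_slot(key);                   /* re-validate after waking */
    if (slot < 0) return -1;                 /* removed while we slept */
    if (sema[slot]->nsems < wanted_nsems) return -2;
    return sema[slot]->key;
}

/* Attacker's process while the victim sleeps: remove the victim's set and
 * immediately allocate a new one, reclaiming the just-freed object. */
static void attacker_during_sleep(void) {
    int victim = find_slot(0x1111);
    if (victim >= 0) sem_free(victim);
    sem_alloc(0x4141, 16);
}

static void no_contention(void) {}

/* Returns the key of the object the victim's semget() ends up acting on. */
int run_race(int use_fix) {
    model_reset();
    sem_alloc(0x1111, 8);
    return use_fix ? semget_fixed(0x1111, 4, attacker_during_sleep)
                   : semget_vuln(0x1111, 4, attacker_during_sleep);
}

int run_no_race(int use_fix) {
    model_reset();
    sem_alloc(0x1111, 8);
    return use_fix ? semget_fixed(0x1111, 4, no_contention)
                   : semget_vuln(0x1111, 4, no_contention);
}

int main(void) {
    printf("vulnerable, raced: key 0x%x (attacker's reclaimed object)\n", run_race(0));
    printf("fixed, raced:      %d (ENOENT)\n", run_race(1));
    return 0;
}
```

The raced vulnerable path reports the attacker's key because the stale pointer now addresses the reclaimed object; the fixed path re-runs the lookup and returns ENOENT. In a real kernel the same re-validation (or holding a reference across the sleep) is what closes the window.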
Authentication bypass in OpenBSD's SPPP Password Authentication Protocol handler (`sppp_pap_input` in `sys/net/if_spppsubr.c`) permits a network-adjacent unauthenticated attacker to obtain a fully authenticated PPP session by sending zero-length credential fields, which trivially pass an upper-bound-only length check. This logic flaw - reportedly present for 27 years - affects all OpenBSD releases prior to commit 076e2b1 and is scoped as Changed in CVSS because a successful bypass grants access to whatever network segment the PPP link protects. No public exploit code has been confirmed and no CISA KEV listing exists, but the Argus Systems research blog suggests the issue has been fully analyzed.
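To make the length-check point concrete, here is an added example that is not OpenBSD's sppp code: a parser for a PAP Authenticate-Request (RFC 1334, section 2.2.1) with a weak check that bounds field lengths only against the buffer and then compares with the attacker-supplied length, beside a hardened check. The configuration sizes, constructed packets and the exact way the weak comparison fails are illustrative assumptions, not the real root cause in if_spppsubr.c.

```c
/* Added example, not OpenBSD's sppp code: PAP Authenticate-Request parsing
 * with an upper-bound-only length check beside a hardened one. Config sizes,
 * packets and the weak comparison are illustrative assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAP_REQ     1
#define AUTHNAMELEN 32
#define AUTHKEYLEN  32

struct pap_peer_config {
    char name[AUTHNAMELEN];    /* expected peer ID, NUL-terminated */
    char secret[AUTHKEYLEN];   /* expected password, NUL-terminated */
};

struct pap_req {
    const uint8_t *name;   size_t name_len;
    const uint8_t *passwd; size_t passwd_len;
};

/* Layout: Code(1) Id(1) Length(2) PeerIdLen(1) PeerId PasswdLen(1) Passwd.
 * Always bounds-checks against the buffer; rejects empty fields only when
 * require_nonempty is set. Returns 0 on success, -1 on malformed input. */
static int pap_parse_req(const uint8_t *pkt, size_t len, int require_nonempty,
                         struct pap_req *out)
{
    if (len < 4 || pkt[0] != PAP_REQ) return -1;
    size_t plen = ((size_t)pkt[2] << 8) | pkt[3];
    if (plen < 6 || plen > len) return -1;           /* header + two length octets minimum */
    const uint8_t *p = pkt + 4, *end = pkt + plen;

    size_t name_len = *p++;
    if (name_len > (size_t)(end - p) - 1) return -1; /* keep room for the passwd_len octet */
    out->name = p;
    p += name_len;

    size_t passwd_len = *p++;
    if (passwd_len > (size_t)(end - p)) return -1;
    out->passwd = p;

    out->name_len = name_len;
    out->passwd_len = passwd_len;
    if (require_nonempty && (name_len == 0 || passwd_len == 0)) return -1;
    return 0;
}

/* Weak: lengths are checked only against the buffer, then compared with a
 * memcmp() bounded by the attacker-supplied length. name_len == passwd_len == 0
 * makes both memcmp() calls compare zero bytes and succeed for any secret. */
int pap_auth_weak(const uint8_t *pkt, size_t len, const struct pap_peer_config *cfg)
{
    struct pap_req r;
    if (pap_parse_req(pkt, len, 0, &r) != 0) return 0;
    return memcmp(r.name, cfg->name, r.name_len) == 0 &&
           memcmp(r.passwd, cfg->secret, r.passwd_len) == 0;
}

static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

static int consteq(const uint8_t *a, const char *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ (uint8_t)b[i];
    return d == 0;
}

/* Hardened: both fields non-empty, lengths must equal the configured lengths,
 * unset credentials never match, and the comparison is constant-time. */
int pap_auth_hardened(const uint8_t *pkt, size_t len, const struct pap_peer_config *cfg)
{
    struct pap_req r;
    if (pap_parse_req(pkt, len, 1, &r) != 0) return 0;
    size_t nl = bounded_len(cfg->name, AUTHNAMELEN);
    size_t sl = bounded_len(cfg->secret, AUTHKEYLEN);
    if (nl == 0 || sl == 0) return 0;
    if (r.name_len != nl || r.passwd_len != sl) return 0;
    return consteq(r.name, cfg->name, nl) & consteq(r.passwd, cfg->secret, sl);
}

/* Constructed packets for the demo, not captured traffic. */
static const struct pap_peer_config peer_cfg = { "bob", "s3cret" };
static const uint8_t req_empty[] = { 0x01, 0x07, 0x00, 0x06, 0x00, 0x00 };
static const uint8_t req_good[]  = { 0x01, 0x08, 0x00, 0x0f, 0x03, 'b','o','b',
                                     0x06, 's','3','c','r','e','t' };
static const uint8_t req_wrong[] = { 0x01, 0x09, 0x00, 0x0f, 0x03, 'b','o','b',
                                     0x06, 'w','r','o','n','g','s' };

int main(void)
{
    printf("empty creds: weak=%d hardened=%d\n",
           pap_auth_weak(req_empty, sizeof req_empty, &peer_cfg),
           pap_auth_hardened(req_empty, sizeof req_empty, &peer_cfg));
    printf("good creds:  weak=%d hardened=%d\n",
           pap_auth_weak(req_good, sizeof req_good, &peer_cfg),
           pap_auth_hardened(req_good, sizeof req_good, &peer_cfg));
    return 0;
}
```

The six-byte request with two zero-length fields is accepted by the weak path and rejected by the hardened one; the practitioner's checks are a lower bound on each field, equality with the configured length, and refusing to authenticate at all when the configured credential is empty.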
Denial-of-service in OpenBSD slaacd and rad daemons allows local network attackers to trigger infinite loops by sending crafted ICMPv6 Neighbor Discovery packets with zero-length options, causing affected daemons to hang due to missing validation of the nd_opt_len field before arithmetic operations. OpenBSD versions through 7.8 are affected. No evidence of active exploitation has been identified.
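The hang described above comes from the TLV layout of ND options (RFC 4861, section 4.6): the length octet counts 8-octet units, so a zero value means the walker never advances. As an added example, not slaacd or rad code, here is an option walker in that shape next to one that validates nd_opt_len first; the packets are constructed for the demo, and the iteration cap exists only so the buggy variant terminates instead of spinning.

```c
/* Added example, not slaacd/rad code: ICMPv6 Neighbor Discovery option
 * walker (RFC 4861 s4.6 TLV format) that spins on nd_opt_len == 0, beside
 * the validated version. Packets below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ND_OPT_SOURCE_LINKADDR    1
#define ND_OPT_PREFIX_INFORMATION 3
#define ND_OPT_MTU                5
#define ND_OPT_MAX_ITER           64   /* demo-only guard so the buggy walker terminates */

/* Walks the options that follow the ND message header. Returns the number of
 * options, -1 if the packet must be discarded, or -2 if the walker stopped
 * making progress (what the unguarded buggy loop spins on forever).
 * strict == 0: uses nd_opt_len as received; strict == 1: validates it first. */
int nd_walk_options(const uint8_t *opts, size_t len, int strict,
                    uint8_t *types, size_t max_types)
{
    size_t off = 0, n = 0;
    int iter = 0;
    while (off + 2 <= len) {                      /* need at least type + length */
        uint8_t type = opts[off];
        size_t olen = (size_t)opts[off + 1] * 8;  /* nd_opt_len is in 8-octet units */
        if (strict) {
            if (olen == 0) return -1;             /* RFC 4861: length 0 is invalid, discard */
            if (off + olen > len) return -1;      /* option claims more than the packet holds */
        }
        if (++iter > ND_OPT_MAX_ITER) return -2;
        if (n < max_types) types[n] = type;
        n++;
        off += olen;                              /* olen == 0: off never advances */
    }
    return (int)n;
}

int nd_count_options(const uint8_t *opts, size_t len, int strict)
{
    uint8_t types[16];
    return nd_walk_options(opts, len, strict, types, sizeof types);
}

/* Constructed option blobs: SLLA (6-byte MAC) followed by MTU 1500. */
static const uint8_t ra_ok[] = {
    ND_OPT_SOURCE_LINKADDR, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    ND_OPT_MTU, 1, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc,
};
/* Same, but the second option carries nd_opt_len == 0. */
static const uint8_t ra_zero_len[] = {
    ND_OPT_SOURCE_LINKADDR, 1, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    ND_OPT_PREFIX_INFORMATION, 0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
/* A prefix option claiming 4 * 8 = 32 octets inside an 8-octet buffer. */
static const uint8_t ra_truncated[] = {
    ND_OPT_PREFIX_INFORMATION, 4, 0x40, 0xc0, 0x00, 0x00, 0x00, 0x00,
};

int main(void)
{
    printf("well-formed: buggy=%d strict=%d\n",
           nd_count_options(ra_ok, sizeof ra_ok, 0),
           nd_count_options(ra_ok, sizeof ra_ok, 1));
    printf("zero length: buggy=%d strict=%d\n",
           nd_count_options(ra_zero_len, sizeof ra_zero_len, 0),
           nd_count_options(ra_zero_len, sizeof ra_zero_len, 1));
    printf("truncated:   buggy=%d strict=%d\n",
           nd_count_options(ra_truncated, sizeof ra_truncated, 0),
           nd_count_options(ra_truncated, sizeof ra_truncated, 1));
    return 0;
}
```

The buggy walker accepts the truncated packet as well (a real parser would then read past the buffer when it decodes that option), so the check to add is both `nd_opt_len != 0` and `offset + nd_opt_len * 8 <= remaining` before any arithmetic on the value.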
In OpenBSD 7.6 before errata 006 and OpenBSD 7.5 before errata 015, traffic sent over wg(4) could result in a kernel crash. Rated high severity (CVSS 7.1); the vulnerability is remotely exploitable with low attack complexity.