OpenBSD 7.3 before errata 014 is missing an argument-count bounds check in console terminal emulation. This could cause incorrect memory access and a kernel crash after receiving crafted DCS or CSI terminal escape sequences.
Max CVSS
5.5
EPSS Score
0.04%
Published
2023-08-10
Updated
2023-08-23
A double free or use after free could occur after SSL_clear in OpenBSD 7.2 before errata 026 and 7.3 before errata 004, and in LibreSSL before 3.6.3 and 3.7.x before 3.7.3. NOTE: OpenSSL is not affected.
Max CVSS
9.8
EPSS Score
0.06%
Published
2023-06-16
Updated
2023-11-06
ascii_load_sockaddr in smtpd in OpenBSD before 7.1 errata 024 and 7.2 before errata 020, and OpenSMTPD Portable before 7.0.0-portable commit f748277, can abort upon a connection from a local, scoped IPv6 address.
Max CVSS
7.8
EPSS Score
0.04%
Published
2023-04-04
Updated
2023-05-26
In OpenBSD 7.2, a TCP packet with destination port 0 that matches a pf divert-to rule can crash the kernel.
Max CVSS
7.5
EPSS Score
0.09%
Published
2023-03-03
Updated
2023-04-06
An issue was discovered in x509/x509_verify.c in LibreSSL before 3.6.1, and in OpenBSD before 7.2 errata 001. x509_verify_ctx_add_chain does not store errors that occur during leaf certificate verification, and therefore an incorrect error is returned. This behavior occurs when there is an installed verification callback that instructs the verifier to continue upon detecting an invalid certificate.
Max CVSS
5.3
EPSS Score
0.05%
Published
2023-04-12
Updated
2023-04-21
slaacd in OpenBSD 6.9 and 7.0 before 2022-03-22 has an integer signedness error and resultant heap-based buffer overflow triggerable by a crafted IPv6 router advertisement. NOTE: privilege separation and pledge can prevent exploitation.
Max CVSS
7.5
EPSS Score
0.18%
Published
2022-03-25
Updated
2022-05-12
x509/x509_verify.c in LibreSSL before 3.4.2, and OpenBSD before 7.0 errata 006, allows authentication bypass because an error for an unverified certificate chain is sometimes discarded.
Max CVSS
9.8
EPSS Score
0.07%
Published
2023-04-15
Updated
2023-05-17
An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration.
Max CVSS
5.3
EPSS Score
0.12%
Published
2021-05-11
Updated
2021-12-03
iked in OpenIKED, as used in OpenBSD through 6.7, allows authentication bypass because ca.c has the wrong logic for checking whether a public key matches.
Max CVSS
9.8
EPSS Score
0.52%
Published
2020-07-28
Updated
2022-01-04

CVE-2019-19726

Public exploit
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root.
Max CVSS
7.8
EPSS Score
0.06%
Published
2019-12-12
Updated
2023-10-06
OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.
Max CVSS
7.8
EPSS Score
0.04%
Published
2019-12-05
Updated
2020-08-24
libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c).
Max CVSS
9.8
EPSS Score
1.47%
Published
2019-12-05
Updated
2019-12-12
xlock in OpenBSD 6.6 allows local users to gain the privileges of the auth group by providing a LIBGL_DRIVERS_PATH environment variable, because xenocara/lib/mesa/src/loader/loader.c mishandles dlopen.
Max CVSS
7.8
EPSS Score
0.04%
Published
2019-12-05
Updated
2020-08-24
In OpenBSD 6.6, local users can use the su -L option to achieve any login class (often excluding root) because there is a logic error in the main function in su/su.c.
Max CVSS
7.8
EPSS Score
0.04%
Published
2019-12-05
Updated
2021-07-21
A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel.
Max CVSS
7.4
EPSS Score
0.05%
Published
2019-12-11
Updated
2023-03-01
OpenBSD kernel version <= 6.5 can be forced to create long chains of TCP SACK holes that causes very expensive calls to tcp_sack_option() for every incoming SACK packet which can lead to a denial of service.
Max CVSS
7.5
EPSS Score
0.27%
Published
2019-08-26
Updated
2021-08-02
tss_alloc in sys/arch/i386/i386/gdt.c in OpenBSD 6.2 and 6.3 has a Local Denial of Service (system crash) due to incorrect I/O port access control on the i386 architecture.
Max CVSS
5.5
EPSS Score
0.04%
Published
2018-08-01
Updated
2018-10-03
The OpenBSD qsort() function is recursive, and not randomized, an attacker can construct a pathological input array of N elements that causes qsort() to deterministically recurse N/4 times. This allows attackers to consume arbitrary amounts of stack memory and manipulate stack memory to assist in arbitrary code execution attacks. This affects OpenBSD 6.1 and possibly earlier versions.
Max CVSS
6.5
EPSS Score
1.34%
Published
2017-06-19
Updated
2017-10-24
A flaw exists in OpenBSD's implementation of the stack guard page that allows attackers to bypass it resulting in arbitrary code execution using setuid binaries such as /usr/bin/at. This affects OpenBSD 6.1 and possibly earlier versions.
Max CVSS
9.8
EPSS Score
0.71%
Published
2017-06-19
Updated
2019-10-03
httpd in OpenBSD allows remote attackers to cause a denial of service (memory consumption) via a series of requests for a large file using an HTTP Range header.
Max CVSS
7.8
EPSS Score
1.90%
Published
2017-03-27
Updated
2019-10-03
Integer overflow in the uvm_map_isavail function in uvm/uvm_map.c in OpenBSD 5.9 allows local users to cause a denial of service (kernel panic) via a crafted mmap call, which triggers the new mapping to overlap with an existing mapping.
Max CVSS
5.5
EPSS Score
0.04%
Published
2017-03-07
Updated
2017-03-09
OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (NULL pointer dereference and panic) via a sysctl call with a path starting with 10,9.
Max CVSS
5.5
EPSS Score
0.04%
Published
2017-03-07
Updated
2017-03-09
OpenBSD 5.8 and 5.9 allows certain local users to cause a denial of service (kernel panic) by unmounting a filesystem with an open vnode on the mnt_vnodelist.
Max CVSS
5.5
EPSS Score
0.04%
Published
2017-03-07
Updated
2017-03-09
OpenBSD 5.8 and 5.9 allows certain local users with kern.usermount privileges to cause a denial of service (kernel panic) by mounting a tmpfs with a VNOVAL in the (1) username, (2) groupname, or (3) device name of the root node.
Max CVSS
4.9
EPSS Score
0.04%
Published
2017-03-07
Updated
2017-03-09
OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (kernel panic) via a large size in a getdents system call.
Max CVSS
5.5
EPSS Score
0.04%
Published
2017-03-07
Updated
2017-03-09
185 vulnerabilities found
1 2 3 4 5 6 7 8
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!