Description
NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP systems. Attackers can exploit mutable per-operation state embedded in the csession struct to corrupt kernel heap memory.
Published: 2026-05-18
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from a race condition in the cryptodev_op() function of the NetBSD OpenCrypto subsystem, allowing a local attacker to trigger a double‑free by submitting concurrent CIOCCRYPT operations on the same session identifier. The double‑free corrupts kernel heap memory, potentially leading to a crash or escalation of privileges to the kernel level. This weakness is classified as a concurrency flaw (CWE‑362) and a double‑free vulnerability (CWE‑415).

Affected Systems

Any NetBSD version before the commit ec8451efc1565516aba9e7047e1a1a1ce7953a2f in the NetBSD:src repository is vulnerable. The issue resides in the cryptodev component of the OpenCrypto subsystem.

Risk and Exploitability

The CVSS v4.0 score of 5.7 indicates medium severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires a local user who can issue CIOCCRYPT operations concurrently on the same cryptographic session on an SMP system. Successful exploitation would corrupt kernel memory, potentially enabling privilege escalation or denial of service. Given the local nature and the requirement for concurrent requests, the attack is not trivial but feasible for a privileged local attacker.

Generated by OpenCVE AI on May 18, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NetBSD to a release that includes commit ec8451efc1565516aba9e7047e1a1a1ce7953a2f or apply the patch from the NetBSD source repository
  • Rebuild and reboot the kernel with the patched source
  • If an upgrade is not yet available, restrict or serialize concurrent CIOCCRYPT operations on a single session until a patch can be applied



Advisories

No advisories yet.

History

Mon, 18 May 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP systems. Attackers can exploit mutable per-operation state embedded in the csession struct to corrupt kernel heap memory.
Title | | NetBSD cryptodev Race Condition Double-Free via cryptodev_op()
Weaknesses | | CWE-362, CWE-415
References | |
Metrics | | cvssV3_1: {'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}; cvssV4_0: {'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T17:52:55.753Z

Reserved: 2026-03-16T18:11:41.758Z

Link: CVE-2026-32848

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-18T18:17:23.207

Modified: 2026-05-18T19:42:03.353

Link: CVE-2026-32848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T19:30:26Z
