Description
NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as a signed int but assigned from an unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to /dev/crypto and a compression session type can exploit this vulnerability by providing a dst_len value exceeding INT_MAX to trigger a kernel panic through NULL pointer dereference when CONFIG_SVS is disabled and corrupted UIO pointer arithmetic.
Published: 2026-05-18
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NetBSD's cryptodev_op function has a signed integer overflow when the destination length supplied by an attacker exceeds INT_MAX. This overflow corrupts the value used in subsequent pointer arithmetic, leading to a NULL pointer dereference and a kernel panic. The flaw is classified under CWE‑190 and involves a null pointer dereference (CWE‑476).

Affected Systems

All NetBSD systems running a kernel built from source that predates the commit ec8451e are affected. The vulnerable code resides in sys/opencrypto/cryptodev.c, so any installation that provides the /dev/crypto device and supports compression session types is susceptible.

Risk and Exploitability

The CVSS score of 5.7 reflects a moderate severity. The exploit requires local access to /dev/crypto and an ability to create a compression session; it does not provide remote code execution or persistence. Because the flaw only causes a kernel crash, the main risk is a denial‑of‑service, which can be disruptive in shared or production environments. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 18, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the NetBSD source tree to include commit ec8451e, rebuild the kernel, and deploy the updated kernel image.
  • Restrict access to the /dev/crypto device by setting file permissions or ACLs so that only trusted users or groups can use it.
  • If the compression session feature is not required, disable its support or remove /dev/crypto from the system to eliminate the attack surface.

Generated by OpenCVE AI on May 18, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 18 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 18 May 2026 18:15:00 +0000

Type Values Removed Values Added
Description NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as a signed int but assigned from an unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to /dev/crypto and a compression session type can exploit this vulnerability by providing a dst_len value exceeding INT_MAX to trigger a kernel panic through NULL pointer dereference when CONFIG_SVS is disabled and corrupted UIO pointer arithmetic.
Title NetBSD Signed Integer Overflow in cryptodev_op via cryptodev.c
Weaknesses CWE-190
CWE-476
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-18T18:58:07.838Z

Reserved: 2026-03-16T18:11:41.759Z

Link: CVE-2026-32849

cve-icon Vulnrichment

Updated: 2026-05-18T18:57:13.890Z

cve-icon NVD

Status : Deferred

Published: 2026-05-18T18:17:23.377

Modified: 2026-05-18T19:42:03.353

Link: CVE-2026-32849

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-18T19:30:26Z

Weaknesses