Description
sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths.
Published: 2026-06-17
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the sppp_pap_input function in OpenBSD’s networking subsystem permits an attacker to bypass PAP authentication when the packet contains certain zero values for length fields. This oversight allows an unauthorized user to gain unauthenticated access to PPP connections, potentially compromising the confidentiality and integrity of data transmitted over those links.

Affected Systems

The vulnerability exists in all OpenBSD releases prior to the commit identified by 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8. Systems running those earlier versions of OpenBSD are susceptible, while any installation containing the fixed code is not affected.

Risk and Exploitability

The CVSS score of 5.8 categorizes the weakness as moderate, yet the EPSS score of less than 1% suggests a low probability of exploitation in the wild. It is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote; an adversary could send specially crafted PPP packets containing zero-length fields to trigger the bypass. Without some form of authentication, an attacker could then establish a PPP session and potentially access network services or data.

Generated by OpenCVE AI on June 17, 2026 at 17:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the system to a recent OpenBSD release that incorporates the commit 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8, or apply the corresponding patch to the sppp subsystem.
  • If an immediate OS upgrade is not possible, mitigate by disabling or tightly restricting the use of PAP authentication on all PPP interfaces until the fix is applied.
  • Continuously monitor authentication attempts on PPP links and audit logs for signs of unauthorized access, ensuring that any anomalous activity is investigated promptly.

Generated by OpenCVE AI on June 17, 2026 at 17:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Authentication Bypass via Zero-Length Input in sppp_pap
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Description sppp_pap_input in sys/net/if_spppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths.
First Time appeared Openbsd
Openbsd openbsd
Weaknesses CWE-1284
CPEs cpe:2.3:o:openbsd:openbsd:*:*:*:*:*:*:*:*
Vendors & Products Openbsd
Openbsd openbsd
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L'}

Subscriptions

Openbsd Openbsd
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-17T14:33:01.050Z

Reserved: 2026-06-17T00:53:22.791Z

Link: CVE-2026-55706

cve-icon Vulnrichment

Updated: 2026-06-17T14:32:37.796Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:00:04Z

Weaknesses
  • CWE-1284

    Improper Validation of Specified Quantity in Input