Description
OpenBSD before commit 6a23123 (2026-06-18) contains an out-of-bounds read vulnerability in the mpls_do_error function within sys/netmpls/mpls_input.c that allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set.
Published: 2026-06-18
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an out-of-bounds read in the mpls_do_error function, triggered by receiving an MPLS frame that contains 16 labels and lacks the Bottom-of-Stack bit. This flaw allows an attacker to read portions of the kernel stack, which could expose sensitive kernel data and assist further attacks. The flaw is classified as CWE-125 and is reflected in a CVSS score of 6.9, indicating a moderate level of risk.

Affected Systems

Any OpenBSD system running the openbsd:src code base prior to the inclusion of commit 6a23123 (dated 2026-06-18) is affected. The patch is incorporated in later OpenBSD releases, so all builds before that commit are vulnerable.

Risk and Exploitability

The attack requires network access to the target and the ability to craft MPLS packets. While the exploit does not grant direct code execution, the exposure of kernel stack contents could be leveraged with other vulnerabilities for privilege escalation. The EPSS score is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it may not yet be widely exploited in the wild. Nonetheless, the moderate CVSS score and the nature of the information disclosed warrant prompt attention.

Generated by OpenCVE AI on June 18, 2026 at 21:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a patched OpenBSD release that includes commit 6a23123 or later.
  • Until an update is applied, block or filter incoming MPLS frames that carry 16 labels with no Bottom-of-Stack bit set, to limit the disclosure risk.
  • Deploy network monitoring to detect anomalous MPLS traffic patterns that match the exploit signature and alert administrators.

Generated by OpenCVE AI on June 18, 2026 at 21:14 UTC.
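An added example (not code from OpenCVE or the OpenBSD project) of the filtering and monitoring check the recommended actions describe: a small MPLS label-stack parser that flags frames carrying 16 label entries with no Bottom-of-Stack bit among them. The entry layout is assumed from RFC 3032 (20-bit label, 3-bit TC, 1-bit S, 8-bit TTL), and the sample frames are constructed here; the check follows the advisory wording and does not model the kernel's own parsing.

```python
# Added example (not OpenCVE's or OpenBSD's code): parse an MPLS label stack
# and flag frames that match the trigger condition this record describes.
import struct

ENTRY_LEN = 4        # one label stack entry is 32 bits (RFC 3032)
TRIGGER_DEPTH = 16   # label count named in the advisory text


def parse_label_stack(frame: bytes, max_entries=None):
    """Return the leading label stack entries of `frame` as (label, tc, s, ttl).
    Stops after the entry carrying the Bottom-of-Stack (S) bit, after
    `max_entries` entries, or when the data runs out."""
    entries = []
    off = 0
    while off + ENTRY_LEN <= len(frame):
        if max_entries is not None and len(entries) >= max_entries:
            break
        (word,) = struct.unpack_from("!I", frame, off)
        label = word >> 12        # bits 31..12
        tc = (word >> 9) & 0x7    # bits 11..9, traffic class
        s = (word >> 8) & 0x1     # bit 8, Bottom-of-Stack
        ttl = word & 0xFF         # bits 7..0
        entries.append((label, tc, s, ttl))
        off += ENTRY_LEN
        if s:
            break
    return entries


def matches_trigger(frame: bytes) -> bool:
    """True when 16 entries are present and none of them sets S. This follows
    the advisory wording; it does not model how the OpenBSD kernel walks the stack."""
    entries = parse_label_stack(frame, max_entries=TRIGGER_DEPTH)
    return len(entries) == TRIGGER_DEPTH and not any(e[2] for e in entries)


def build_stack(labels, bos_index=None, ttl=64) -> bytes:
    """Constructed test input: pack `labels` into entries, setting S at `bos_index`."""
    out = bytearray()
    for i, label in enumerate(labels):
        s = 1 if i == bos_index else 0
        out += struct.pack("!I", ((label & 0xFFFFF) << 12) | (s << 8) | ttl)
    return bytes(out)


if __name__ == "__main__":
    for name, frame in [("normal", build_stack([100, 200], bos_index=1)),
                        ("suspect", build_stack(list(range(1, 17)))),
                        ("deep_ok", build_stack(list(range(1, 17)), bos_index=15))]:
        print(f"{name}: match={matches_trigger(frame)}")
```

In a monitoring pipeline, `frame` would be the bytes following the Ethernet MPLS ethertype (0x8847) of a captured packet; frames that return True are the ones the recommended actions suggest dropping or alerting on.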

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:45:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenBSD before commit 6a23123 (2026-06-18) contains an out-of-bounds read vulnerability in the mpls_do_error function within sys/netmpls/mpls_input.c that allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set.
Title       |                | OpenBSD mpls_do_error Kernel Stack Memory Disclosure via MPLS Input
Weaknesses  |                | CWE-125
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
            |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T19:29:08.271Z

Reserved: 2026-06-18T19:15:10.649Z

Link: CVE-2026-56099

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T21:15:03Z

Weaknesses