Description
sys/kern/sysv_sem.c in OpenBSD through 7.9 has a use-after-free allowing local privilege escalation to root. This is a context switch use-after-free after tsleep in sys_semget().
Published: 2026-06-25
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kernel source file sys/kern/sysv_sem.c contains a use‑after‑free bug that is triggered during a context switch after a tsleep call in sys_semget(). The flaw allows a local user to free a memory region and subsequently reference it, enabling execution of arbitrary code with kernel privileges. The result is privilege escalation to the root user with full system control. This weakness is classified as CWE‑416.

Affected Systems

All OpenBSD releases up to and including 7.9 are affected. The vulnerability resides in the sysv_sem.c component of the kernel, meaning any system built from OpenBSD 7.9 or earlier code is at risk. Versions 7.10 and later contain the patch that fixes the use‑after‑free.

Risk and Exploitability

The CVSS score of 7.4 indicates a high‑severity local privilege escalation. EPSS is not available, so the current exploitation probability remains unknown. The vulnerability is not listed in the CISA KEV catalog, but the high severity and local nature suggest that an attacker with local access could exploit it. The likely attack vector requires a local user account that can invoke the sys_semget() system call, such as running a custom program or a legitimate application that uses semaphore operations.

Generated by OpenCVE AI on June 25, 2026 at 01:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch from the OpenBSD commit 1957873d20, which addresses the use‑after‑free in sys_semget().
  • Upgrade the operating system to OpenBSD 7.10 or later once a patched release is available.
  • If upgrading is delayed, restrict semaphore operations by limiting which users can call sys_semget(), for example by adjusting file permissions or using capability‑based controls.

Generated by OpenCVE AI on June 25, 2026 at 01:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title OpenBSD Kernel Use‑After‑Free Enables Local Privilege Escalation

Thu, 25 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Description sys/kern/sysv_sem.c in OpenBSD through 7.9 has a use-after-free allowing local privilege escalation to root. This is a context switch use-after-free after tsleep in sys_semget().
First Time appeared Openbsd
Openbsd openbsd
Weaknesses CWE-416
CPEs cpe:2.3:o:openbsd:openbsd:*:*:*:*:*:*:*:*
Vendors & Products Openbsd
Openbsd openbsd
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Openbsd Openbsd
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-25T00:33:04.749Z

Reserved: 2026-06-25T00:33:04.330Z

Link: CVE-2026-57589

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:45:02Z

Weaknesses