VYPR
Medium severity 5.5 · NVD Advisory · Published May 18, 2026 · Updated May 18, 2026

CVE-2026-32849

Description

NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c, where the local variable iov_len is declared as a signed int but assigned from an unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to /dev/crypto and a compression session type can exploit this vulnerability by providing a dst_len value exceeding INT_MAX, triggering a kernel panic through a NULL pointer dereference when CONFIG_SVS is disabled and through corrupted UIO pointer arithmetic.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NetBSD cryptodev_op() signed integer overflow allows local attacker to cause kernel panic via NULL pointer dereference.

Vulnerability

NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c. The local variable iov_len is declared as a signed int but assigned from the unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. This code path is reachable by a local user with access to /dev/crypto and a compression session type [1][2].
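The type mismatch described above can be reproduced in isolation. The following is an added example, not code from NetBSD or from commit ec8451e; the function names, the `uint32_t` field type and the `MODEL_MAX_DST` bound are assumptions made for illustration, and the project's actual fix may differ.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed upper bound for this model; not a NetBSD constant. */
#define MODEL_MAX_DST (256u * 1024u)

/* Flawed pattern: the unsigned request field is narrowed into a signed int
 * before any range check. With GCC and Clang a value above INT_MAX comes
 * out negative, so an upper-bound test on the signed copy accepts it. */
static int flawed_validate(uint32_t dst_len, int *iov_len)
{
    *iov_len = (int)dst_len;            /* sign changes above INT_MAX */
    if (*iov_len > (int)MODEL_MAX_DST)
        return E2BIG;
    return 0;                           /* negative length accepted */
}

/* Hardened pattern: check the range while the value is still unsigned,
 * then carry it in a size_t so no later code sees a negative length. */
static int checked_validate(uint32_t dst_len, size_t *iov_len)
{
    if (dst_len == 0 || dst_len > MODEL_MAX_DST)
        return EINVAL;
    *iov_len = (size_t)dst_len;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one ordinary size, one just above INT_MAX. */
    const uint32_t samples[] = { 4096u, (uint32_t)INT_MAX + 1u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int s = 0;
        size_t u = 0;
        int fr = flawed_validate(samples[i], &s);
        int cr = checked_validate(samples[i], &u);
        printf("dst_len=%u flawed: rc=%d iov_len=%d | checked: rc=%d\n",
               (unsigned)samples[i], fr, s, cr);
    }
    return 0;
}
```

Building kernel and driver code with `-Wsign-conversion` (GCC and Clang) flags this kind of implicit unsigned-to-signed assignment at compile time.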

Exploitation

An attacker must have local access to the system, the ability to open /dev/crypto, and the ability to create a compression session. When the attacker provides a dst_len value exceeding INT_MAX in the CIOCCRYPT ioctl request, the signed integer overflow causes the kernel to bypass critical memory allocations while continuing with data copies. When CONFIG_SVS is disabled, this leads to corrupted UIO pointer arithmetic and a NULL pointer dereference, resulting in a kernel panic [1][2].

Impact

Successful exploitation results in a kernel panic (denial of service) via a NULL pointer dereference. No privilege escalation or information disclosure is described in the available references [1][2].

Mitigation

The vulnerability is fixed in NetBSD commit ec8451e (applied 2026-04-29) [3]. Users should update to a version of NetBSD that includes this commit. No workaround is documented, and the CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
