Medium severity4.3NVD Advisory· Published Apr 21, 2026· Updated Apr 24, 2026
CVE-2026-41285
CVE-2026-41285
Description
In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_opt_len * 8 - 2" expression with no preceding check for whether nd_opt_len is zero.
Affected products
1Patches
1086c5738bcd3These programs spin if they receive a RA from the local network with
2 files changed · +8 −2
sbin/slaacd/engine.c+5 −1 modified@@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.99 2024/11/21 13:35:20 claudio Exp $ */ +/* $OpenBSD: engine.c,v 1.100 2026/04/12 23:57:31 deraadt Exp $ */ /* * Copyright (c) 2017 Florian Obser <florian@openbsd.org> @@ -1474,6 +1474,8 @@ parse_ra(struct slaacd_iface *iface, struct imsg_ra *ra) struct in6_addr *in6; int i; + if (nd_opt_hdr->nd_opt_len == 0) + goto err; len -= sizeof(struct nd_opt_hdr); p += sizeof(struct nd_opt_hdr); @@ -1760,6 +1762,8 @@ debug_log_ra(struct imsg_ra *ra) struct in6_addr *in6; int i; + if (nd_opt_hdr->nd_opt_len == 0) + return; len -= sizeof(struct nd_opt_hdr); p += sizeof(struct nd_opt_hdr); if (nd_opt_hdr->nd_opt_len * 8 - 2 > len) {
usr.sbin/rad/engine.c+3 −1 modified@@ -1,4 +1,4 @@ -/* $OpenBSD: engine.c,v 1.29 2025/04/27 16:23:04 florian Exp $ */ +/* $OpenBSD: engine.c,v 1.30 2026/04/12 23:57:27 deraadt Exp $ */ /* * Copyright (c) 2018 Florian Obser <florian@openbsd.org> @@ -541,6 +541,8 @@ parse_rs(struct imsg_ra_rs *rs) while ((size_t)len >= sizeof(struct nd_opt_hdr)) { struct nd_opt_hdr *nd_opt_hdr = (struct nd_opt_hdr *)p; + if (nd_opt_hdr->nd_opt_len == 0) + return; len -= sizeof(struct nd_opt_hdr); p += sizeof(struct nd_opt_hdr);
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/openbsd/src/commit/086c5738bcd3c203bcc08d024fcf983cb409115fnvdPatch
- www.openbsd.org/errata78.htmlnvdProductRelease Notes
- www.rfc-editor.org/rfc/rfc4861nvdNot Applicable
News mentions
0No linked articles in our index yet.