CVE-2026-9054
Description
An attacker sending tcp, il, rudp, or gre packets with a length less than the header size would trigger a kernel panic.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Short TCP, IL, RUDP, or GRE packets with length less than header size cause kernel panic on Plan 9.
Vulnerability
In 9front's IP protocol implementations, multiple input handlers (tcp, il, rudp, gre, udp) fail to properly validate that the total packet length is at least as large as the respective protocol header. When a crafted packet with a length smaller than the header size arrives, calculations such as len = nhgets(gre->len) - GRE_IPONLY or len = nhgets(h->ploadlen) - hdrlen produce negative values that are subsequently passed to trimblock or other routines without a bounds check, leading to a kernel panic [1][2][3]. The vulnerable code paths exist in sys/src/9/ip/tcp.c, sys/src/9/ip/il.c, sys/src/9/ip/rudp.c, sys/src/9/ip/udp.c, and sys/src/9/ip/gre.c. All versions of 9front prior to the commits referenced are affected.
Exploitation
An attacker needs network access to send raw IP packets to a target running 9front. No authentication is required. The attacker crafts packets with the correct protocol header type (TCP, IL, RUDP, GRE, or UDP) but sets the length field (e.g., IP total length minus header size, or protocol-specific length) to a value smaller than the header size. For example, a GRE packet with a len below GRE_IPPLUSGRE or a TCP packet with h->ploadlen less than hdrlen will trigger the negative-length path. The kernel processes the packet normally until the arithmetic underflow occurs, at which point the system panics without any user interaction [1][2][3].
Impact
Successful exploitation causes a denial of service (DoS) by crashing the kernel (kernel panic). The entire system becomes unavailable until reboot. There is no indication that code execution or privilege escalation is achievable; the impact is limited to disrupting service. The vulnerability can be triggered remotely without any prior access, making it especially dangerous for exposed systems [1][2][3].
Mitigation
The fixes were committed to the 9front source tree on 2026-05-22 (the publication date). The relevant commits are [1], [2], and [3], which add proper length checks before performing arithmetic and before calling trimblock. For example, in tcp.c, a Badlen label is introduced and len < 0 is tested before assignment; in il.c, a check ensures dlen >= IL_HDRSIZE before subtraction. Users should update their kernels to include these patches. No workaround is available for unpatched systems; the only mitigation is to block untrusted network traffic at the firewall until the patch is applied. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
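The unchecked subtraction and its corrected form, reduced to a stand-alone C model. This is an added example, not code from 9front or its commits. The 8-byte header layout, HDRSIZE, get16 and both function names are assumptions for illustration, and the final upper-bound check goes beyond what the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 8-byte header for this example (not a 9front struct):
 * bytes 0-1 hold the total length, header included, big-endian. */
enum { HDRSIZE = 8 };

/* Big-endian 16-bit read; stands in for the kernel's nhgets. */
static int get16(const uint8_t *p) { return (p[0] << 8) | p[1]; }

/* Unchecked pattern: goes negative when the claimed length < HDRSIZE. */
int payload_len_unchecked(const uint8_t *pkt)
{
	return get16(pkt) - HDRSIZE;
}

/* Checked form: payload length, or -1 when the packet must be dropped. */
int payload_len_checked(const uint8_t *pkt, size_t received)
{
	int claimed;

	if (received < HDRSIZE)          /* too short to hold a header */
		return -1;
	claimed = get16(pkt);
	if (claimed < HDRSIZE)           /* the kind of check the fixes add */
		return -1;
	if ((size_t)claimed > received)  /* extra: claims more than arrived */
		return -1;
	return claimed - HDRSIZE;
}

int main(void)
{
	/* Constructed sample: length field says 3, below the 8-byte header. */
	uint8_t runt[HDRSIZE] = { 0x00, 0x03 };
	/* Constructed sample: 12 bytes total, 4 bytes of payload. */
	uint8_t good[12] = { 0x00, 0x0c };

	printf("unchecked runt: %d\n", payload_len_unchecked(runt));
	printf("checked runt:   %d\n", payload_len_checked(runt, sizeof runt));
	printf("checked good:   %d\n", payload_len_checked(good, sizeof good));
	return 0;
}
```

The negative result from the unchecked version is the value that, per the description above, reaches trimblock in the affected handlers; the checked version rejects the packet before any length arithmetic is used.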