VYPR

Vendor CVEs

OpenBSD

All CVEs

337 total · sorted by risk
  • CVE-2016-6245MedMar 7, 2017
    risk 0.36cvss 5.5epss 0.00

    OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (kernel panic) via a large size in a getdents system call.

  • CVE-2016-6243MedMar 7, 2017
    risk 0.36cvss 5.5epss 0.00

    thrsleep in kern/kern_synch.c in OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (kernel panic) via a crafted value in the tsp parameter of the __thrsleep system call.

  • CVE-2016-6242MedMar 7, 2017
    risk 0.36cvss 5.5epss 0.00

    OpenBSD 5.8 and 5.9 allows local users to cause a denial of service (assertion failure and kernel panic) via a large ident value in a kevent system call.

  • CVE-2016-6239MedMar 7, 2017
    risk 0.36cvss 5.5epss 0.00

    The mmap extension __MAP_NOFAULT in OpenBSD 5.8 and 5.9 allows attackers to cause a denial of service (kernel panic and crash) via a large size value.

  • CVE-2016-1907MedJan 19, 2016
    risk 0.36cvss 5.3epss 0.14

    The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic.

  • CVE-2011-4327MedFeb 3, 2014
    risk 0.36cvss 5.5epss 0.00

    ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call.

  • CVE-2002-1915MedDec 31, 2002
    risk 0.36cvss 5.5epss 0.00

    tip on multiple BSD-based operating systems allows local users to cause a denial of service (execution prevention) by using flock() to lock the /var/log/acculog file.

  • CVE-2018-15919MedAug 28, 2018
    risk 0.35cvss 5.3epss 0.04

    Remotely observable behaviour in auth-gss2.c in OpenSSH through 7.8 could be used by remote attackers to detect existence of users on a target system when GSS2 is in use. NOTE: the discoverer states 'We understand that the OpenSSH developers do not want to treat such a username…

  • CVE-2017-15906MedOct 26, 2017
    risk 0.35cvss 5.3epss 0.03

    The process_open function in sftp-server.c in OpenSSH before 7.6 does not properly prevent write operations in readonly mode, which allows attackers to create zero-length files.

  • CVE-2017-8301MedApr 27, 2017
    risk 0.35cvss 5.3epss 0.01

    LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.

  • CVE-2015-6563MedAug 24, 2015
    risk 0.35cvss 6.4epss 0.00

    The monitor component in sshd in OpenSSH before 7.0 on non-OpenBSD platforms accepts extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests, which allows local users to conduct impersonation attacks by leveraging any SSH login access in conjunction with control of the…

  • CVE-2016-10011MedJan 5, 2017
    risk 0.33cvss 6.2epss 0.01

    authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.

  • CVE-2018-12434MedJun 15, 2018
    risk 0.31cvss 4.7epss 0.00

    LibreSSL before 2.6.5 and 2.7.x before 2.7.4 allows a memory-cache side-channel attack on DSA and ECDSA signatures, aka the Return Of the Hidden Number Problem or ROHNP. To discover a key, the attacker needs access to either the local machine or a different virtual machine on…

  • CVE-2016-6246MedMar 7, 2017
    risk 0.29cvss 4.4epss 0.00

    OpenBSD 5.8 and 5.9 allows certain local users with kern.usermount privileges to cause a denial of service (kernel panic) by mounting a tmpfs with a VNOVAL in the (1) username, (2) groupname, or (3) device name of the root node.

  • CVE-2016-20012MedSep 15, 2021
    risk 0.28cvss 5.3epss 0.05

    OpenSSH through 8.7 allows remote attackers, who have a suspicion that a certain combination of username and public key is known to an SSH server, to test whether this suspicion is correct. This occurs because a challenge is sent only when that combination could be valid for a…

  • CVE-2014-2532MedMar 18, 2014
    risk 0.28cvss 4.2epss 0.05

    sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv lines in sshd_config, which allows remote attackers to bypass intended environment restrictions by using a substring located before a wildcard character.

  • CVE-2008-5161LowNov 19, 2008
    risk 0.28cvss 3.7epss 0.15

    Error handling in the SSH protocol in (1) SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and…

  • CVE-2026-35414MedApr 2, 2026
    risk 0.27cvss 4.2epss 0.00

    OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters.

  • CVE-2026-35386LowApr 2, 2026
    risk 0.23cvss 3.6epss 0.00

    In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config.

  • CVE-2020-7247KEVJan 29, 2020
    risk 0.23cvss epss 0.99

    smtp_mailaddr in smtp_session.c in OpenSMTPD 6.6, as used in OpenBSD 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented"…

  • CVE-2026-41285MedApr 21, 2026
    risk 0.21cvss 4.3epss 0.00

    In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_opt_len * 8 - 2" expression with no preceding check for whether nd_opt_len is…

  • CVE-2026-35387LowApr 2, 2026
    risk 0.20cvss 3.1epss 0.00

    OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms.

  • CVE-2026-35388LowApr 2, 2026
    risk 0.16cvss 2.5epss 0.00

    OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions.

  • CVE-2020-8794Feb 25, 2020
    risk 0.10cvss epss 0.89

    OpenSMTPD before 6.6.4 allows remote code execution because of an out-of-bounds read in mta_io in mta_session.c for multi-line replies. Although this vulnerability affects the client side of OpenSMTPD, it is possible to attack a server because the server code launches the client…

  • CVE-2005-0356May 31, 2005
    risk 0.10cvss epss 0.83

    Multiple TCP implementations with Protection Against Wrapped Sequence Numbers (PAWS) with the timestamps option enabled allow remote attackers to cause a denial of service (connection loss) via a spoofed packet with a large timer value, which causes the host to discard later…

  • CVE-2007-5365Oct 11, 2007
    risk 0.09cvss epss 0.80

    Stack-based buffer overflow in the cons_options function in options.c in dhcpd in OpenBSD 4.0 through 4.2, and some other dhcpd implementations based on ISC dhcp-2, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a DHCP request…

  • CVE-2003-0190May 12, 2003
    risk 0.09cvss epss 0.77

    OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack.

  • CVE-2019-6110Jan 31, 2019
    risk 0.08cvss epss 0.21

    In OpenSSH 7.9, due to accepting and displaying arbitrary stderr output from the server, a malicious server (or Man-in-The-Middle attacker) can manipulate the client output, for example to use ANSI control codes to hide additional files being transferred.

  • CVE-2000-0574Jul 7, 2000
    risk 0.08cvss epss 0.59

    FTP servers such as OpenBSD ftpd, NetBSD ftpd, ProFTPd and Opieftpd do not properly cleanse untrusted format strings that are used in the setproctitle function (sometimes called by set_proc_title), which allows remote attackers to cause a denial of service or execute arbitrary…

  • CVE-2019-6111Jan 31, 2019
    risk 0.07cvss epss 0.58

    An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal…

  • CVE-2006-5229Oct 10, 2006
    risk 0.07cvss epss 0.54

    OpenSSH portable 4.1 on SUSE Linux, and possibly other platforms and versions, and possibly under limited configurations, allows remote attackers to determine valid usernames via timing discrepancies in which responses take longer for valid usernames than invalid ones, as…

  • CVE-2006-4924Sep 27, 2006
    risk 0.06cvss epss 0.35

    sshd in OpenSSH before 4.4, when using the version 1 SSH protocol, allows remote attackers to cause a denial of service (CPU consumption) via an SSH packet that contains duplicate blocks, which is not properly handled by the CRC compensation attack detector.

  • CVE-2001-0554Aug 14, 2001
    risk 0.06cvss epss 0.38

    Buffer overflow in BSD-based telnetd telnet daemon on various operating systems allows remote attackers to execute arbitrary commands via a set of options including AYT (Are You There), which is not properly handled by the telrcv function.

  • CVE-2001-0144Mar 12, 2001
    risk 0.06cvss epss 0.32

    CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow.

  • CVE-2025-26466Feb 28, 2025
    risk 0.05cvss epss 0.38

    A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such…

  • CVE-2011-0419May 16, 2011
    risk 0.05cvss epss 0.30

    Stack consumption vulnerability in the fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library before 1.4.3 and the Apache HTTP Server before 2.2.18, and in fnmatch.c in libc in NetBSD 5.1, OpenBSD 4.8, FreeBSD, Apple Mac OS X 10.6, Oracle Solaris…

  • CVE-2009-0689Jul 1, 2009
    risk 0.05cvss epss 0.28

    Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x…

  • CVE-2004-0083Mar 3, 2004
    risk 0.05cvss epss 0.21

    Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.

  • CVE-2004-0084Mar 3, 2004
    risk 0.05cvss epss 0.25

    Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than…

  • CVE-2003-0681Oct 6, 2003
    risk 0.05cvss epss 0.20

    A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences.

  • CVE-2001-0247Jun 18, 2001
    risk 0.05cvss epss 0.19

    Buffer overflows in BSD-based FTP servers allows remote attackers to execute arbitrary commands via a long pattern string containing a {} sequence, as seen in (1) g_opendir, (2) g_lstat, (3) g_stat, and (4) the glob0 buffer as used in the glob functions glob2 and glob3.

  • CVE-2019-19726Dec 12, 2019
    risk 0.04cvss epss 0.04

    OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip…

  • CVE-2009-0687Aug 11, 2009
    risk 0.04cvss epss 0.10

    The pf_test_rule function in OpenBSD Packet Filter (PF), as used in OpenBSD 4.2 through 4.5, NetBSD 5.0 before RC3, MirOS 10 and earlier, and MidnightBSD 0.3-current allows remote attackers to cause a denial of service (panic) via crafted IP packets that trigger a NULL pointer…

  • CVE-2007-1365Mar 10, 2007
    risk 0.04cvss epss 0.18

    Buffer overflow in kern/uipc_mbuf2.c in OpenBSD 3.9 and 4.0 allows remote attackers to execute arbitrary code via fragmented IPv6 packets due to "incorrect mbuf handling for ICMP6 packets." NOTE: this was originally reported as a denial of service.

  • CVE-2004-1471Dec 31, 2004
    risk 0.04cvss epss 0.08

    Format string vulnerability in wrapper.c in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16 allows remote attackers with CVSROOT commit access to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a wrapper…

  • CVE-2004-0416Aug 6, 2004
    risk 0.04cvss epss 0.13

    Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code.

  • CVE-2003-0078Mar 3, 2003
    risk 0.04cvss epss 0.14

    ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely…

  • CVE-2002-1220Nov 29, 2002
    risk 0.04cvss epss 0.10

    BIND 8.3.x through 8.3.3 allows remote attackers to cause a denial of service (termination due to assertion failure) via a request for a subdomain that does not exist, with an OPT resource record with a large UDP payload size.

  • CVE-2001-0053Feb 12, 2001
    risk 0.04cvss epss 0.18

    One-byte buffer overflow in replydirname function in BSD-based ftpd allows remote attackers to gain root privileges.

  • CVE-2020-8793Feb 25, 2020
    risk 0.03cvss epss 0.01

    OpenSMTPD before 6.6.4 allows local users to read arbitrary files (e.g., on some Linux distributions) because of a combination of an untrusted search path in makemap.c and race conditions in the offline functionality in smtpd.c.

Page 2 of 7