PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32849 NetBSD CVE debrief

A signed integer overflow vulnerability exists in NetBSD's cryptographic framework prior to commit ec8451e. The `cryptodev_op()` function in `sys/opencrypto/cryptodev.c` declares the local variable `iov_len` as a signed `int`, but assigns it from an unsigned `cop->dst_len` value. When `cop->dst_len` exceeds `INT_MAX`, this causes undefined behavior that can manifest as a kernel panic through NULL pointer dereference when CONFIG_SVS is disabled, due to corrupted UIO pointer arithmetic. Exploitation requires local access to `/dev/crypto` and use of a compression session type. The vulnerability was disclosed on 2026-05-18 and affects NetBSD systems prior to the specified commit.

Vendor: NetBSD
Product: src
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

NetBSD system administrators, security teams operating NetBSD infrastructure, and organizations using NetBSD for cryptographic operations or VPN endpoints

Technical summary

The vulnerability stems from a type mismatch in `sys/opencrypto/cryptodev.c` where `iov_len` is declared as `int` (signed) but populated from `cop->dst_len` (unsigned). When `dst_len` exceeds `INT_MAX` (2,147,483,647), the assignment results in signed integer overflow with undefined behavior. On systems with CONFIG_SVS disabled, this corruption propagates to UIO pointer arithmetic, causing NULL pointer dereference and kernel panic. The attack surface is limited to local users with `/dev/crypto` access using compression session types.
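The defect class above (an unsigned request length copied into a signed `int`) is easy to reproduce in isolation. The following is an added illustration written for this debrief, not code from NetBSD's `cryptodev.c`; the names `narrow_unchecked`, `residual_after_narrowing` and `narrow_checked` are hypothetical, the `uint32_t` argument stands in for `cop->dst_len`, and the `size_t` residual is a stand-in for UIO bookkeeping rather than the driver's actual fields. It shows the narrowing going negative past `INT_MAX`, how that negative value blows up once it re-enters unsigned arithmetic, and the bounds check that rejects such lengths before the assignment.

```c
/* Added illustration of the defect class; not NetBSD code. Assumed names:
 * the uint32_t parameter models cop->dst_len, iov_len the signed local. */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked narrowing as the debrief describes. On the usual two's
 * complement ABIs, any value above INT_MAX comes out negative. */
int narrow_unchecked(uint32_t dst_len)
{
    int iov_len = dst_len;      /* signed int fed from an unsigned field */
    return iov_len;
}

/* What a negative length does once it re-enters unsigned arithmetic such as
 * a size_t residual count: sign extension turns it into a huge value.
 * (Hypothetical stand-in for UIO residual bookkeeping.) */
size_t residual_after_narrowing(uint32_t dst_len)
{
    int iov_len = narrow_unchecked(dst_len);
    return (size_t)iov_len;
}

/* Hardened form: refuse anything a signed int cannot represent before the
 * narrowing happens. Returns 0 and writes *out_len on success, -1 otherwise
 * (a kernel would return EINVAL here). A real driver would additionally cap
 * the length against the largest buffer it is willing to allocate. */
int narrow_checked(uint32_t dst_len, int *out_len)
{
    if (dst_len > (uint32_t)INT_MAX)
        return -1;
    *out_len = (int)dst_len;
    return 0;
}

int main(void)
{
    /* Constructed sample lengths: in range, the boundary, one past it, max. */
    const uint32_t samples[] = {
        4096u, (uint32_t)INT_MAX, (uint32_t)INT_MAX + 1u, 0xFFFFFFFFu
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int len = 0;
        int rc = narrow_checked(samples[i], &len);
        printf("dst_len=%u unchecked=%d residual=%zu checked=%s\n",
               samples[i], narrow_unchecked(samples[i]),
               residual_after_narrowing(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The check compares in the unsigned domain (`(uint32_t)INT_MAX`) so the comparison itself cannot be subject to the same conversion problem; the validated value is only cast after the range test passes.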

Defensive priority

medium

Recommended defensive actions

  • Apply NetBSD commit ec8451e or later to affected systems
  • Restrict access to `/dev/crypto` to trusted users only
  • Enable CONFIG_SVS if available as a mitigation against NULL pointer dereference exploitation
  • Monitor for unexpected kernel panics on systems with cryptodev compression sessions enabled
  • Review local user access controls on multi-user NetBSD systems

Evidence notes

Vulnerability disclosed via VulnCheck and NVD on 2026-05-18. Fix commit ec8451efc1565516aba9e7047e1a1a1ce7953a2f addresses the signed integer overflow. CVSS 4.0 vector indicates local attack vector with low attack complexity and high availability impact.

Official resources

2026-05-18