PatchSiren

CVE-2016-6244 OpenBSD CVE debrief

CVE-2016-6244 is a denial-of-service vulnerability in the OpenBSD kernel's sys_thrsigdivert function. According to the published advisory data, a remote attacker can cause a kernel panic by supplying a negative ts.tv_sec value. The NVD entry maps the issue to OpenBSD 5.9 and rates it HIGH with network attack reachability and availability impact only. This is a stability and uptime issue rather than a data exposure or code execution flaw.

Vendor: OpenBSD
Product: CVE-2016-6244
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-07
Original CVE updated: 2026-05-13
Advisory published: 2017-03-07
Advisory updated: 2026-05-13

Who should care

OpenBSD 5.9 administrators, especially teams running systems with remotely reachable services or environments where an unexpected kernel panic would create outage or recovery risk.

Technical summary

The vulnerability is described as a kernel panic in kern/kern_sig.c within sys_thrsigdivert when a negative ts.tv_sec value is processed. NVD classifies the weakness as CWE-20 (Improper Input Validation) and assigns CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a remotely triggerable availability impact with no reported confidentiality or integrity impact.
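The kind of range check that CWE-20 points to for a caller-supplied timespec, shown as an added userland illustration; it is not OpenBSD kernel code and not the vendor's patch. The names timeout_valid, timeout_to_ticks and ASSUMED_HZ, the tick rate, and the saturation policy are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define ASSUMED_HZ   100            /* assumed tick rate, illustration only */
#define NSEC_PER_SEC 1000000000L

/* A relative timeout is well-formed only if both fields are in range. */
static int timeout_valid(const struct timespec *ts)
{
    /* tv_sec < 0 is the case named in the CVE description. */
    if (ts->tv_sec < 0 || ts->tv_nsec < 0 || ts->tv_nsec >= NSEC_PER_SEC)
        return 0;
    return 1;
}

/*
 * Convert a caller-supplied timeout to scheduler ticks (hypothetical helper).
 * Returns 0 and stores the tick count, or EINVAL for a malformed value.
 * Oversized values saturate at INT_MAX instead of wrapping negative.
 */
int timeout_to_ticks(const struct timespec *ts, int *ticks)
{
    const uint64_t nsec_per_tick = NSEC_PER_SEC / ASSUMED_HZ;
    uint64_t t;

    if (!timeout_valid(ts))
        return EINVAL;
    if ((uint64_t)ts->tv_sec >= (uint64_t)INT_MAX / ASSUMED_HZ) {
        *ticks = INT_MAX;
        return 0;
    }
    /* Round the sub-second part up so a short wait never becomes zero. */
    t = (uint64_t)ts->tv_sec * ASSUMED_HZ
        + ((uint64_t)ts->tv_nsec + nsec_per_tick - 1) / nsec_per_tick;
    *ticks = (int)t;
    return 0;
}

int main(void)
{
    struct timespec bad = { .tv_sec = -1, .tv_nsec = 0 };  /* constructed input */
    int ticks = 0;
    int rc = timeout_to_ticks(&bad, &ticks);
    printf("negative tv_sec rejected: %s\n", rc == EINVAL ? "yes" : "no");
    return 0;
}
```

The point of the pattern is that the value is rejected at the boundary with an error return, before any arithmetic or timer code consumes it.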

Defensive priority

High for availability-critical OpenBSD 5.9 systems. The issue is remotely triggerable and can crash the kernel, so exposed systems should be reviewed promptly and protected by applying vendor guidance or upgrading to a corrected release.

Recommended defensive actions

  • Verify whether any assets are running OpenBSD 5.9 or an affected build.
  • Apply the vendor fix or upgrade to a supported OpenBSD release that includes the correction.
  • Review the OpenBSD security mailing list advisory and the NVD record for remediation guidance.
  • Reduce exposure of affected systems to untrusted networks where practical until remediation is complete.
  • Prepare operational safeguards for unexpected kernel panics, including reboot and recovery procedures.

Evidence notes

The CVE description states that sys_thrsigdivert in OpenBSD kernel 5.9 can be used by remote attackers to cause a denial of service via a negative ts.tv_sec value. The NVD record lists CPE coverage for openbsd:openbsd:5.9 and classifies the issue as CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H with CWE-20. References provided in the source corpus include the OpenBSD-related oss-security mailing list post and a SecurityFocus BID entry. The published date used here is the CVE publishedAt timestamp (2017-03-07T15:59:00.330Z); the later modified timestamp (2026-05-13T00:24:29.033Z) is not treated as the issue date.

Official resources

Publicly disclosed on 2017-03-07 per the supplied CVE publishedAt timestamp. Later modification timestamps reflect record updates, not the original vulnerability date.