PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56099 openbsd CVE debrief

CVE-2026-56099 is an out-of-bounds read vulnerability in the mpls_do_error function within OpenBSD's sys/netmpls/mpls_input.c. This vulnerability allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set. The vulnerability was patched in OpenBSD commit 6a23123 on June 18, 2026. System administrators and security teams responsible for OpenBSD systems, especially those exposed to untrusted networks, should prioritize patching this vulnerability to prevent potential kernel stack memory disclosure.

Vendor
openbsd
Product
src
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-27
Advisory published
2026-06-18
Advisory updated
2026-06-27

Who should care

System administrators and security teams responsible for OpenBSD systems, especially those exposed to untrusted networks, should prioritize patching this vulnerability to prevent potential kernel stack memory disclosure. This includes teams managing OpenBSD deployments in cloud environments, data centers, or other settings where network exposure is a concern.

Technical summary

The mpls_do_error function in OpenBSD's sys/netmpls/mpls_input.c is vulnerable to an out-of-bounds read attack. By sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set, remote attackers can exploit this vulnerability to disclose kernel stack memory. This issue was addressed in OpenBSD commit 6a23123 on June 18, 2026. The vulnerability affects OpenBSD systems prior to this commit, and system administrators should prioritize patching to prevent potential kernel stack memory disclosure.

Defensive priority

High

Recommended defensive actions

  • Apply the official patch from OpenBSD (commit 6a23123) to vulnerable systems.
  • Restrict access to MPLS services to trusted sources only.
  • Implement network monitoring to detect suspicious MPLS traffic.
  • Consider using network segmentation to limit the impact of a potential exploit.
  • Regularly review and update OpenBSD systems to ensure they have the latest security patches.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on June 18, 2026, and last modified on June 27, 2026. The NVD entry is currently Analyzed. The vulnerability was patched in OpenBSD commit 6a23123 on June 18, 2026. Multiple sources, including Vulncheck and Argus Systems, have reported on this vulnerability. The CVE record and NVD entry provide additional context for this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T20:16:15.370Z and has not been modified since then. The NVD entry is currently Analyzed.