CVE-2026-32849

MEDIUM 5.5

NetBSD Signed Integer Overflow in cryptodev_op via cryptodev.c

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

0th

NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as a signed int but assigned from an unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to /dev/crypto and a compression session type can exploit this vulnerability by providing a dst_len value exceeding INT_MAX to trigger a kernel panic through NULL pointer dereference when CONFIG_SVS is disabled and corrupted UIO pointer arithmetic.

CWE	CWE-190 CWE-476
Vendor	netbsd
Product	src
Published	May 18, 2026
Last Updated	May 18, 2026

Stay Ahead of the Next One

Get instant alerts for netbsd src

Be the first to know when new medium vulnerabilities affecting netbsd src are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

NetBSD / src

0 < ec8451efc1565516aba9e7047e1a1a1ce7953a2f

References

NVD ↗ CVE.org ↗ EPSS Data ↗

nasm.re: https://nasm.re/posts/uaf_netbsd_crypto/ github.com: https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f vulncheck.com: https://www.vulncheck.com/advisories/netbsd-signed-integer-overflow-in-cryptodev-op-via-cryptodev-c

Credits

nasm VulnCheck