Home

Description

NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP systems. Attackers can exploit mutable per-operation state embedded in the csession struct to corrupt kernel heap memory.

PUBLISHED Reserved 2026-03-16 | Published 2026-05-18 | Updated 2026-05-19 | Assigner VulnCheck




MEDIUM: 5.7CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

MEDIUM: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

Double Free

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Product status

Default status
affected

Any version before ec8451efc1565516aba9e7047e1a1a1ce7953a2f
affected

Credits

nasm finder

VulnCheck finder

References

nasm.re/posts/uaf_netbsd_crypto/ technical-description exploit

github.com/...ommit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f patch

www.vulncheck.com/...-condition-double-free-via-cryptodev-op third-party-advisory

cve.org (CVE-2026-32848)

nvd.nist.gov (CVE-2026-32848)

Download JSON