CVE-2026-32849

EUVD-2026-30789

18.05.2026, 18:17

NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as a signed int but assigned from an unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to /dev/crypto and a compression session type can exploit this vulnerability by providing a dst_len value exceeding INT_MAX to trigger a kernel panic through NULL pointer dereference when CONFIG_SVS is disabled and corrupted UIO pointer arithmetic.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Common Weakness Enumeration

CWE-190 - Integer Overflow or Wraparound
The software performs a calculation that can produce an integer overflow or wraparound, when the logic assumes that the resulting value will always be larger than the original value. This can introduce other weaknesses when the calculation is used for resource management or execution control.

Vulnerability Media Exposure

[GERMAN] NetBSD Foundation NetBSD OS: Mehrere Schwachstellen ermöglichen Denial of Service
Ein lokaler Angreifer kann mehrere Schwachstellen in NetBSD Foundation NetBSD OS ausnutzen, um einen Denial of Service Angriff durchzuführen.
Published: 2026-05-18T22:00:00+00:00

References

https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f

https://nasm.re/posts/uaf_netbsd_crypto/

https://www.vulncheck.com/advisories/netbsd-signed-integer-overflow-in-cryptodev-op-via-cryptodev-c