CVE-2026-41285 Overview
A denial of service vulnerability exists in OpenBSD through version 7.8 affecting the slaacd and rad network daemons. The vulnerability occurs when these daemons receive a specially crafted ICMPv6 Neighbor Discovery (ND) option with a length field of zero over a local network. Due to improper validation of the nd_opt_len field before performing arithmetic operations, the daemons enter an infinite loop, causing service disruption.
Critical Impact
Attackers on the adjacent network can cause denial of service conditions on OpenBSD systems by sending malformed ICMPv6 packets that trigger an infinite loop in critical network daemons.
Affected Products
- OpenBSD through version 7.8
- slaacd daemon (Stateless Address Autoconfiguration Daemon)
- rad daemon (Router Advertisement Daemon)
Discovery Timeline
- 2026-04-21 - CVE-2026-41285 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-41285
Vulnerability Analysis
This vulnerability is classified under CWE-1284 (Improper Validation of Specified Quantity in Input). The flaw resides in the ICMPv6 Neighbor Discovery packet processing logic within both the slaacd and rad daemons. When parsing ND options, the code performs an arithmetic calculation using the expression nd_opt_len * 8 - 2 without first validating that nd_opt_len is non-zero.
According to RFC 4861 Section 4.6, the length field in ND options specifies the length of the option in units of 8 octets. A zero-length option is invalid per the specification, but the vulnerable code fails to reject such malformed packets before entering processing loops.
The vulnerability requires adjacent network access, meaning an attacker must be on the same local network segment as the target system. No authentication or user interaction is required to exploit this flaw.
Root Cause
The root cause is a missing bounds check on the nd_opt_len field before it is used in arithmetic operations. When a zero-length ND option is received, the calculation nd_opt_len * 8 - 2 results in an underflow condition or a zero/negative iteration bound that causes the parsing loop to iterate indefinitely. The daemons lack defensive validation to reject options where nd_opt_len == 0 before entering the processing logic.
Attack Vector
The attack vector requires adjacent network access (AV:A), allowing any attacker on the same network segment to exploit this vulnerability. An attacker can craft a malicious ICMPv6 Router Advertisement or Neighbor Advertisement packet containing an ND option with nd_opt_len set to zero. When the target OpenBSD system's slaacd or rad daemon processes this packet, it enters an infinite loop, effectively causing a denial of service.
The attack requires no privileges and no user interaction, making it straightforward to execute from any compromised or malicious device on the local network. The impact is limited to availability (denial of service), with no confidentiality or integrity breach.
The vulnerability mechanism involves the ICMPv6 Neighbor Discovery option parsing routine failing to validate the length field before performing calculations. When a zero-length option is encountered, the expression nd_opt_len * 8 - 2 produces an invalid value that causes infinite iteration. For technical implementation details, refer to the GitHub OpenBSD Commit which addresses this issue.
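The length check described under Root Cause, shown as an added example (this is not OpenBSD's code or the errata patch): a bounded walk over an ND options area that rejects a zero length before any arithmetic or cursor advance. The names `nd_walk_options` and `enum nd_walk` and both byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for the walk (illustrative names, not from OpenBSD). */
enum nd_walk { ND_OK = 0, ND_ZERO_LEN = -1, ND_TRUNCATED = -2 };

/* Walk the options that follow a fixed ND message header. Each option is
 * type (1 byte), length (1 byte, in units of 8 octets), then data.
 * Stores the number of well-formed options seen in *count. */
static enum nd_walk
nd_walk_options(const uint8_t *p, size_t len, size_t *count)
{
	*count = 0;
	while (len > 0) {
		if (len < 2)                 /* no room for type + length */
			return ND_TRUNCATED;
		uint8_t opt_len = p[1];
		if (opt_len == 0)            /* invalid per RFC 4861 section 4.6; */
			return ND_ZERO_LEN;  /* would leave the cursor in place  */
		size_t opt_bytes = (size_t)opt_len * 8;
		if (opt_bytes > len)         /* option runs past the buffer */
			return ND_TRUNCATED;
		/* Only now is opt_bytes - 2 a valid payload size at p + 2. */
		p += opt_bytes;
		len -= opt_bytes;
		(*count)++;
	}
	return ND_OK;
}

/* Constructed sample: source link-layer address (type 1) + MTU (type 5). */
static const uint8_t good_opts[] = {
	1, 1, 0x02, 0x00, 0x5e, 0x00, 0x53, 0x01,
	5, 1, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc,
};
/* Constructed sample: same bytes, but the second option claims length 0. */
static const uint8_t zero_opts[] = {
	1, 1, 0x02, 0x00, 0x5e, 0x00, 0x53, 0x01,
	5, 0, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc,
};

int main(void)
{
	size_t n;
	printf("good: %d\n", nd_walk_options(good_opts, sizeof(good_opts), &n));
	printf("zero: %d\n", nd_walk_options(zero_opts, sizeof(zero_opts), &n));
	return 0;
}
```

The same walk can serve as a host-level check on captured ND option bytes: an `ND_ZERO_LEN` result is the condition the Detection Strategies section says to monitor for.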
Detection Methods for CVE-2026-41285
Indicators of Compromise
- Unusual CPU utilization spikes in slaacd or rad daemon processes
- Network service disruptions related to IPv6 address autoconfiguration or router advertisements
- System logs showing slaacd or rad becoming unresponsive
- Process monitoring alerts indicating daemon hangs without normal termination
Detection Strategies
- Monitor for ICMPv6 packets with ND options containing nd_opt_len values of zero at the network perimeter or host level
- Implement process monitoring to detect slaacd and rad daemons entering high CPU states without corresponding network activity
- Deploy network intrusion detection signatures to identify malformed ICMPv6 Neighbor Discovery packets on local network segments
- Enable system call tracing or process state monitoring to detect daemon hangs characteristic of infinite loops
Monitoring Recommendations
- Configure alerts for abnormal CPU consumption by slaacd and rad processes on OpenBSD systems
- Implement ICMPv6 traffic analysis on network segments where OpenBSD systems operate
- Monitor daemon process states and set up automatic restart policies to maintain availability during attack attempts
- Enable logging for IPv6-related network events to assist in post-incident analysis
How to Mitigate CVE-2026-41285
Immediate Actions Required
- Apply the official OpenBSD patch as documented in the OpenBSD Errata Document
- Review the specific code fix in the GitHub OpenBSD Commit
- Audit network segments for potentially malicious devices that could exploit this vulnerability
- Consider disabling IPv6 functionality temporarily on critical systems if patching cannot be immediately applied
Patch Information
OpenBSD has released patches to address this vulnerability. The fix adds proper validation to ensure nd_opt_len is non-zero before performing arithmetic operations in the ND option parsing code. System administrators should apply the relevant errata patch for OpenBSD 7.8 as documented in the official errata. The patch can be applied using the syspatch utility or by manually applying the source code changes from commit 086c5738bcd3c203bcc08d024fcf983cb409115f.
Workarounds
- Implement strict ICMPv6 filtering at network boundaries to block malformed packets before they reach vulnerable systems
- Segment networks to limit adjacent network access to trusted devices only
- Deploy process monitoring with automatic daemon restart capabilities to reduce service disruption duration
- Consider running IPv6-critical services on patched or alternative systems while awaiting maintenance windows for vulnerable OpenBSD hosts
# Example: Apply OpenBSD errata patch using syspatch
syspatch
# Verify patch application
syspatch -l
# Restart affected daemons after patching
rcctl restart slaacd
rcctl restart rad

