{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-41285", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-21T13:27:42.310Z", "dateReserved": "2026-04-20T00:00:00.000Z", "datePublished": "2026-04-20T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "OpenBSD", "vendor": "OpenBSD", "versions": [{"lessThanOrEqual": "7.8", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an \"nd_opt_len * 8 - 2\" expression with no preceding check for whether nd_opt_len is zero."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T23:27:57.468Z"}, "references": [{"url": "https://www.rfc-editor.org/rfc/rfc4861#section-4.6"}, {"url": "https://github.com/openbsd/src/commit/086c5738bcd3c203bcc08d024fcf983cb409115f"}, {"url": "https://www.openbsd.org/errata78.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openbsd:openbsd:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.8"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T13:27:20.927005Z", "id": "CVE-2026-41285", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:27:42.310Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41285", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T13:27:20.927005Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:27:37.961Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}}], "affected": [{"vendor": "OpenBSD", "product": "OpenBSD", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "7.8"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.rfc-editor.org/rfc/rfc4861#section-4.6"}, {"url": "https://github.com/openbsd/src/commit/086c5738bcd3c203bcc08d024fcf983cb409115f"}, {"url": "https://www.openbsd.org/errata78.html"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an \"nd_opt_len * 8 - 2\" expression with no preceding check for whether nd_opt_len is zero."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1284", "description": "CWE-1284 Improper Validation of Specified Quantity in Input"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openbsd:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "7.8"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-20T23:27:57.468Z"}}}, "cveMetadata": {"cveId": "CVE-2026-41285", "state": "PUBLISHED", "dateUpdated": "2026-04-21T13:27:42.310Z", "dateReserved": "2026-04-20T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-20T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:openbsd:openbsd:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F720762-1801-4CB9-827D-2D7F670BFC6B", "versionEndIncluding": "7.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an \"nd_opt_len * 8 - 2\" expression with no preceding check for whether nd_opt_len is zero."}], "id": "CVE-2026-41285", "lastModified": "2026-04-24T18:59:03.117", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-21T00:16:29.480", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/openbsd/src/commit/086c5738bcd3c203bcc08d024fcf983cb409115f"}, {"source": "cve@mitre.org", "tags": ["Product", "Release Notes"], "url": "https://www.openbsd.org/errata78.html"}, {"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "https://www.rfc-editor.org/rfc/rfc4861#section-4.6"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1284"}], "source": "cve@mitre.org", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-835"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,7.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "OpenBSD", "source": "cna", "vendor": "OpenBSD"}, "product": "openbsd", "vendor": "openbsd"}], "analysis": {"en": {"generated_at": "2026-04-22T03:29:11.962085+00:00", "value": {"mitigation_remediation": ["Update your system to OpenBSD 7.9 or later, where the patch is integrated.", "Apply the cherry\u2011pick commit 086c5738bcd3c203bcc08d024fcf983cb409115f manually to your source tree and rebuild the daemons if you cannot jump to a newer release.", "Restart slaacd and rad to ensure the updated binaries are in use.", "As a temporary measure, configure local firewall rules to drop malformed ICMPv6 ND options that have a length field of zero."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "This flaw affects the OpenBSD operating system, specifically the SLAACD and RAD network daemons in releases up to 7.8. Network hosts running these daemons are vulnerable. No specific hardware vendors are listed; all OpenBSD installations in this version range are potentially impacted.", "description_and_impact": "The slaacd and rad daemons in OpenBSD versions up through 7.8 process crafted ICMPv6 Neighbor Discovery options. If an option of length zero is received, the unvalidated calculation of nd_opt_len * 8 - 2 causes the parsing loop to never terminate, resulting in an infinite loop that stalls the daemon. The flaw is a classic example of unchecked input leading to an unbounded loop, classified as CWE\u20111284.", "risk_and_exploitability": "The vulnerability does not carry an inherent network\u2011wide lateral movement requirement; an attacker only needs local or lateral network access to send a crafted packet to the target host. Because the flaw leads to a denial of service of the affected daemons, any system relying on SLAACD or RAD for address configuration can experience network disruption. The EPSS score is < 1% and the flaw is not listed in KEV, indicating limited known exploitation at this time. Nevertheless, the lack of mitigations beyond the infinite loop makes patching essential."}}}}, "created": "2026-04-21T00:30:22.739174+00:00", "title": "Infinite Loop in OpenBSD SLAACD and RAD Daemons Due to Zero-Length ICMPv6 ND Option", "updated": "2026-04-22T03:30:06.692768+00:00", "vendors": ["openbsd", "openbsd$PRODUCT$openbsd"]}