CVE-2026-32848

NetBSD cryptodev Race Condition Double-Free via cryptodev_op()

CVSS 5.7 MEDIUMEPSS 0.1%CWE-362 CWE-415

Vexday Risk Score

33Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 5.7EPSS 0.1%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado

Lifecycle

18 May 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

NetBSD prior to commit ec8451e contains a race condition vulnerability in cryptodev_op() within the opencrypto subsystem that allows local attackers to trigger a double-free condition by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP systems. Attackers can exploit mutable per-operation state embedded in the csession struct to corrupt kernel heap memory.

CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected products

NetBSD · src

public PoCs found — 1

cve_referencenasm.re/posts/uaf_netbsd_crypto/unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/NetBSD/src/commit/ec8451efc1565516aba9e7047e1a1a1ce7953a2f https://nasm.re/posts/uaf_netbsd_crypto/https://www.vulncheck.com/advisories/netbsd-cryptodev-race-condition-double-free-via-cryptodev-op