Aggregates CVE and security vulnerability intelligence across all OpenBSD-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk buffer overflow, vendor risk memory corruption, vendor risk input validation, and vendor risk path handling and related problems; some flaws may lead to vendor impact application crash.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-41285 | In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_opt_len * 8 - 2" expression with no preceding check for whether nd_opt_len is zero. | [email protected] | 4.3 | 0.01% | 2026-04-21 | 2026-04-24 |
| CVE-2026-35414 | OpenSSH before 10.3 mishandles the authorized_keys principals option in uncommon scenarios involving a principals list in conjunction with a Certificate Authority that makes certain use of comma characters. | [email protected] | 4.2 | 0.02% | 2026-04-02 | 2026-04-10 |
| CVE-2026-35388 | OpenSSH before 10.3 omits connection multiplexing confirmation for proxy-mode multiplexing sessions. | [email protected] | 2.5 | 0.01% | 2026-04-02 | 2026-04-27 |
| CVE-2026-35387 | OpenSSH before 10.3 can use unintended ECDSA algorithms. Listing of any ECDSA algorithm in PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms is misinterpreted to mean all ECDSA algorithms. | [email protected] | 3.1 | 0.05% | 2026-04-02 | 2026-04-27 |
| CVE-2026-35386 | In OpenSSH before 10.3, command execution can occur via shell metacharacters in a username within a command line. This requires a scenario where the username on the command line is untrusted, and also requires a non-default configurations of % in ssh_config. | [email protected] | 3.6 | 0.01% | 2026-04-02 | 2026-04-27 |
| CVE-2026-35385 | In OpenSSH before 10.3, a file downloaded by scp may be installed setuid or setgid, an outcome contrary to some users' expectations, if the download is performed as root with -O (legacy scp protocol) and without -p (preserve mode). | [email protected] | 7.5 | 0.06% | 2026-04-02 | 2026-04-27 |
| CVE-2026-3497 | Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself. The usage of sshpkt_disconnect() on an error, which does not terminate the process, allows an attacker to send an unexpected GSSAPI message type during the GSSAPI key exchange to the server, which will call the underlying function and continue the execution of the program with | [email protected] | 6.9 | 0.06% | 2026-03-12 | 2026-06-02 |
| CVE-2025-32728 | In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding. | [email protected] | 4.3 | 0.22% | 2025-04-10 | 2025-05-22 |
| CVE-2025-30334 | In OpenBSD 7.6 before errata 006 and OpenBSD 7.5 before errata 015, traffic sent over wg(4) could result in kernel crash. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.1 | 0.22% | 2025-03-20 | 2025-09-05 |
| CVE-2025-26466 | A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack. | [email protected] | 5.9 | 62.37% | 2025-02-28 | 2026-02-10 |
| CVE-2025-26465 | A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. | [email protected] | 6.8 | 64.52% | 2025-02-18 | 2026-05-12 |
| CVE-2024-11149 | In OpenBSD 7.4 before errata 014, vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs. | 9119a7d8-5eab-497f-8521-727c672e3725 | 6.2 | 0.12% | 2024-12-06 | 2025-09-23 |
| CVE-2024-11148 | In OpenBSD 7.4 before errata 006 and OpenBSD 7.3 before errata 020, httpd(8) is vulnerable to a NULL dereference when handling a malformed fastcgi request. | 9119a7d8-5eab-497f-8521-727c672e3725 | 8.7 | 0.22% | 2024-12-05 | 2025-09-23 |
| CVE-2024-10933 | In OpenBSD 7.5 before errata 009 and OpenBSD 7.4 before errata 022, exclude any '/' in readdir name validation to avoid unexpected directory traversal on untrusted file systems. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.1 | 0.09% | 2024-12-05 | 2025-09-23 |
| CVE-2024-10934 | In OpenBSD 7.5 before errata 008 and OpenBSD 7.4 before errata 021, avoid possible mbuf double free in NFS client and server implementation, do not use uninitialized variable in error handling of NFS server. | 9119a7d8-5eab-497f-8521-727c672e3725 | 9.2 | 0.27% | 2024-11-15 | 2025-10-02 |
| CVE-2024-6387 | A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. | [email protected] | 8.1 | 63.83% | 2024-07-01 | 2026-05-12 |
| CVE-2021-35000 | OpenBSD Kernel Multicast Routing Uninitialized Memory Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of OpenBSD Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of multicast routing. The issue results from the lack of proper initialization of memory prior to acc | [email protected] | 3.3 | 0.02% | 2024-05-07 | 2025-08-14 |
| CVE-2021-34999 | OpenBSD Kernel Multicast Routing Uninitialized Memory Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of OpenBSD Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the implementation of multicast routing. The issue results from the lack of proper initialization of memory prior to acc | [email protected] | 5.5 | 0.02% | 2024-05-07 | 2025-08-14 |
| CVE-2024-29937 | NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption. | [email protected] | 9.8 | 4.36% | 2024-04-11 | 2025-06-17 |
| CVE-2023-52558 | In OpenBSD 7.4 before errata 002 and OpenBSD 7.3 before errata 019, a network buffer that had to be split at certain length that could crash the kernel after receiving specially crafted escape sequences. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.5 | 0.07% | 2024-03-01 | 2025-10-10 |