This article details a remote kernel stack disclosure vulnerability (CVE-2026-56099) in OpenBSD systems that lack the fix of June 18, 2026. The flaw is in mpls_do_error() in sys/netmpls/mpls_input.c, which walks the label stack of an incoming MPLS packet when it builds an error reply. An off-by-one error occurs when the label stack carries no Bottom-of-Stack (BoS) bit: the walk exhausts all MPLS_INKERNEL_LOOP_MAX entries and the code then reads one struct shim_hdr (4 bytes) past the end of the array.
Each such over-read leaks 4 bytes of adjacent kernel stack memory. An attacker can trigger it remotely by sending a crafted MPLS frame (EtherType 0x8847) carrying 16 labels, none with the BoS bit set, and a TTL of 1 on the outermost label so that the TTL-exceeded error path is taken. The leaked word is reflected to the sender inside the generated ICMP/MPLS error response, so repeated packets let the attacker harvest kernel stack contents.
The issue was reported by Argus Systems and fixed by OpenBSD developer mvs on 2026-06-18. The patch adds a guard that drops malformed label stacks which run to the limit without a BoS bit, so nstk can no longer reach MPLS_INKERNEL_LOOP_MAX and the out-of-bounds read is eliminated. A Python/Scapy proof of concept demonstrates the bug by capturing the 17th MPLS shim header in the reply, which carries the leaked kernel stack data.
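To make the off-by-one concrete, here is an added C model of the label-stack walk and the error reply, written for this page and not taken from OpenBSD's sources: the names mpls_walk_stack, error_path_vulnerable, error_path_fixed, craft_stack and run_case, the sentinel value 0xdeadbeef and the layout of the frame[] array are assumptions, and the loop limit of 16 mirrors MPLS_INKERNEL_LOOP_MAX as the page describes it. The vulnerable path reflects stack[0..nstk] inclusive, so a 16-label stack with no BoS bit leaves nstk == 16 and the reply's 17th word is whatever sits after the array; the fixed path drops such a stack before reflecting anything.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed values: the loop limit mirrors OpenBSD's MPLS_INKERNEL_LOOP_MAX and the
 * bit layout is the standard MPLS shim, label(20) | TC(3) | BoS(1) | TTL(8). */
#define MPLS_INKERNEL_LOOP_MAX 16
#define MPLS_BOS_MASK 0x00000100u
#define MPLS_TTL_MASK 0x000000ffu

struct shim_hdr { uint32_t shim_label; };    /* one 4-byte label stack entry */
struct result { int reflected; uint32_t leaked; };

static uint32_t rd32be(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

static void wr32be(uint8_t *p, uint32_t v)
{ p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }

/* Constructed input: n shims with BoS on entry bos_at (-1 for none), the given
 * TTL on the outermost label and 64 on the rest. Returns bytes written. */
static size_t craft_stack(uint8_t *buf, size_t cap, int n, int bos_at, uint8_t outer_ttl)
{
    if (cap < (size_t)n * sizeof(struct shim_hdr))
        return 0;
    for (int i = 0; i < n; i++) {
        uint32_t shim = (uint32_t)(1000 + i) << 12;      /* label 1000+i, TC 0 */
        shim |= (i == bos_at) ? MPLS_BOS_MASK : 0;
        shim |= (i == 0) ? outer_ttl : 64;
        wr32be(buf + i * sizeof(struct shim_hdr), shim);
    }
    return (size_t)n * sizeof(struct shim_hdr);
}

/* Forwarding decrements the outer TTL; a TTL of 1 expires and takes the error path. */
static int outer_ttl_expired(const uint8_t *pkt, size_t len)
{
    return len >= sizeof(struct shim_hdr) && (rd32be(pkt) & MPLS_TTL_MASK) <= 1;
}

/* Walk the label stack into stack[] (host order). Returns the index where the
 * walk stopped: the BoS entry, or MPLS_INKERNEL_LOOP_MAX when no BoS was seen
 * within the limit; -1 if the packet is truncated. */
static int mpls_walk_stack(const uint8_t *pkt, size_t len, uint32_t *stack)
{
    int nstk;
    for (nstk = 0; nstk < MPLS_INKERNEL_LOOP_MAX; nstk++) {
        if (len < (size_t)(nstk + 1) * sizeof(struct shim_hdr))
            return -1;
        stack[nstk] = rd32be(pkt + nstk * sizeof(struct shim_hdr));
        if (stack[nstk] & MPLS_BOS_MASK)
            break;
    }
    return nstk;
}

/* Reflect stack[0..nstk] inclusive into the reply, as the error path does. */
static int reflect(const uint32_t *stack, uint32_t *reply, int nstk)
{
    for (int i = 0; i <= nstk; i++)   /* i == MPLS_INKERNEL_LOOP_MAX is the over-read */
        reply[i] = stack[i];
    return nstk + 1;
}

/* Pre-fix shape of the error path: nstk == MPLS_INKERNEL_LOOP_MAX is passed on
 * unchecked, so the reflection reads the word after the array. */
static int error_path_vulnerable(const uint8_t *pkt, size_t len, uint32_t *stack, uint32_t *reply)
{
    if (!outer_ttl_expired(pkt, len))
        return 0;
    int nstk = mpls_walk_stack(pkt, len, stack);
    return nstk < 0 ? 0 : reflect(stack, reply, nstk);
}

/* Post-fix shape: a stack that hits the limit without a BoS is dropped. */
static int error_path_fixed(const uint8_t *pkt, size_t len, uint32_t *stack, uint32_t *reply)
{
    if (!outer_ttl_expired(pkt, len))
        return 0;
    int nstk = mpls_walk_stack(pkt, len, stack);
    return (nstk < 0 || nstk == MPLS_INKERNEL_LOOP_MAX) ? 0 : reflect(stack, reply, nstk);
}

/* Run one crafted frame through a builder. frame[] models the kernel stack: MAX
 * shim slots plus one word preset to a sentinel standing in for adjacent memory. */
static struct result run_case(int (*build)(const uint8_t *, size_t, uint32_t *, uint32_t *),
                              int nlabels, int bos_at, uint8_t outer_ttl)
{
    uint8_t pkt[MPLS_INKERNEL_LOOP_MAX * sizeof(struct shim_hdr)];
    uint32_t frame[MPLS_INKERNEL_LOOP_MAX + 1], reply[MPLS_INKERNEL_LOOP_MAX + 1];
    struct result r;
    memset(frame, 0, sizeof frame);
    frame[MPLS_INKERNEL_LOOP_MAX] = 0xdeadbeefu;   /* constructed "adjacent stack" value */
    size_t len = craft_stack(pkt, sizeof pkt, nlabels, bos_at, outer_ttl);
    r.reflected = build(pkt, len, frame, reply);
    r.leaked = r.reflected > MPLS_INKERNEL_LOOP_MAX ? reply[MPLS_INKERNEL_LOOP_MAX] : 0;
    return r;
}
```

Calling run_case(error_path_vulnerable, 16, -1, 1) reproduces the trigger from the writeup: 17 shims come back and the 17th is the sentinel, which is the slot the real kernel fills with whatever happens to follow the array on its stack. The same frame through error_path_fixed reflects nothing, while a well-formed stack (for example three labels with BoS on the third) is reflected identically by both paths, which is the property the fix is meant to preserve.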