PT-2026-41714 · Netbsd · Netbsd
Nasm
Published: 2026-05-18 · Updated: 2026-05-18
CVE-2026-32849
CVSS v3.1: 5.5 Medium
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
NetBSD versions prior to commit ec8451e
Description
A signed integer overflow exists in the cryptodev_op() function within sys/opencrypto/cryptodev.c. The issue occurs because the local variable iov_len is declared as a signed integer but is assigned a value from the unsigned cop->dst_len variable, leading to undefined behavior when cop->dst_len exceeds INT_MAX. A local attacker with access to '/dev/crypto' and a compression session type can exploit this by providing a dst_len value exceeding INT_MAX. This can result in corrupted UIO pointer arithmetic or a kernel panic via NULL pointer dereference when CONFIG_SVS is disabled.
Recommendations
Update to the version containing commit ec8451e.
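The signed/unsigned mismatch described above, next to a range-checked form, as an added example that is not the NetBSD source and not the change made in commit ec8451e. The `demo_*` names and the `demo_comp_req` structure are hypothetical stand-ins; only the `dst_len` and `iov_len` names come from the description.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the request field named in the advisory. */
struct demo_comp_req {
    uint32_t dst_len;            /* caller-controlled, unsigned */
};

/* Pattern from the description: an unsigned length stored in a signed int.
 * With common compilers a value above INT_MAX comes out negative. */
static int demo_len_unchecked(const struct demo_comp_req *req)
{
    int iov_len = (int)req->dst_len;
    return iov_len;
}

/* Models offset arithmetic that trusts the signed length: a negative
 * iov_len places the "end" of the buffer before its start. */
static long long demo_end_offset(long long start, int iov_len)
{
    return start + iov_len;
}

/* Hardened form: reject lengths that do not fit in int before any
 * narrowing, and carry the accepted length in size_t. */
static int demo_len_checked(const struct demo_comp_req *req, size_t *out)
{
    if (req->dst_len > (uint32_t)INT_MAX)
        return EINVAL;
    *out = (size_t)req->dst_len;
    return 0;
}

int main(void)
{
    struct demo_comp_req big = { 0x80000001u };   /* constructed input */
    size_t n = 0;
    int len = demo_len_unchecked(&big);

    printf("unchecked iov_len: %d\n", len);
    printf("end offset from 4096: %lld\n", demo_end_offset(4096, len));
    printf("checked result: %d\n", demo_len_checked(&big, &n));
    return 0;
}
```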
NULL Pointer Dereference
Integer Overflow
Affected Products
Netbsd