Executive Summary

CVE-2026-41285 is a vulnerability in OpenBSD versions through 7.8 affecting the slaacd and rad daemons. These daemons enter an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option with a length of zero over a local network. The root cause is an expression that calculates based on the ND option length without first checking if the length is zero, leading to improper handling of malformed ND options.

Specifically, the vulnerability causes the affected daemons to spin indefinitely, consuming excessive CPU resources and becoming unresponsive. This happens when they process Router Advertisement messages containing malformed ND options with zero length.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause denial of service on affected OpenBSD systems by making the slaacd and rad daemons enter an infinite loop and consume excessive CPU resources. This can lead to degraded system performance or unresponsiveness, especially on systems relying on these daemons for IPv6 network configuration and routing.

Since the attack vector is local network-based, an attacker on the same local network can send specially crafted ICMPv6 Neighbor Discovery packets to trigger this condition.

The CVSS v3.1 base score of 4.3 reflects a low complexity attack with no privileges required and no user interaction, but the impact is limited to availability (denial of service) without affecting confidentiality or integrity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes the slaacd and rad daemons on OpenBSD through 7.8 to enter an infinite loop and consume excessive CPU resources when they receive a crafted ICMPv6 Neighbor Discovery option with length zero.

Detection can be performed by monitoring the CPU usage of the slaacd and rad processes for unusually high or sustained spikes, which may indicate the infinite loop condition triggered by malformed ND packets.

Additionally, network traffic analysis tools can be used to capture and inspect ICMPv6 Neighbor Discovery packets on the local network to identify any packets containing ND options with a length of zero.

• Use system monitoring commands such as `top` or `ps` on OpenBSD to check for high CPU usage by slaacd or rad daemons.
• Capture ICMPv6 Neighbor Discovery traffic using packet capture tools like `tcpdump` with a filter for ICMPv6 ND packets, for example: `tcpdump -i <interface> icmp6 and ip6[40] == 135` (where 135 is the ICMPv6 type for Neighbor Solicitation).
• Analyze captured packets for ND options with zero length, which are malformed and trigger the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to apply the official OpenBSD patches that fix this vulnerability.

Specifically, OpenBSD released Patch 029 (dated April 14, 2026) which fixes the infinite spinning in rad(8) and slaacd(8) caused by malformed packets with zero-length ND options.

Users should promptly apply this patch using the syspatch(8) utility or manually apply the patch to ensure the daemons correctly validate ND option lengths and prevent the denial-of-service condition.

Until the patch is applied, consider monitoring and limiting ICMPv6 Neighbor Discovery traffic from untrusted sources on the local network to reduce the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2026-41285 on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0