CVE-2026-32848
Race Condition in NetBSD cryptodev_op Leads to Double-Free
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netbsd | netbsd | before commit ec8451e (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
| CWE-415 | The product calls free() twice on the same memory address. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in NetBSD versions prior to commit ec8451e and involves a race condition in the cryptodev_op() function within the opencrypto subsystem.
Local attackers can exploit this by concurrently issuing CIOCCRYPT operations on the same session identifier on SMP (Symmetric Multiprocessing) systems, which triggers a double-free condition.
This double-free condition allows attackers to corrupt kernel heap memory by exploiting mutable per-operation state embedded in the csession struct.
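The bug class described above, reduced to a deterministic single-threaded model. This is an added example, not NetBSD source and not the upstream fix; `session_model`, `op_state` and the tracking allocator are hypothetical names. It replays one interleaving of two operations on the same session and counts repeated frees, first with the per-operation state embedded in the shared session, then with each operation owning its state.

```c
#include <stdio.h>
#include <stdlib.h>
/* Simplified model, NOT NetBSD code: every name below is hypothetical. */
static void *tracked[8];
static int is_live[8], n_tracked, double_frees;
static void *t_alloc(void) {
    void *p = malloc(16);
    if (!p) abort();
    tracked[n_tracked] = p;
    is_live[n_tracked++] = 1;
    return p;
}
/* Records a repeated free of the same pointer instead of performing it. */
static void t_free(void *p) {
    for (int i = 0; i < n_tracked; i++)
        if (tracked[i] == p) {
            if (is_live[i]) is_live[i] = 0; else double_frees++;
            return;
        }
}
/* Releases every allocation exactly once and returns the repeated-free count. */
static int t_finish(void) {
    int count = double_frees;
    for (int i = 0; i < n_tracked; i++) free(tracked[i]);
    n_tracked = double_frees = 0;
    return count;
}

struct op_state { void *buf; };               /* scratch data for one operation */
struct session_model { struct op_state op; }; /* weak: scratch lives in the shared session */
static void op_begin(struct op_state *st) { st->buf = t_alloc(); }
static void op_end(struct op_state *st)   { t_free(st->buf); }

/* Operations A and B on one session, ordered A-begin, B-begin, A-end, B-end as
 * two CPUs could run them. shared=1: embedded state; shared=0: per-operation state. */
int run_interleaving(int shared) {
    struct session_model s;
    struct op_state a, b;
    struct op_state *sa = shared ? &s.op : &a, *sb = shared ? &s.op : &b;
    op_begin(sa);
    op_begin(sb);   /* shared: overwrites A's pointer, A's buffer is orphaned */
    op_end(sa);     /* shared: releases B's buffer */
    op_end(sb);     /* shared: releases B's buffer a second time */
    return t_finish();
}

int main(void) {
    printf("embedded: %d, per-op: %d\n", run_interleaving(1), run_interleaving(0));
    return 0;
}
```

Serialising operations per session with a lock closes the same window; the model uses per-operation state only because it maps directly onto the cause named in the description.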
How can this vulnerability impact me?
The vulnerability can lead to corruption of kernel heap memory, which may cause system instability or crashes.
Because it involves a double-free condition triggered by local attackers, it could potentially be used to escalate privileges or execute arbitrary code within the kernel context.
However, exploitation requires local access and concurrent operations on SMP systems, which may limit the attack surface.