CVE-2026-56099
Received - Intake
Out-of-Bounds Read in OpenBSD MPLS Input Handling

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: VulnCheck

Description
OpenBSD before commit 6a23123 (2026-06-18) contains an out-of-bounds read vulnerability in the mpls_do_error function within sys/netmpls/mpls_input.c that allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames with 16 labels and no Bottom-of-Stack bit set.
Meta Information
Published: 2026-06-18
Last Modified: 2026-06-18
Generated: 2026-06-19
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product    Version / Range
openbsd   openbsd    to 6a23123 (exc)
CWE ID    Description
CWE-125   The product reads data past the end, or before the beginning, of the intended buffer.
Compliance Impact

The CVE-2026-56099 vulnerability allows remote attackers to disclose kernel stack memory by sending crafted MPLS frames. This memory disclosure could potentially expose sensitive information residing in kernel memory.

Such unauthorized disclosure of information may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access and leaks.

However, the provided information does not specify the exact nature of the leaked data or whether it includes personal or protected health information, so the direct compliance impact cannot be fully determined from the available data.

Executive Summary

CVE-2026-56099 is a vulnerability in OpenBSD's MPLS (Multiprotocol Label Switching) stack parsing code, specifically in the mpls_do_error function within sys/netmpls/mpls_input.c. The flaw occurs when the system processes an MPLS label stack containing 16 labels without the Bottom-of-Stack (BoS) bit set. This causes an out-of-bounds read because the code attempts to read one more label than the fixed-size 16-entry array can hold.

As a result, the system reads adjacent kernel stack memory beyond the intended boundary and includes this leaked data in an ICMP/MPLS error response sent back to the attacker. This allows a remote attacker to disclose kernel stack memory by sending specially crafted MPLS frames.

Impact Analysis

This vulnerability allows a remote attacker to disclose sensitive kernel stack memory by sending crafted MPLS frames. The attacker can repeatedly exploit this flaw to gradually harvest kernel memory contents without causing a system crash.

The disclosed kernel memory could potentially contain sensitive information, which may aid further attacks or compromise system security. However, this vulnerability does not allow direct code execution or denial of service by itself.

Detection Guidance

This vulnerability can be detected by monitoring for incoming MPLS frames that contain 16 labels without the Bottom-of-Stack (BoS) bit set and an outermost TTL of 1. Such crafted packets trigger the vulnerability and cause the kernel to leak stack memory in ICMP/MPLS error responses.

To detect this on your network, you can capture and analyze MPLS traffic using packet capture tools like tcpdump or Wireshark, filtering for MPLS label stacks of length 16 without the BoS bit set.

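  • Use tcpdump to capture MPLS packets for offline inspection: tcpdump -i <interface> -w mpls.pcap mpls (pcap filter syntax has no primitives for label-stack length or the BoS bit, so those checks are made on the captured frames).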
  • Analyze captured packets in Wireshark to inspect MPLS label stacks and verify if any have 16 labels without the BoS bit set.

Additionally, monitoring for unusual ICMP/MPLS error responses containing leaked kernel stack memory can indicate exploitation attempts.
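
The check described above, written as an added example (not code from this page or from OpenBSD) that runs over raw captured frames. It assumes untagged Ethernet II framing with EtherType 0x8847 or 0x8848; the function names and the sample frames are constructed for illustration.

```python
import struct

MPLS_ETHERTYPES = {0x8847, 0x8848}   # MPLS unicast / multicast
MAX_DEPTH = 16                        # label-array size named in the advisory

def label_stack(frame, limit=MAX_DEPTH):
    """Decode up to `limit` label entries from an untagged Ethernet II frame.
    Returns [(label, bos, ttl), ...], or None if the frame is not MPLS."""
    if len(frame) < 14 or struct.unpack_from("!H", frame, 12)[0] not in MPLS_ETHERTYPES:
        return None
    entries, off = [], 14
    while len(entries) < limit and off + 4 <= len(frame):
        (word,) = struct.unpack_from("!I", frame, off)
        bos = bool(word & 0x100)                  # S bit: bit 8 of the entry
        entries.append((word >> 12, bos, word & 0xFF))
        off += 4
        if bos:
            break                                 # stack ends at Bottom-of-Stack
    return entries

def check_frame(frame):
    """Return a finding when the first 16 entries all lack BoS, else None."""
    stack = label_stack(frame)
    if not stack or len(stack) < MAX_DEPTH or any(bos for _, bos, _ in stack):
        return None
    return {"depth_without_bos": len(stack), "outer_ttl": stack[0][2],
            "outer_ttl_is_1": stack[0][2] == 1}

def scan(frames):
    """Return [(index, finding)] for every flagged frame."""
    return [(i, hit) for i, fr in enumerate(frames) if (hit := check_frame(fr))]

def _sample(labels, bos_on_last, ttl=64):
    """Constructed test frame: zeroed MACs, EtherType 0x8847, 20 payload bytes."""
    last = len(labels) - 1
    words = [(lab << 12) | ((bos_on_last and i == last) << 8) | ttl
             for i, lab in enumerate(labels)]
    return bytes(12) + struct.pack(f"!H{len(words)}I", 0x8847, *words) + bytes(20)

# Constructed frames, not captured traffic.
SAMPLES = [
    _sample([100], True),                       # 0: ordinary single label
    _sample(list(range(16, 32)), True),         # 1: 16 labels, BoS on the 16th
    _sample(list(range(16, 32)), False, ttl=1), # 2: 16 labels, no BoS, TTL 1
    _sample(list(range(16, 33)), True),         # 3: 17 labels, over the array size
    bytes(12) + b"\x08\x00" + bytes(20),        # 4: IPv4 EtherType, not MPLS
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLES):
        print(index, finding)
```

Frames flagged with outer_ttl_is_1 set match the pattern given in the detection guidance; flagged frames with a larger TTL still carry a stack deeper than the 16-entry array and deserve a look.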

Mitigation Strategies

The immediate mitigation step is to update OpenBSD to the fixed version that includes the patch committed on June 18, 2026 (commit 6a23123). This patch adds validation to drop MPLS packets with label stacks exceeding the maximum allowed depth, preventing the out-of-bounds read.

If updating immediately is not possible, consider implementing network-level filtering to block MPLS frames with 16 labels and no Bottom-of-Stack bit set, especially those with an outermost TTL of 1, to prevent exploitation.

Monitoring network traffic for suspicious MPLS packets and ICMP/MPLS error responses can also help in early detection and response.
