Top
Best
New

Posted by linggen 4 hours ago

OpenBSD has a use-after-free allowing local privilege escalation to root(nvd.nist.gov)
131 points | 60 comments
Tiberium 2 hours ago|
Seems to be found as a part of Patch The Planet [0] which is basically OpenAI giving model access and Trail of Bits using them to find vulnerabilities in OSS projects.

[0] https://openai.com/index/patch-the-planet/

john_strinlai 2 hours ago||
neat, i'm a big fan of trail of bits but apparently missed this announcement. here's their post: https://blog.trailofbits.com/2026/06/22/introducing-patch-th... and a summary of week 1: https://gist.github.com/patch-the-planet/69fd1aa925c8e73edea...
TacticalCoder 11 minutes ago||
Sidenote but... I read this on that link:

dnsmasq: Codex Security independently identified vulnerable patterns corresponding to four of the six dnsmasq CVEs later fixed in 2.92rel2: CVE-2026-4890 (opens in a new window), CVE-2026-4891 (opens in a new window), CVE-2026-4892 (opens in a new window), and CVE-2026-517

dnsmasq has had so many freaking security holes in 2025 and 2026 that atm I decided to just remove that thing from all my machines.

trashb 52 minutes ago||
One bug found is a testament to the great diligence and culture around security of OpenBSD. Especially if you take into account the amount of resources they have been able to achieve this with.
sunshine-o 13 minutes ago|
Exactly, the entire AI industry has been trying to create an AI powered security arm race. I am not necessarily blaming them.

Hard to know how much has been thrown into this but I would bet a lot.

So far I have been very surprised we haven't been flooded by those type of announcements. If you look you will always find something and OpenBSD is the top price.

uticus 2 hours ago||
> Only two remote holes in the default install, in a heck of a long time!

https://www.openbsd.org/

https://en.wikipedia.org/wiki/OpenBSD#Security_record

anonym29 2 hours ago|
LPE (to root) is serious, but it's not a remote hole.
ptx 33 seconds ago||
Is this functionality accessible from sandboxed processes? That would make a remote hole much more dangerous when one is found, anyway. The CVE seems to concern SysV semaphores and the pledge(2) man page doesn't seem to mention those.
Arubis 2 hours ago||
OpenBSD's security stance being the stuff of legend, I'm curious how many vulns have been found over the last couple months while the big model companies are flaunting their ability to find exploits. It'd be super cool to see it remain tiny.
wahern 2 hours ago||
According to https://openai.com/index/patch-the-planet/

Linux: 24 LPEs, plus many additional vulnerabilities.

OpenBSD: 1 LPE.

FreeBSD: 7 LPEs, plus many additional vulnerabilities.

Not sure what that says, though. Perhaps the models are more likely to find Linux issues because of the training.

_flux 1 hour ago|||
I wonder how many of the Linux the LPEs are related to drivers, which I understand there are more of..
dcrazy 1 hour ago||||
Or Linux development is significantly more active.
ori_b 1 hour ago||
This is an external audit. Why would Linux activity make a difference here? Are you theorizing that the churn causes bugs?
asveikau 1 hour ago|||
> Are you theorizing that the churn causes bugs?

Seems to be the case.

How many times do you see a bug investigation and it's determined when the bug was introduced?

Do you ever look at the diff that introduced it to understand what was going on in the project at the time? Often, it's in service to a new feature. Sometimes the original change is questionable when you consider you traded it for a severe bug.

tosti 1 hour ago||||
When more code is written, more bugs are written.

Or, if the act of debugging is removing the bugs from software, then the act of programming is to put the bugs in the software.

dwroberts 1 hour ago||||
Linux is a much larger project receiving changes to tons of systems from lots of different sources. The combined behaviour of those things working together is massively harder to understand and test.

Copyfail being introduced by an optimization made to some random crypto module is a good example of this.

throw-qqqqq 1 hour ago|||
The Linux kernel is generally much larger than OpenBSD which is quite minimal.

But I do agree with you - not directly related to activity.

dcrazy 1 hour ago||
As another commenter said, number of bugs increases with lines of code changed.
kevincox 1 hour ago|||
It is quite possible that Linux is the bigger target so it gets more focus. Vulnerabilities there are generally considered more valuable and notable. It would be very difficult to use these numbers to get a meaningful "more secure" stance as there are tons of variables.
dspillett 12 minutes ago|||
If this is just counting the kernel, than Linux is probably a bigger target both i terms of current code size and the amount of churn in the codebase as things change over time. Some of the LPEs might (I've not checked) be in modules that are not commonly loaded, which mitigates their overall significance somewhat.

In the less likely even that this is counting what laymen would call Linux or BSD, i.e. both the kernel and common libraries & tools, then Linux definitely has a wider attack surface. Though some of that surface is shared as some userland parts are common to both.

As with your assessment, I'd agree that these flat numbers without looking for further context don't really give enough for a one-is-more-or-less-secure statement.

acdha 33 minutes ago|||
Linux also has a ton of extra functionality so I think you’d also have to do some adjustment for “as a user would I be at risk?” versus “can I be a user because it supports my needs?” Some of that would be unfavorable for many users (e.g. a Linux user who is exposed due to a network protocol or file system they’ll never use) but that’s certainly not true of every feature.
hulitu 11 minutes ago||
Linux also has a ton of bloat. Configuring your own kernel has become an exercise in frustration because documentation is worse "There is no help for this kernel option" and a lot of things are enabled "by default".
ectospheno 2 hours ago|||
The commit logs over the last few months have highlighted when an issue was found by a program. They usually name the submitter and the tool.
mmooss 1 hour ago|||
I think of it more as their attention to quality in their code:

Given the 'quality' of most code, especially under commercial pressure, it's no surprise that much more effective tools will find many more vulnerabilities. Did OpenBSDs quality approach work in this respect?

bee_rider 55 minutes ago||
A local escalation in BSD is still apparently worth a front page post here, so that seems pretty good.

I wonder why we don’t see more about local escalations in Windows. Of course, being closed source is a little bit of a barrier, but these tools can read assembly pretty well, right?

acdha 27 minutes ago||
I’ve heard a couple people say that Microsoft has patched a record number of bugs internally this year so it might be the case that it’s simply more opaque because it’s initiated internally and doesn’t involve a public Git repo or a third-party researcher.
JCattheATM 1 hour ago||
> OpenBSD's security stance being the stuff of legend,

More so their marketing.

throwaway27448 55 minutes ago||
What does openbsd marketing look like?
tiffanyh 1 hour ago||
Can anyone find the mailing list thread on this topic (or does it not exist because @security are private mailing list)?

I did find another use-after-free bug from a couple months ago on the mailing list:

https://marc.info/?t=177581065500002&r=1&w=2

jsiepkes 2 hours ago||
If this is a local privilege escalation to root, why can't I find anything on https://www.openbsd.org/security.html ?
justthehuman 2 hours ago||
Best guess, from the commit message alone[0]: It was fixed as a bug, at the time they didn't have evidence it could lead to LPE

The AI security tool then, retroactively discovered that it could have been used for LPE.

Again, just my guess I could be wrong.

[0] https://github.com/openbsd/src/commit/1957873d2063db11dab780...

stackghost 2 hours ago||
OpenBSD has a reputation for being... selective about what they admit is a security-relevant bug.
seethishat 1 hour ago||
They appreciate technical correctness and they do not exaggerate. Most 'security researchers' are not technically correct and they exaggerate a lot (seeking fame and all).

Dismissing their claims is not being selective, it's just the right thing to do.

WhereIsTheTruth 11 minutes ago||
Ah, it was too good to be true, BSD too is becoming rusty.. ahh, what's left?
gjvc 2 hours ago||
from the link:

sys/kern/sysv_sem.c in OpenBSD through 7.9 has a use-after-free allowing local privilege escalation to root. This is a context switch use-after-free after tsleep in sys_semget().

iberator 2 hours ago||
Blasphemy
znpy 2 hours ago|
and yet...
preetham_rangu 2 hours ago|
[dead]
More comments...