惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

小众软件
小众软件
IT之家
IT之家
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Security Archives - TechRepublic
Security Archives - TechRepublic
P
Proofpoint News Feed
C
CERT Recently Published Vulnerability Notes
阮一峰的网络日志
阮一峰的网络日志
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
P
Palo Alto Networks Blog
Know Your Adversary
Know Your Adversary
D
Darknet – Hacking Tools, Hacker News & Cyber Security
Cisco Talos Blog
Cisco Talos Blog
L
Lohrmann on Cybersecurity
AWS News Blog
AWS News Blog
J
Java Code Geeks
博客园_首页
Scott Helme
Scott Helme
WordPress大学
WordPress大学
有赞技术团队
有赞技术团队
T
The Exploit Database - CXSecurity.com
Security Latest
Security Latest
V
Visual Studio Blog
Cloudbric
Cloudbric
Jina AI
Jina AI
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
博客园 - 叶小钗
Apple Machine Learning Research
Apple Machine Learning Research
博客园 - 聂微东
人人都是产品经理
人人都是产品经理
A
Arctic Wolf
C
Cybersecurity and Infrastructure Security Agency CISA
S
SegmentFault 最新的问题
The Last Watchdog
The Last Watchdog
SecWiki News
SecWiki News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
W
WeLiveSecurity
K
Kaspersky official blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hacker News: Ask HN
Hacker News: Ask HN
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
宝玉的分享
宝玉的分享
Hugging Face - Blog
Hugging Face - Blog
量子位
Google Online Security Blog
Google Online Security Blog
博客园 - Franky
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - 三生石上(FineUI控件)
Recent Commits to openclaw:main
Recent Commits to openclaw:main

Full Disclosure

[NotCVE-2026-0001] Cloudflare Universal SSL CAA augmentation weakens RFC 8657 account binding — CVE-2026-14440 assigned 163 days after public no-CVE disclosure Full Disclosure: Subject: Advisory Submission: EZ Game Booster Full Disclosure: CVE-2026-56877 - Skillable SCORM userId authorisation bypass Full Disclosure: [REVIVE-SA-2026-003] Revive Adserver Vulnerabilities Full Disclosure: OPNsense XPATH Injection (CVE-2026-53582) Authentication Bypass for SafeLine SL6 and SL6+ confidentiality and anonymity leakage to third parties Full Disclosure: OpenBlow Multiple Deanonymization Vulnerabilities Site-access password exposed in web server access logs via GET query string Full Disclosure: APPLE-SA-06-29-2026-3 Safari 26.5.2 Full Disclosure: APPLE-SA-06-29-2026-2 macOS Tahoe 26.5.2 APPLE-SA-06-29-2026-1 iOS 26.5.2 and iPadOS 26.5.2 symlink following and TOCTOU in privileged upload handler allow arbitrary file write as root [KIS-2026-12] Control Web Panel <= 0.9.8.1224 (userRes) SQL Injection Vulnerability Full Disclosure: [fulldis] CVE-2026-58451 - Horde Groupware IMP path traversal vuln Full Disclosure: Samsung Galaxy Buds – Zero-Click HFP/A2DP Takeover via L2CAP Session Preemption (Vendor Response: Working as Intended) Full Disclosure: Asterisk Security Release 23.4.1 Full Disclosure: Asterisk Security Release 22.10.1 Full Disclosure: Asterisk Security Release 21.12.3 Full Disclosure: Asterisk Security Release 20.20.1 Certified Asterisk Security Release certified-22.8-cert3 Certified Asterisk Security Release certified-20.7-cert11 Zig std.http chunked reader integer overflow -> unauthenticated remote DoS Full Disclosure: OpenBSD sppp_pap_input: PAP authentication bypass Full Disclosure: SEC Consult SA-20260618-0 :: Hardcoded Root Cloud Credentials in Application Binaries in Silver Leaf Technologies Full Disclosure: SEC Consult SA-20260617-1 :: Multiple Vulnerabilities in Quanos Content Solutions Multiple Critical Vulnerabilities in Sprecher Automation SPRECON-E-C/-E-P/-E-T3 Full Disclosure: SEC Consult SA-20260616-0 :: Broken Access Control in syracom AG Secure Login (2FA) for Atlassian Jira / Confluence APPLE-SA-06-16-2026-1 Beats Firmware Update 1B211 PHP 8.5.7 `levenshtein()` signed-integer overflow Full Disclosure: PHP 8.5.7 `dom_xml_serialization_algorithm()` stack-overflow PHP 8.5.7 `mb_substr()` 'SJIS-mac' size_t underflow PHP 8.5.7 `FILTER_SANITIZE_ENCODED` uninitialized read Cross-Tenant Authentication Bypass by Spoofing in N-able Mail Assure Multiple Vulnerabilities in Wertheim SafeController Hardware for VAULT ROOMS (Safe Deposit Locker System – Microcontroller) Multiple Critical Vulnerabilities in Wertheim SafeController Software for VAULT ROOMS (Safe Deposit Locker System) Local Privilege Escalation in Slate Digital Connect (macOS) Full Disclosure: SEC Consult SA-20260609-0 :: Multiple Local Privilege Escalation Vulnerabilities in Waves Audio [KIS-2026-11] Discuz! <= X5.0 (enable_disable.php) Local File Inclusion Vulnerability [KIS-2026-10] Discuz! <= X5.0 OCR-based CAPTCHA Bypass Vulnerability [KIS-2026-09] Discuz! X5.0 (UC_KEY) Cross-Context Token Reuse Vulnerability Privilege Escalation via Binary Planting in Genetec-provided RabbitMQ in multiple Genetec products [SYSS-2026-004] SAP NetWeaver SAML XML Signature Wrapping Full Disclosure: [REVIVE-SA-2026-002] Revive Adserver Vulnerabilities Full Disclosure: CyberDanube Security Research 20260528-0 four vulnerabilities — two unfixed, GHSA without a CVE Full Disclosure: Re: Dovecot Security Advisory OXDC-2026-0002 SSRF in Anthropic mcp-server-fetch and Microsoft playwright-mcp — publicly disclosed via GitHub issues Full Disclosure: [SECURITY ADVISORY] CVE-2021-21735 Full Disclosure: [SECURITY ADVISORY] CVE-2026-34474 Full Disclosure: [SECURITY ADVISORY] CVE-2026-34472 Full Disclosure: [SECURITY ADVISORY] CVE-2026-34473 Multiple vulnerabilities in Sparx Pro Cloud Server and Enterprise Architect Full Disclosure: APPLE-SA-05-13-2026-1 Safari 26.5 Full Disclosure: APPLE-SA-05-11-2026-11 visionOS 26.5 Full Disclosure: APPLE-SA-05-11-2026-10 watchOS 26.5 Full Disclosure: APPLE-SA-05-11-2026-9 tvOS 26.5 Full Disclosure: APPLE-SA-05-11-2026-8 macOS Sonoma 14.8.7 Full Disclosure: APPLE-SA-05-11-2026-7 macOS Sequoia 15.7.7 APPLE-SA-05-11-2026-5 iOS 15.8.8 and iPadOS 15.8.8 APPLE-SA-05-11-2026-4 iOS 16.7.16 and iPadOS 16.7.16 Full Disclosure: APPLE-SA-05-11-2026-3 iPadOS 17.7.11 APPLE-SA-05-11-2026-2 iOS 18.7.9 and iPadOS 18.7.9 APPLE-SA-05-11-2026-1 iOS 26.5 and iPadOS 26.5 Impersonation attacks on Edupage portal Edupage web and mobile application authorization bypass leaks PII and IBAN codes Full Disclosure: Dovecot Security Advisory OXDC-2026-0002 Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro (CVE-2024-13971) Arbitrary File Read and Server Side Request Forgery via XML External Entities in 4D Server SOAP (CVE-2024-39847) ESP-RFID-Tool v2 PRO — Full Public Disclosure DLL Hijacking in EfficientLab Controlio (cloud-based employee monitoring service) Broken Access Control in Config Endpoint in LiteLLM Exposed Private Key of X.509 Certificate in SAP HANA Cockpit & SAP HANA Database Explorer APPLE-SA-04-22-2026-2 iOS 18.7.8 and iPadOS 18.7.8 APPLE-SA-04-22-2026-1 iOS 26.4.2 and iPadOS 26.4.2 When Trusted Tools Become Attack Primitives [KIS-2026-08] SocialEngine <= 7.8.0 (get-memberall) SQL Injection Vulnerability [KIS-2026-07] SocialEngine <= 7.8.0 Blind Server-Side Request Forgery Vulnerability Full Disclosure: Trojan-Spy.Win32.Small / Remote Command Execution Full Disclosure: [IWCC 2026] CfP: 15th International Workshop on Cyber Crime GoAnywhere MFT Email HTML Injection Full Disclosure: CyberDanube Security Research 20260408-1 Full Disclosure: CyberDanube Security Research 20260408-0 Improper Enforcement of Locked Accounts in WebUI (SSO) in Kiuwan SAST on-premise (KOP) & cloud/SaaS Broken Access Control in Open WebUI Full Disclosure: SEC Consult SA-20260326-0 :: Local Privilege Escalation in Vienna Assistant (MacOS) 14 Third-Party Endpoints, 6 Countries, Zero User Visibility [KIS-2026-06] MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability [CVE-2026-33691] OWASP CRS whitespace padding bypass vulnerability Full Disclosure: APPLE-SA-03-24-2026-10 Xcode 26.4 Full Disclosure: APPLE-SA-03-24-2026-9 Safari 26.4 Full Disclosure: APPLE-SA-03-24-2026-8 visionOS 26.4 Full Disclosure: APPLE-SA-03-24-2026-7 watchOS 26.4 Full Disclosure: APPLE-SA-03-24-2026-6 tvOS 26.4 Full Disclosure: APPLE-SA-03-24-2026-5 macOS Sonoma 14.8.5 Full Disclosure: APPLE-SA-03-24-2026-4 macOS Sequoia 15.7.5 Full Disclosure: APPLE-SA-03-24-2026-3 macOS Tahoe 26.4 APPLE-SA-03-24-2026-2 iOS 18.7.7 and iPadOS 18.7.7 APPLE-SA-03-24-2026-1 iOS 26.4 and iPadOS 26.4
Remote Kernel Stack Disclosure via MPLS Label Stack Over-read
shj · 2026-06-21 · via Full Disclosure
fulldisclosure logo

Full Disclosure mailing list archives

OpenBSD mpls_do_error: Remote Kernel Stack Disclosure via MPLS Label Stack Over-read


From: shj <shahriyar () byteray co uk>
Date: Fri, 19 Jun 2026 07:32:14 +0200

------------------------------------------------------------------------
OpenBSD mpls_do_error: Remote Kernel Stack Disclosure via MPLS Label Stack Over-read
------------------------------------------------------------------------

Affected:  OpenBSD -current prior to 2026-06-18 (fixed in -current)
Vendor:    OpenBSD
Severity:  Medium
Reporter:  Argus Systems
Date:      2026-06-12
CVE:       CVE-2026-56099


1. SUMMARY
==========

The mpls_do_error() function in sys/netmpls/mpls_input.c parses an
incoming MPLS label stack into a fixed-size local array,
struct shim_hdr stack[MPLS_INKERNEL_LOOP_MAX] (16 entries). When the
parse loop completes without encountering the Bottom-of-Stack (BoS)
label, nstk reaches MPLS_INKERNEL_LOOP_MAX (16). Several subsequent
code paths then compute a copy length of (nstk + 1) * sizeof(*shim)
-- 17 entries -- and use it with icmp_do_exthdr(), M_PREPEND(), and
m_copyback() against the 16-entry stack object. This reads one
struct shim_hdr (4 bytes) past the end of the array, and that data is
reflected back to the sender inside the generated ICMP/MPLS error
response.


2. AFFECTED VERSIONS
====================

The (nstk + 1) length computations against the 16-entry stack[] array
were introduced with the ICMP/MPLS error path on 2010-09-13 (commit
201d6983add, "First shot at ICMP error handling inside an MPLS path.
Currently only TTL exceeded errors for IPv4 are handled."). The parse
loop was bounded by MPLS_INKERNEL_LOOP_MAX (16), but nothing rejected
a stack that ran to completion without a BoS bit, so nstk could reach
16 and the subsequent (nstk + 1) reads accessed stack[16].

Affected: OpenBSD -current prior to 2026-06-18 (mpls_input.c pre
v1.82).


3. DETAILS
==========

Vulnerable code (sys/netmpls/mpls_input.c, mpls_do_error):

  struct shim_hdr stack[MPLS_INKERNEL_LOOP_MAX];   /* 16 entries */
  ...
  for (nstk = 0; nstk < MPLS_INKERNEL_LOOP_MAX; nstk++) {
      ...
      stack[nstk] = *mtod(m, struct shim_hdr *);
      m_adj(m, sizeof(*shim));
      if (MPLS_BOS_ISSET(stack[nstk].shim_label))
          break;
  }
  /* no guard: with no BoS bit set, nstk == 16 here */

  shim = &stack[0];
  ...
  case IPVERSION:
      ...
      if (icmp_do_exthdr(m, ICMP_EXT_MPLS, 1, stack,
          (nstk + 1) * sizeof(*shim)))
          return (NULL);
      ...

MPLS_INKERNEL_LOOP_MAX is defined as 16 and sizeof(struct shim_hdr) is
4. With nstk == 16, each of these copies 17 * 4 = 68 bytes from a
64-byte stack[] object, reading stack[16] -- one struct shim_hdr (4
bytes) of adjacent kernel stack -- and including it in the response.

The same (nstk + 1) length is later used to prepend and m_copyback()
the stack back onto the reflected packet:

  M_PREPEND(m, (nstk + 1) * sizeof(*shim), M_NOWAIT);
  ...
  m_copyback(m, 0, (nstk + 1) * sizeof(*shim), stack, M_NOWAIT);

so the leaked entry also travels on the wire as the 17th MPLS shim
header of the returned frame.


4. REACHABILITY
===============

The path is reachable remotely via mpls_input() -> mpls_do_error() on
systems that have MPLS enabled on an interface. The trigger is a
crafted MPLS frame (EtherType 0x8847) carrying 16 labels with no BoS
bit set and an outermost label TTL of 1, so the TTL-exceeded error
path is taken:

  mpls_input  (ttl <= 1)
    -> mpls_do_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0)

The inner payload must be IPv4 so the IPVERSION branch is reached.


5. IMPACT
=========

Each crafted packet leaks 4 bytes of kernel stack memory adjacent to
the stack[] array. The leak is carried in the ICMP/MPLS extension
object of the error response reflected back to the sender, so an
attacker can harvest the leaked bytes.


6. PROOF OF CONCEPT
===================

A Python/Scapy PoC sends a 16-label MPLS frame with no BoS bit set
and an outermost label TTL of 1, then captures the reply. On a
vulnerable kernel the reply carries 17 MPLS shim headers on the wire;
the 17th (stack[16]) is the leaked kernel stack data.

PoC:
https://pop.argus-systems.ai/attachments/poc-008-mpls-stack-leak.py


7. FIX
======

Fixed in -current by mvs on 2026-06-18. The fix adds a guard that
drops a label stack which runs to completion without a BoS bit, so
nstk can no longer reach MPLS_INKERNEL_LOOP_MAX:

  if (nstk >= MPLS_INKERNEL_LOOP_MAX) {
      m_freem(m);
      return (NULL);
  }

Fix commit (mpls_input.c v1.82):
https://github.com/openbsd/src/commit/6a23123ec05f1eb29cfcaae0f3a468b2e1983cfd


8. TIMELINE
===========

  2026-06-12  Reported to security () openbsd org with PoC
  2026-06-18  Fix committed to -current


9. CREDIT
=========

Discovered and reported by Argus Systems (https://byteray.co.uk/).


10. REFERENCES
==============

Advisory:
  https://pop.argus-systems.ai/advisory/adv-040.html

Proof of concept:
https://pop.argus-systems.ai/attachments/poc-008-mpls-stack-leak.py

Fix commit:
https://github.com/openbsd/src/commit/6a23123ec05f1eb29cfcaae0f3a468b2e1983cfd

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Current thread:

  • OpenBSD mpls_do_error: Remote Kernel Stack Disclosure via MPLS Label Stack Over-read shj (Jun 20)