OpenBSD ICMPv6 Neighbor Discovery Option Length Zero Infinite Loop Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the slaacd and rad daemons in OpenBSD versions through 7.8. These daemons enter an infinite loop when they receive, over the local network, a crafted ICMPv6 Neighbor Discovery message containing a zero-length option. The loop is triggered by an expression that calculates the option length without first verifying whether it is zero, causing the daemons to spin and do nothing.
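
The check described above, as an added example that is not OpenBSD's slaacd or rad code: a generic Neighbor Discovery option walker that rejects a zero-length option before the length is used to advance through the buffer. The function name and the sample byte arrays are constructed for illustration; per RFC 4861 the option length field counts units of 8 octets, and a packet carrying a zero-length option must be discarded.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND_OPT_HDR_LEN 2    /* type (1 octet) + length (1 octet) */

/* Walk the ND options in buf[0..len). Returns the number of well-formed
 * options, or -1 if the packet must be discarded. (Hypothetical helper.) */
int nd_count_options(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;

    while (len - off >= ND_OPT_HDR_LEN) {
        /* Length is in units of 8 octets and includes the 2-octet header. */
        size_t optlen = (size_t)buf[off + 1] * 8;

        /* Without this check a zero length never moves off forward,
         * so the loop would re-read the same header indefinitely. */
        if (optlen == 0)
            return -1;
        /* The option claims more octets than the packet holds. */
        if (optlen > len - off)
            return -1;

        off += optlen;
        n++;
    }
    /* A trailing octet too short to be an option header is malformed. */
    return off == len ? n : -1;
}

/* Constructed sample inputs (option bytes only, no ICMPv6 header). */
static const uint8_t good_opts[] = {
    0x01, 0x01, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* source link-layer addr */
    0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x05, 0xdc   /* MTU 1500 */
};
static const uint8_t zero_len_opt[]  = { 0x01, 0x00, 0, 0, 0, 0, 0, 0 };
static const uint8_t truncated_opt[] = { 0x03, 0x04, 0x40, 0xc0, 0, 0, 0, 0 };

int main(void)
{
    printf("good:      %d\n", nd_count_options(good_opts, sizeof(good_opts)));
    printf("zero-len:  %d\n", nd_count_options(zero_len_opt, sizeof(zero_len_opt)));
    printf("truncated: %d\n", nd_count_options(truncated_opt, sizeof(truncated_opt)));
    return 0;
}
```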

Impact

Exploitation of this vulnerability leads to an infinite loop in the affected daemons, causing them to consume CPU resources without performing any useful work.

Reproduction

The vulnerability can be reproduced by sending an ICMPv6 Neighbor Discovery message with a zero-length option to a system running an affected version of OpenBSD. This can be done over the local network, targeting the slaacd or rad daemon.

Remediation

Users can address this vulnerability by applying the source code patch available in the OpenBSD 7.8 errata, which also provides the instructions for applying it.

Added: Apr 21, 2026, 12:28 AM
Updated: Apr 21, 2026, 12:28 AM

Vulnerability Rating

Custom Algorithm

spread: 2.6
impact: 0.6
exploitability: 5.9
remediation: 7.7
relevance: 6.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.