OpenBSD OpenBSD Makers of OpenBSD operating system, LibreSSL and OpenSSH

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any OpenBSD product.

RSS Feeds for OpenBSD security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in OpenBSD products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by OpenBSD Sorted by Most Security Vulnerabilities since 2018

OpenBSD OpenSSH55 vulnerabilities
SSH Server Implementation

OpenBSD47 vulnerabilities

OpenBSD LibreSSL6 vulnerabilities
Crypto Library

OpenBSD Opensmtpd1 vulnerability

Known Exploited OpenBSD Vulnerabilities

The following OpenBSD vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
OpenSMTPD Remote Code Execution Vulnerability smtp_mailaddr in smtp_session.c in OpenSMTPD, as used in OpenBSD and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session.
CVE-2020-7247 Exploit Probability: 94.1%
March 25, 2022

The vulnerability CVE-2020-7247: OpenSMTPD Remote Code Execution Vulnerability is in the top 1% of the currently known exploitable vulnerabilities.

By the Year

In 2025 there have been 3 vulnerabilities in OpenBSD with an average score of 5.5 out of ten. Last year, in 2024 OpenBSD had 4 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in OpenBSD in 2025 could surpass last years number. Last year, the average CVE base score was greater by 2.60




Year Vulnerabilities Average Score
2025 3 5.50
2024 4 8.10
2023 13 7.44
2022 3 6.23
2021 6 6.28
2020 5 8.16
2019 12 7.38
2018 6 5.95

It may take a day or so for new OpenBSD vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent OpenBSD Security Vulnerabilities

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating

CVE-2025-32728 3.8 - Low - April 10, 2025

In sshd in OpenSSH before 10.0, the DisableForwarding directive does not adhere to the documentation stating that it disables X11 and agent forwarding.

A flaw was found in the OpenSSH package

CVE-2025-26466 5.9 - Medium - February 28, 2025

A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.

Allocation of Resources Without Limits or Throttling

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled

CVE-2025-26465 6.8 - Medium - February 18, 2025

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high.

Detection of Error Condition Without Action

OpenBSD VMM GDTR Limits Restoration Vulnerability on Intel CPUs

CVE-2024-11149 - December 06, 2024

In OpenBSD 7.4 before errata 014, vmm(4) did not restore GDTR limits properly on Intel (VMX) CPUs.

OpenBSD NFS Client and Server Double Free and Uninitialized Variable Vulnerabilities

CVE-2024-10934 - November 15, 2024

In OpenBSD 7.5 before errata 008 and OpenBSD 7.4 before errata 021, avoid possible mbuf double free in NFS client and server implementation, do not use uninitialized variable in error handling of NFS server.

OpenSSH Race Condition leading to RCE, known as regreSSHion

CVE-2024-6387 8.1 - High - July 01, 2024

A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

Race Condition

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug

CVE-2024-29937 - April 11, 2024

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers to execute arbitrary code via a bug that is unrelated to memory corruption.

OpenSSH through 9.6, when common types of DRAM are used, might

CVE-2023-51767 7 - High - December 24, 2023

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

In ssh in OpenSSH before 9.6

CVE-2023-51385 6.5 - Medium - December 18, 2023

In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name.

Shell injection

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied

CVE-2023-51384 5.5 - Medium - December 18, 2023

In ssh-agent in OpenSSH before 9.6, certain destination constraints can be incompletely applied. When destination constraints are specified during addition of PKCS#11-hosted private keys, these constraints are only applied to the first key, even if a PKCS#11 token returns multiple keys.

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.