HeadlinesBriefing favicon HeadlinesBriefing.com

OpenBSD 7.9 Use-After-Free Enables Root Privilege Escalation

Hacker News •
×

A use-after-free vulnerability in OpenBSD 7.9 allows local users to escalate privileges to root. The flaw resides in sys/kern/sysv_sem.c within the sys_semget() function, triggered by a context switch use-after-free after a tsleep call. This class of bug, cataloged as CWE-416, occurs when kernel memory is freed but a pointer to it remains accessible during a process sleep-wake cycle, letting an attacker manipulate the dangling reference.

The vulnerability affects the System V semaphore implementation, a legacy IPC mechanism still present in the base system. Because semget() is accessible to unprivileged users, the attack surface is broad: any local account can invoke the syscall and race the kernel's internal state during the context switch. The bug does not require authentication beyond a valid shell, making it a practical escalation vector on multi-user installations.

The fix landed in commit 1957873d2063db11dab780eca75b5e629d1e838d, which adjusts the reference counting and locking around the semaphore structure to prevent the premature free. Administrators should apply the patch immediately or upgrade to a post-fix snapshot; no workaround exists short of disabling System V semaphores entirely, which may break legacy applications.

This flaw underscores how older IPC subsystems remain fertile ground for memory-safety bugs even in codebases renowned for proactive auditing. The combination of widespread accessibility and kernel-level impact makes it a high-priority patch for any exposed OpenBSD host.