UnratedPublic exploit

OpenBSD PPP PAP Authentication Bypass in sppp_pap_input

IdentifiersCVE-2026-55706CWE-287

CVE-2026-55706 is an authentication bypass vulnerability in OpenBSD’s PPP stack, specifically in the sppp_pap_input() function in sys/net/if_spppsubr.c. In affected versions prior to commit 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8, PAP credential validation uses bcmp() with comparison lengths derived directly from attacker-controlled fields in the incoming PAP frame. By supplying zero-length name and password values, both comparisons evaluate as equal, causing the system to accept authentication and send PAP_ACK without valid credentials. The same code path reportedly also contains a related heap over-read condition when an oversized name length causes bcmp() to read past the allocated buffer, but the primary tracked issue is the PAP authentication bypass.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to authenticate to the vulnerable OpenBSD PPP/PAP endpoint without knowing valid credentials. In PPPoE deployments, a rogue server on the same broadcast domain can abuse this to impersonate a legitimate PPPoE server, complete the authentication handshake, and position itself to receive or relay the victim’s traffic. This can enable unauthorized network access, traffic interception, and man-in-the-middle activity. The same vulnerable code path also reportedly exposes a kernel heap over-read condition, though the provided material primarily characterizes CVE-2026-55706 as an authentication bypass.

Mitigation

If you can’t patch tonight, do this now.

Until patched, reduce exposure of PAP-authenticated PPP/PPPoE services to untrusted or shared Layer 2 environments, especially broadcast domains where a rogue PPPoE server could be introduced. Restrict or disable PAP where operationally possible, prefer stronger authentication mechanisms that are not affected by this code path, and monitor for unexpected PPPoE peers or anomalous PAP authentication success events. These are compensating controls only; patching is the definitive mitigation.

Remediation

Patch, then assume compromise.

Update OpenBSD to a version that includes commit 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8 or later. The fix adds exact-length checks before credential comparisons in sppp_pap_input(), preventing zero-length comparisons from succeeding and closing the related heap over-read condition in the same path.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

OpenbsdOpenbsdoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

security online infoNews

Jun 19, 2026

OpenBSD Authentication Bypass: PoC Exploit Disclosed

An OpenBSD PAP authentication bypass in sppp_pap_input() within the PPP/PPPoE stack that allows authentication with empty credentials due to attacker-controlled comparison lengths; the same root cause also enables a kernel heap over-read.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-55706

NVD

nvd.nist.gov/vuln/detail/CVE-2026-55706

MITRE CWE · CWE-287

cwe.mitre.org