• Category: Security
  • Status: confirmed
  • Sources: NVD, HN discussion
  • Summary: CVE-2026-57589 is a use-after-free in sys/kern/sysv_sem.c in OpenBSD through 7.9 that allows local privilege escalation to root. NVD describes it as a context-switch use-after-free after tsleep in sys_semget(). It carries CVSS 7.4 with vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, so it needs local access and has high attack complexity but no prior privileges, and is classified CWE-416. NVD published the record on 2026-06-24 and references fix commit 1957873d2063 without naming a patched release. The thread reached the Hacker News front page on 2026-07-08. No active exploitation is reported.
  • Why it matters: It is a local-root path in the base OpenBSD kernel, extending this week's run of privilege-escalation disclosures beyond Linux, so administrators of multi-user OpenBSD hosts should track the errata.

Send feedback on this story