SNMPD-001 — OpenBSD snmpd / libagentx: uint32 overflow in ax_pdutostring() padding guard allows AgentX crash
Integer overflow in an AgentX bounds check — introduced and corrected entirely within the OpenBSD development tree.
Independent Security Research — Whitby, North Yorkshire, United Kingdom
1. Summary
A uint32 integer overflow in the padding-length guard of ax_pdutostring() in both usr.sbin/snmpd/ax.c and lib/libagentx/ax.c allowed a crafted AgentX octet-string with aos_slen = 0xFFFFFFFF to bypass a bounds check and crash the process. The bug was introduced on 2026-05-07 as an incomplete prior fix and corrected on 2026-05-21.
2. Technical detail
Files: usr.sbin/snmpd/ax.c, lib/libagentx/ax.c. Function: ax_pdutostring().
Commit 5105a7b (2026-05-07) changed the bounds check to account for AlignedOctetString padding:
    if (((ostring->aos_slen + 3) & ~3U) > rawlen)
When aos_slen = 0xFFFFFFFF (max uint32):
    (0xFFFFFFFF + 3) wraps to 0x00000002
    (0x00000002 & ~3U) = 0x00000000
    0 > rawlen → false for any non-negative rawlen
The guard passes despite the attacker supplying the maximum possible length, allowing subsequent processing to read or write out-of-bounds.
Commit 19a7e1e (2026-05-21) replaces this with overflow-safe arithmetic:
    if (rawlen < ostring->aos_slen ||
        rawlen - ostring->aos_slen < padding)
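This form uses subtraction rather than addition, and the first comparison guarantees that rawlen is at least aos_slen before the subtraction is evaluated, so no wrap is possible.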
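The two guards side by side, as an added example that is not code from the OpenBSD tree. It goes beyond the single value above by scanning the top of the uint32 range for every length the old guard accepts and the new one rejects. The type of rawlen, the padding formula and the helper names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Guard as quoted from commit 5105a7b; nonzero means "reject".
 * Assumes rawlen is a size_t and unsigned int is 32 bits wide. */
static int guard_5105a7b(uint32_t aos_slen, size_t rawlen)
{
	return ((aos_slen + 3) & ~3U) > rawlen;
}

/* Guard as quoted from commit 19a7e1e. The padding formula is an
 * assumption: bytes needed to reach the next 4-byte boundary. */
static int guard_19a7e1e(uint32_t aos_slen, size_t rawlen)
{
	size_t padding = (4 - (aos_slen % 4)) % 4;
	return rawlen < aos_slen || rawlen - aos_slen < padding;
}

/* Smallest length among the top 16 uint32 values that the old guard
 * accepts and the new guard rejects; 0 if there is none. */
static uint32_t smallest_bypass(size_t rawlen)
{
	uint32_t len = UINT32_MAX, found = 0;
	for (int i = 0; i < 16; i++, len--)
		if (!guard_5105a7b(len, rawlen) && guard_19a7e1e(len, rawlen))
			found = len;
	return found;
}

/* Count (aos_slen, rawlen) pairs in 0..64 where the two guards differ. */
static int small_disagreements(void)
{
	int n = 0;
	for (uint32_t len = 0; len <= 64; len++)
		for (size_t raw = 0; raw <= 64; raw++)
			n += guard_5105a7b(len, raw) != guard_19a7e1e(len, raw);
	return n;
}

int main(void)
{
	printf("old guard rejects 0xFFFFFFFF: %d\n", guard_5105a7b(UINT32_MAX, 16));
	printf("new guard rejects 0xFFFFFFFF: %d\n", guard_19a7e1e(UINT32_MAX, 16));
	printf("smallest bypassing length: %#x\n", (unsigned)smallest_bypass(16));
	printf("disagreements for small lengths: %d\n", small_disagreements());
	return 0;
}
```

The guards agree on every small length; they differ only for the three lengths where the addition of 3 wraps past the top of the uint32 range.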
Exploitability is limited: the AgentX socket must be enabled and the attacker must have permission to connect (typically only admin-granted local users). Remote exploitation is not possible in standard configurations.
3. Affected versions
- OpenBSD -current only, between 2026-05-07 and 2026-05-21.
- No OpenBSD release (7.8 or earlier) ever shipped the vulnerable code.
- The bug was introduced and corrected entirely within the development tree.
4. Fix
Fixed in OpenBSD -current, commit 19a7e1e, by Martijn van Duren (martijn@), 2026-05-21. Approved by deraadt@ and mvs@.
github.com/openbsd/src/commit/19a7e1e
5. Timeline
| Date | Event |
|---|---|
| 2026-05-07 | Overflow introduced in -current by commit 5105a7b (incomplete prior fix). |
| 2026-05-18 | Reported to bugs@openbsd.org by Stuart Thomas. |
| 2026-05-21 | Fixed independently in -current by Martijn van Duren. |
| 2026-05-21 | This disclosure published. |
6. Credit
Found independently by Stuart Thomas during a source-code audit of OpenBSD network daemons. Fixed independently by Martijn van Duren on the same day.
Legal note
This disclosure is published under the Defamation Act 2013 facts-and-opinion convention. Statements of fact — commit hashes, dates, vendor responses, code excerpts — are accurate to the best of the author’s knowledge and are evidenced by the OpenBSD CVS commit log, the public bugs@openbsd.org mailing-list archive, and the author’s contemporaneous correspondence with the OpenBSD project. Where any fact has been described inaccurately, the author will correct it; please email stuartpaulthomas@gmail.com.
The OpenBSD project is named as the publicly-accountable maintainer of the affected software. Individual developers (Claudio Jeker, Martijn van Duren, Theo de Raadt and others) are named only in their public capacity as committers and maintainers, and only in connection with their own public commits. They are characterised, where mentioned, as professional and prompt; this is the author’s honest experience of them.
The research was conducted on hardware owned by the author. No third-party systems were accessed in the course of the research. The work was performed within the scope permitted by the Computer Misuse Act 1990 (England and Wales) own-hardware exemption.
Coordinated disclosure of vulnerabilities in network-facing software is a matter of legitimate public interest under s.4 of the Defamation Act 2013. This disclosure is published in good faith on that basis.