The OpenBSD project has published a fix for a vulnerability (CVE-2026-57589) in the kernel affecting the implementation of system calls for working with System V semaphores (sem). The problem is caused by accessing already freed memory in the sys_semget() function and can be exploited to gain root privileges by an unprivileged local user in the default configuration.
A fix has been added to the OpenBSD-current codebase enabled May 23, but patches for already released releases publishedjust today. The error was present in the code for 23 years and was identified as part of the Patch the Planet initiative to check open projects with OpenAI AI models.
In addition to the noted problem several fixes have been published that are not marked as fixing vulnerabilities, but, judging by the description, may be related to security: insufficient input validationin IPsec and IPComp code; double free in NFS server; memory corruption in the code for working with locks in the pinsyscall and kbind functions.