- CVE: CVE-2026-55706
- CVSS: 5.8 (Medium)
- Product: OpenBSD
- Affected: < 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8
- Impact: Authentication Bypass
- Status: No confirmed exploitation yet
- Patched in: 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8
- EPSS: 0.2% (30-day)
- Action: Update to 076e2b1c1fc4ac0883a72d3544131ad5cee7adf8 now
A one-line bug that survived 27 years
Researchers at Argus have publicly disclosed an OpenBSD authentication bypass that sat unnoticed in the operating system for 27 years. Tracked as CVE-2026-55706, the flaw lets an attacker defeat PAP login on OpenBSD’s PPP stack without knowing a single credential. Crucially, the team released both the full technical details and a working proof-of-concept exploit.
The bug lives in the sppp_pap_input() function inside OpenBSD’s sppp(4) subsystem. This code handles synchronous PPP links, which underpin PPPoE connectivity.
How the OpenBSD authentication bypass works
The flaw is almost absurdly simple. When OpenBSD acts as a PAP authenticator, it compares the peer’s name and password using bcmp. However, the comparison length comes straight from the incoming PAP frame, so an attacker controls it.
Because bcmp returns 0 whenever the length is zero, supplying empty name and password fields makes both checks pass. As a result, the failure branch never runs, and OpenBSD replies with a PAP_ACK. Authentication then completes with no credentials at all.
A second issue shares the same root cause. Supplying an oversized name length pushes bcmp past the allocated buffer, which leaks adjacent kernel heap memory.
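To make the comparison defect concrete, here is an added C illustration (not OpenBSD's sppp code and not the Argus proof-of-concept): a length-controlled comparison of the kind the article describes, next to the exact-length form the fix adds. The configured credential ("peer"/"s3cret"), the sample PAP payloads, and the function names pap_parse, pap_check_vulnerable and pap_check_fixed are constructed for this example. The parser bounds-checks the length fields in both variants so the example stays memory-safe; only the length-controlled comparison is reproduced.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the authenticator's configured peer credentials
 * (hypothetical values, not OpenBSD's sppp structures). */
struct pap_auth {
    const uint8_t *name;
    size_t         name_len;
    const uint8_t *secret;
    size_t         secret_len;
};

static const uint8_t CONF_NAME[]   = "peer";    /* 4 bytes, NUL not counted */
static const uint8_t CONF_SECRET[] = "s3cret";  /* 6 bytes, NUL not counted */
static const struct pap_auth CONF  = { CONF_NAME, 4, CONF_SECRET, 6 };

/* Constructed PAP Authenticate-Request payloads: <name_len><name><pw_len><pw>. */
const uint8_t FRAME_EMPTY[]    = { 0x00, 0x00 };                /* empty name, empty password */
const uint8_t FRAME_VALID[]    = { 4, 'p','e','e','r', 6, 's','3','c','r','e','t' };
const uint8_t FRAME_BADPW[]    = { 4, 'p','e','e','r', 6, 'x','x','x','x','x','x' };
const uint8_t FRAME_OVERSIZE[] = { 0xff, 'a' };                 /* claims a 255-byte name in a 2-byte frame */

/* Split the payload into name and password. Length fields that run past the
 * frame are rejected, so no comparison below reads beyond the peer's data. */
static bool pap_parse(const uint8_t *frame, size_t frame_len,
                      const uint8_t **name, size_t *name_len,
                      const uint8_t **pw, size_t *pw_len)
{
    size_t off = 0;

    if (frame_len < 1)
        return false;
    *name_len = frame[off++];
    if (frame_len - off < *name_len)
        return false;
    *name = frame + off;
    off += *name_len;

    if (frame_len - off < 1)
        return false;
    *pw_len = frame[off++];
    if (frame_len - off < *pw_len)
        return false;
    *pw = frame + off;
    return true;
}

/* The pattern the article describes: the comparison length is whatever the
 * peer sent. With name_len == pw_len == 0 both memcmp calls return 0 and the
 * request is ACKed with no credential at all. (A name_len larger than the
 * configured length would also read past CONF_NAME; the sample frames above
 * never do that.) */
bool pap_check_vulnerable(const uint8_t *frame, size_t frame_len)
{
    const uint8_t *name, *pw;
    size_t name_len, pw_len;

    if (!pap_parse(frame, frame_len, &name, &name_len, &pw, &pw_len))
        return false;
    if (memcmp(CONF.name, name, name_len) != 0 ||
        memcmp(CONF.secret, pw, pw_len) != 0)
        return false;            /* PAP_NAK */
    return true;                 /* PAP_ACK */
}

/* Hardened form, mirroring the exact-length check the fix adds: a field must be
 * exactly as long as the configured value before its bytes are compared, so an
 * empty field cannot match and memcmp never reads beyond the configured length. */
bool pap_check_fixed(const uint8_t *frame, size_t frame_len)
{
    const uint8_t *name, *pw;
    size_t name_len, pw_len;

    if (!pap_parse(frame, frame_len, &name, &name_len, &pw, &pw_len))
        return false;
    if (name_len != CONF.name_len ||
        memcmp(CONF.name, name, name_len) != 0 ||
        pw_len != CONF.secret_len ||
        memcmp(CONF.secret, pw, pw_len) != 0)
        return false;            /* PAP_NAK */
    return true;                 /* PAP_ACK */
}

int main(void)
{
    printf("empty fields: vulnerable=%s fixed=%s\n",
           pap_check_vulnerable(FRAME_EMPTY, sizeof FRAME_EMPTY) ? "ACK" : "NAK",
           pap_check_fixed(FRAME_EMPTY, sizeof FRAME_EMPTY) ? "ACK" : "NAK");
    printf("valid creds:  vulnerable=%s fixed=%s\n",
           pap_check_vulnerable(FRAME_VALID, sizeof FRAME_VALID) ? "ACK" : "NAK",
           pap_check_fixed(FRAME_VALID, sizeof FRAME_VALID) ? "ACK" : "NAK");
    return 0;
}
```

Run as-is, the vulnerable variant ACKs the empty request while the fixed one NAKs it, and both still accept the correct credential; the oversized-length frame is dropped by the parser before either comparison runs.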
Reachable over PPPoE, no credentials needed
Both bugs sit on the PPPoE data path. Therefore, an attacker running a rogue PPPoE server in the same broadcast domain can impersonate a legitimate server. Once the handshake completes, OpenBSD routes the victim’s traffic through the attacker’s endpoint, enabling interception or a man-in-the-middle position.
The attack vector is network-adjacent rather than internet-wide. For that reason, MITRE rates CVE-2026-55706 at 5.8 (medium). Even so, the impact is serious wherever PPPoE authentication runs on untrusted Layer 2 segments.
Details and PoC exploit now public
The researchers verified the attack against OpenBSD 7.6 (amd64) in QEMU/KVM. You can read the full 27-year breakdown of the OpenBSD authentication bypass on the Argus blog. Additionally, the team published the proof-of-concept exploit script that completes the handshake and triggers a PAP_ACK with empty fields.
The vulnerable pattern dates back to a July 1999 import from FreeBSD. A 2009 change that moved credentials to dynamic allocation later introduced the heap over-read. Interestingly, the CHAP handler in the same file always used the correct exact-length check. The PAP handler simply never got the same fix.
What to do now
OpenBSD developer mvs committed a fix on June 14, 2026, just two days after responsible disclosure. The patch adds exact-length checks before each comparison, which closes both the bypass and the over-read at once.
Administrators should update to a patched OpenBSD build promptly. Meanwhile, teams that rely on PAP over PPPoE should treat their Layer 2 segments as untrusted and watch for rogue access concentrators.