On January 14, 2026, the OpenBSD project published errata 012 for OpenBSD 7.8, fixing two denial-of-service (DoS) vulnerabilities in rpki-client, OpenBSD’s official tool for validating the origin of BGP routes through the Resource Public Key Infrastructure (RPKI).
What rpki-client is and why it matters
rpki-client is an RPKI validator that downloads and verifies the certificates and signed objects published by the Regional Internet Registries (RIRs) and by the various Certification Authorities (CAs). From that data it produces the Route Origin Authorization (ROA) assertions that routers use to decide whether to accept or reject BGP announcements. It is a key component in deploying RPKI Route Origin Validation, one of the most widely used defenses against route hijacking (BGP hijacking) and accidental or malicious prefix announcements.
Because rpki-client processes remote data originating from third parties (any CA within the RPKI hierarchy), its robustness against hostile input is essential: a flaw in the validator can leave an operator without up-to-date validation data.
The two vulnerabilities
Errata 012 describes two distinct issues, both of a denial-of-service nature:
- NULL pointer dereference triggered by a malicious RPKI CA. A Certification Authority within the RPKI hierarchy can publish crafted objects that, when processed by rpki-client, trigger a NULL pointer dereference and the resulting crash of the validation process.
- Memory exhaustion triggered by a malicious RPKI Trust Anchor. A malicious Trust Anchor can cause rpki-client to consume memory in an uncontrolled way, exhausting system resources and again halting validation.
In both cases the impact is interruption of the RPKI validation service, not code execution or information disclosure. The practical risk is that an operator stops receiving reliable validation data, which can degrade the protection of their BGP policy against invalid announcements.
Who is affected and severity
The issue affects OpenBSD 7.8 systems running rpki-client. The severity is medium: these are availability bugs exploitable by malicious participants in the RPKI ecosystem, without compromising the confidentiality or integrity of the system. No CVE identifier has been published for this errata.
These same bugs were also fixed in rpki-client 9.7, distributed in portable form for other operating systems that use the tool outside OpenBSD.
Mitigation and patch
The recommendation is to apply errata 012 through OpenBSD’s usual patching mechanism. On systems where syspatch is available:
syspatch
Those who build from source should apply the official patch published on the errata page and recompile rpki-client. Users of the portable version should update to rpki-client 9.7 or later. After applying the patch, restart the validation process to make sure the fixed binary is running.
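As an added example (not from the errata page or the rpki-client project), a small POSIX shell check an operator can run after patching to confirm the fixed code is in place: it looks for the errata in the installed syspatch list and, for portable installs, parses the version string. It assumes `rpki-client -V` prints a line of the form "rpki-client <major>.<minor>" and that `syspatch -l` lists installed patches one per line, each starting with its errata number.

```shell
#!/bin/sh
# Added example, not part of the OpenBSD errata or rpki-client itself.
# Fixed versions: OpenBSD 7.8 with errata 012, or portable rpki-client >= 9.7.
FIXED_MAJOR=9
FIXED_MINOR=7

# version_is_fixed "rpki-client 9.7"
#   returns 0 if the parsed version is >= 9.7, 1 if older, 2 if unparseable.
#   Assumes the output format "rpki-client <major>.<minor>[...]".
version_is_fixed() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^rpki-client \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                                   # $1=major $2=minor
    [ "$1" -gt "$FIXED_MAJOR" ] && return 0
    [ "$1" -eq "$FIXED_MAJOR" ] && [ "$2" -ge "$FIXED_MINOR" ] && return 0
    return 1
}

# errata_installed "<syspatch -l output>" 012
#   returns 0 if a patch whose name starts with "012_" is listed.
#   Assumes syspatch names begin with the three-digit errata number.
errata_installed() {
    printf '%s\n' "$1" | grep -q "^$2_"
}

# check_host: combined check for a live system; portable installs only
# have the version test, OpenBSD systems try the syspatch list first.
check_host() {
    if command -v syspatch >/dev/null 2>&1 &&
       errata_installed "$(syspatch -l 2>/dev/null)" 012; then
        echo "errata 012 installed"; return 0
    fi
    if version_is_fixed "$(rpki-client -V 2>&1)"; then
        echo "rpki-client is 9.7 or later"; return 0
    fi
    echo "rpki-client needs updating (errata 012 / 9.7)"; return 1
}
```

Run `check_host` on the validator host after patching and restarting; a non-zero exit means the old binary is still in use or the patch was not applied.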
If you are interested in the security of BSD systems, you can check the OpenBSD page to learn about its security-by-default model.