
OpenBSD patches iked(8): out-of-bounds read and NULL pointer dereference in IKEv2

On April 4, 2026 the OpenBSD project shipped errata 027 (errata 033 on the 7.7 branch) flagged as a SECURITY FIX. The patch touches iked(8), the daemon that handles IKEv2 negotiations to bring up and maintain IPsec tunnels. The official wording is short: it adds stricter checks to avoid an out-of-bounds read, a NULL pointer dereference, and to keep the state machine consistent.

What goes wrong

iked processes IKEv2 protocol messages that arrive over the network during security association negotiation. When the daemon parses those messages without fully validating their contents, a hand-crafted packet can push it into reading past the allocated buffer (an out-of-bounds read) or into following a pointer that is NULL. The first leaks memory that should stay private; the second crashes the process.

The third item the errata mentions, keeping the state machine consistent, points to messages arriving in an unexpected order or in an unexpected state and leaving iked in a condition it was never designed to reach; that inconsistent state is the ground from which both memory bugs grow.

Who is affected

Any OpenBSD 7.7 or 7.8 system running iked for IPsec. That covers OpenBSD-based routers, firewalls and VPN gateways, a common role for the platform. If your install never starts iked, this particular path does not expose you.

The vector is the network: iked listens for IKEv2 traffic (UDP 500 and 4500). An attacker who can send packets to the daemon may try to trigger the flaw without prior authentication, since these defects sit early in the message processing path.

Severity

OpenBSD rated the entry internally as medium severity and assigned no CVE. The demonstrated impact is denial of service (iked crashing on the NULL pointer dereference) and exposure of process memory through the out-of-bounds read. There is no evidence of code execution from these bugs, but a crashing VPN daemon cuts off tunnels for anyone who depends on it, and the out-of-bounds read can reveal sensitive material from ongoing negotiations.

Mitigation

The fix is to apply the errata. On OpenBSD the standard route is syspatch, which downloads and installs the binary patch:

syspatch

After installing it, restart the daemon so it loads the corrected code:

rcctl restart iked

If you build from source, apply the published patch from the errata page and recompile iked. Until you can patch, using pf to restrict which sources may send IKEv2 traffic to the daemon shrinks the attack surface, though it does not replace the fix.
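The pf restriction described above, as an added example that is not part of the article or of OpenBSD's errata: the interface name and the peer addresses are placeholders, and the approach only suits gateways whose remote peers have known, static addresses (roaming clients behind NAT would be locked out).

```pf
# Constructed pf.conf fragment: limit who may reach iked's IKEv2 ports
# (UDP 500 for IKE, UDP 4500 for NAT-T) until the errata is installed.
# "em0" and the addresses below are placeholders for your own values.
ext_if = "em0"

# Only these remote gateways are allowed to negotiate with this host.
# Keep the list in sync with the peers configured in iked.conf.
table <ike_peers> const { 203.0.113.10, 198.51.100.0/24 }

# Known peers may reach the daemon; everyone else is dropped and logged,
# so unexpected IKEv2 probes show up in pflog for review.
pass in quick on $ext_if proto udp from <ike_peers> \
    to ($ext_if) port { 500, 4500 }
block in log quick on $ext_if proto udp \
    to ($ext_if) port { 500, 4500 }
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf, and confirm the table contents with pfctl -t ike_peers -T show.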

To stay current with OpenBSD security fixes, check the OpenBSD page and follow the official errata list.
