CVE-2025-30334
📋 TL;DR
A vulnerability in OpenBSD's wg(4) WireGuard implementation allows specially crafted network traffic to cause a kernel crash (denial of service). This affects OpenBSD 7.5 and 7.6 systems using WireGuard interfaces before specific errata patches were applied.
💻 Affected Systems
- OpenBSD
📦 What is this software?
OpenBSD by OpenBSD
⚠️ Risk & Real-World Impact
Worst Case
Complete system crash requiring reboot, disrupting all services on affected OpenBSD systems.
Likely Case
Denial of service affecting WireGuard connectivity and potentially other network services on the system.
If Mitigated
Minimal impact if patches are applied or WireGuard interfaces are not in use.
🎯 Exploit Status
Exploitation requires sending malicious traffic to WireGuard interfaces; patch analysis suggests a buffer calculation issue.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenBSD 7.5 errata 015, OpenBSD 7.6 errata 006
Vendor Advisory: https://ftp.openbsd.org/pub/OpenBSD/patches/
Restart Required: Yes
Instructions:
1. Download the appropriate patch from the OpenBSD patches directory.
2. Apply the patch using the 'patch' command.
3. Rebuild and install the kernel.
4. Reboot the system.
🔧 Temporary Workarounds
Disable WireGuard interfaces
Temporarily disable wg(4) interfaces to prevent exploitation.
ifconfig wg0 down
ifconfig wg0 destroy
Restrict WireGuard traffic
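Use firewall rules to limit traffic to WireGuard interfaces.
# Shell command (run as root): add the trusted network to the pf table
pfctl -t trusted_wg -T add 192.168.1.0/24
# /etc/pf.conf rule, not a shell command: pair it with a block rule on wg0 (pf passes unmatched traffic by default), then reload with 'pfctl -f /etc/pf.conf'
pass in on wg0 from <trusted_wg>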
🧯 If You Can't Patch
- Implement strict firewall rules to limit WireGuard traffic to trusted sources only.
- Monitor WireGuard interfaces for unusual traffic patterns and implement rate limiting.
🔍 How to Verify
Check if Vulnerable:
Check the OpenBSD version and errata level with 'sysctl kern.version' and verify whether it is below the patched versions.
Check Version:
sysctl kern.version
Verify Fix Applied:
Verify kernel version includes errata patches: 'sysctl kern.version' should show 7.5-errata015 or 7.6-errata006.
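Added example (not from the advisory or the OpenBSD project): a POSIX sh check that maps the release to the errata number given above and looks for that number in a patch list in the format printed by syspatch(8) with -l. The function names and the sample patch names are assumptions. A kernel patched from source, as in the instructions above, does not appear in that list.

```sh
#!/bin/sh
# Decide whether a host still needs the wg(4) errata named on this page.
# Release and patch list are passed as arguments so the logic can be
# exercised offline; function names are hypothetical.

# required_erratum RELEASE
# Prints the errata number this page gives for RELEASE; fails for any
# release the page does not list.
required_erratum() {
    case "$1" in
        7.5) echo 015 ;;
        7.6) echo 006 ;;
        *)   return 1 ;;
    esac
}

# wg_errata_status RELEASE PATCH_LIST
# PATCH_LIST is text as printed by `syspatch -l`: one NNN_name per line
# (for example "006_example", a constructed name).
# Prints one of: patched | missing | not-listed
wg_errata_status() {
    release=$1
    patches=$2
    need=$(required_erratum "$release") || { echo not-listed; return 0; }
    # Match only the numeric prefix at the start of a line, so the check
    # does not depend on the patch's name.
    if printf '%s\n' "$patches" | grep -q "^${need}_"; then
        echo patched
    else
        echo missing
    fi
}

# On a live OpenBSD host, report the status for the running release.
if [ "$(uname -s)" = OpenBSD ]; then
    wg_errata_status "$(uname -r)" "$(syspatch -l 2>/dev/null)"
fi
```

A result of "missing" on a host whose kernel was rebuilt from the source patch means only that no binary patch is recorded, so confirm such hosts by their build records instead.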
📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages in /var/log/messages
- WireGuard interface errors in system logs
Network Indicators:
- Unusual traffic patterns to WireGuard ports
- Sudden loss of WireGuard connectivity
SIEM Query:
source="kernel" AND ("panic" OR "wg")