OpenBSD TCP SACK 27-Year Bug
- Entity ID:
ent-20260419-g1a0000000a2 - Type:
issue - Scope:
shared - Status:
active - Aliases: OpenBSD TCP SACK DoS, Errata #025, 27-year-old OpenBSD bug
Description
Denial-of-service vulnerability in OpenBSD's TCP SACK implementation present since 1999 (27 years). Autonomously discovered by Claude Mythos Preview across ~1,000 scaffold runs at total compute cost under $20,000. Allows remote attacker to crash any OpenBSD host responding over TCP. Patched in OpenBSD 7.8 Errata #025 on March 25, 2026 - six days before the npm source leak.
Key claims
- Mythos finds OS-wide vulnerabilities for under $20,000 per sweep
- OpenBSD patched the 27-year TCP SACK bug six days before the npm leak
Relations
- OpenBSD TCP SACK 27-Year Bug --[derived_from]--> Claude Mythos Preview