A 27-Year-Old Authentication Bypass in OpenBSD's PPP Stack
Summary
An OpenBSD vulnerability in the sppp PAP authentication path allows zero-length credentials to be accepted due to attacker-controlled lengths passed to bcmp, causing a 27-year bypass. The flaw originated in 1999 and went unfixed until a June 2026 commit; PoC demonstrates that a rogue PPPoE server can authenticate without real credentials and hijack traffic. The article documents the bug, its historical fixes, and the patch details with the commit link.