
OpenBSD patches a use-after-free in httpd(8) with chunked encoding (errata 013)

On February 2, 2026, the OpenBSD project published a security errata that fixes a use-after-free in the base-system web server, httpd(8). The fix shipped as errata 013 for the 7.8 branch, and the still-supported 7.7 release is affected as well.

What httpd(8) is and where it runs

httpd(8) is the lightweight web server that ships with the OpenBSD base system. It follows the project's philosophy: a small, audited code base that runs chrooted (by default under /var/www) with privilege separation, so the processes that parse client input do not run with the parent's privileges. People run it to serve static sites, to hand dynamic requests to FastCGI backends, or to host simple applications wherever simplicity and robustness matter more than feature count. Because it comes with the base system, many OpenBSD installations rely on it without installing any third-party software.

What the vulnerability is

The flaw is a use-after-free: httpd(8) reaches into a region of memory that has already been freed. The condition is triggered while processing HTTP requests that use chunked transfer encoding, the HTTP/1.1 mechanism that lets a body travel as a sequence of chunks, each prefixed with its length in hexadecimal and terminated by a zero-length chunk, so the sender does not need to know the total length in advance.

Use-after-free bugs belong to the family of memory-management flaws (CWE-416). Depending on what the allocator hands out in place of the freed region, the outcome ranges from memory corruption and a service crash (denial of service) to attacker-influenced process behaviour. OpenBSD's official advisory describes the fix tersely, "Fix a use-after-free in httpd(8) when using chunked encoding", in keeping with the project's habit of withholding details that could ease exploitation before users patch.
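To make the wire format concrete, the following is an added example written for this article, not code from OpenBSD httpd(8), and it does not reproduce the patched bug (which the advisory does not describe). It decodes a chunked HTTP/1.1 body, including a chunk extension and a trailer field, and rejects truncated or malformed input. The sample body it runs on is constructed. The ownership rule it follows is the one that keeps a decoder clear of dangling references: the caller owns both buffers, the decoder writes only into the output buffer and retains no pointer to either after returning.

```c
/* Decoder for an HTTP/1.1 chunked transfer-encoded body (RFC 9112, section 7.1).
 * Added example: not code from OpenBSD httpd(8); it shows the wire format and
 * a caller-owns-the-buffers design, not the patched bug. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode `inlen` bytes of chunked body from `in` into `out` (capacity `outcap`).
 * Returns the number of body bytes written, or -1 if the body is malformed,
 * truncated, or larger than `outcap`. */
long decode_chunked(const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t outcap)
{
    size_t pos = 0, written = 0;

    for (;;) {
        /* chunk-size is 1*HEXDIG, optionally followed by ";ext" before CRLF */
        uint64_t size = 0;
        size_t ndigits = 0;
        while (pos < inlen && isxdigit(in[pos])) {
            int c = tolower(in[pos]);
            if (size > (UINT64_MAX >> 4))          /* next digit would overflow */
                return -1;
            size = (size << 4) | (uint64_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
            pos++;
            ndigits++;
        }
        if (ndigits == 0)                          /* no size field at all */
            return -1;
        while (pos < inlen && in[pos] != '\r')     /* skip chunk extensions */
            pos++;
        if (pos + 2 > inlen || in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;
        pos += 2;

        if (size == 0) {
            /* last-chunk: optional trailer fields, then an empty line */
            while (!(pos + 2 <= inlen && in[pos] == '\r' && in[pos + 1] == '\n')) {
                const unsigned char *eol = memchr(in + pos, '\n', inlen - pos);
                if (eol == NULL)                   /* trailer section cut off */
                    return -1;
                pos = (size_t)(eol - in) + 1;
            }
            return (long)written;
        }

        if (size > inlen - pos)                    /* chunk-data truncated */
            return -1;
        if (size > outcap - written)               /* caller's buffer too small */
            return -1;
        memcpy(out + written, in + pos, (size_t)size);
        written += (size_t)size;
        pos += (size_t)size;
        if (pos + 2 > inlen || in[pos] != '\r' || in[pos + 1] != '\n')
            return -1;                             /* chunk-data must end in CRLF */
        pos += 2;
    }
}

/* Convenience wrapper for NUL-terminated wire samples. */
long decode_chunked_str(const char *wire, unsigned char *out, size_t outcap)
{
    return decode_chunked((const unsigned char *)wire, strlen(wire), out, outcap);
}

/* 1 if `wire` decodes exactly to `expected`, else 0. */
int decodes_to(const char *wire, const char *expected)
{
    unsigned char out[256];
    long n = decode_chunked_str(wire, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) &&
           memcmp(out, expected, (size_t)n) == 0;
}

/* 1 if the decoder rejects `wire` when given `outcap` bytes of output space. */
int rejects(const char *wire, size_t outcap)
{
    unsigned char out[256];
    if (outcap > sizeof out)
        outcap = sizeof out;
    return decode_chunked_str(wire, out, outcap) < 0;
}

int main(void)
{
    /* Constructed sample body: two chunks, a chunk extension and a trailer field. */
    const char *wire = "5;foo=bar\r\nhello\r\n6\r\n world\r\n0\r\nX-Trailer: 1\r\n\r\n";
    unsigned char out[256];
    long n = decode_chunked_str(wire, out, sizeof out);
    if (n < 0) {
        puts("malformed body");
        return 1;
    }
    printf("%ld bytes: %.*s\n", n, (int)n, out);
    return 0;
}
```

The rejection paths are the ones worth reading: a chunk whose declared size runs past the end of the input, a missing zero-length terminator, a chunk not followed by CRLF, and a hexadecimal size that would overflow are all refused before any copy happens, and the decoder never keeps state that could outlive the buffers it was handed.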

Who is affected and severity

This affects OpenBSD 7.7 and 7.8 installations that run httpd(8) and accept requests from untrusted clients. Chunked transfer encoding is chosen by the client, not the server, so any reachable httpd(8) instance can be sent a chunked request body; treat every instance exposed to the Internet or to an untrusted network as affected until the patch is applied.

OpenBSD assigned no CVE identifier to this errata and published no CVSS score, which is usual for its errata workflow. Treat the severity as high: it is a memory-management flaw in a network service that is normally Internet-facing, even though the advisory neither confirms active exploitation nor states whether code execution is feasible.

Mitigation and patch

The fix is delivered through syspatch(8), OpenBSD's binary patching tool. As the administrator, run:

syspatch

and restart httpd(8) (rcctl restart httpd) so the running service picks up the corrected binary; syspatch -l lists the patches installed, which lets you confirm that errata 013 is present. If you prefer, the project publishes the patch as a unified source diff signed with signify(1), which you can apply and rebuild by hand. Errata 013 covers all supported architectures (including amd64, arm64 and i386).

While you patch, limit the service's exposure where you can and confirm that httpd(8) still runs with its default chroot and privilege separation: these are the structural protections the project keeps precisely to contain the impact of flaws of this kind. To understand the project's security approach, read OpenBSD: a culture of security.
