Sorry for jumping the gun.
I asked Claude (Sonnet 4.6) about the Mythos OpenBSD vulnerability. I was curious whether there were any similar SACK bugs found previously which may have helped lead the AI to this one.
CVE-2019-11477, 78 and 79 turned up in my search, so I asked Claude how those compared to the OpenBSD problem. It explained that they were Linux kernel TCP SACK overflow problems and how the overflow mechanism differed from the Mythos bug. I then asked Claude if there were any more closely related CVEs. It found CVE-2019-8460 and responded (below). The second to the last paragraph--the penultimate--is the one that struck me. Human security researchers had already looked at this piece of code, fixed one issue, but left the other! I thought it was pretty cool.
This is a great find buried in the research — there's actually a directly relevant predecessor that's worth highlighting carefully.
The Closest Historical Parallel: CVE-2019-8460
Here's the interesting twist: OpenBSD's own SACK implementation was already the subject of a security vulnerability just six years ago — and it was found in the same tcp_sack_option() function, by Check Point Research, in the direct aftermath of the 2019 Linux SACK Panic disclosures.
CVE-2019-8460 was discovered by Reuven Plevinsky and Tal Vainshtein of Check Point, who found that the OpenBSD kernel (all versions including 6.5) could be forced to create long chains of TCP SACK holes, causing very expensive calls to tcp_sack_option() for every incoming SACK packet, leading to denial of service.
The vulnerability worked because an attacker could manipulate a connection's window scaling and RTT, forcing the victim to send a large amount of unacknowledged data and increase its retransmission timeout — enabling the attacker to send a large number of SACKs. As the sorted list of SACK holes grew larger, inserting additional elements became increasingly expensive, since inserting n elements into a sorted list in order has O(n²) complexity.
The fix simply limited the number of SACK holes to 128.
So CVE-2019-8460 is the closest historical relative to the Mythos-discovered bug — same OS, same function, same data structure (the singly linked list of holes), same attack surface (crafted SACK packets from a remote attacker). But the mechanism differs importantly:
- CVE-2019-8460 was a resource exhaustion / algorithmic complexity attack — flood the list with holes, make the O(n²) traversal grind the CPU to a halt. No overflow, no NULL dereference.
- The Mythos bug is a signed integer overflow enabling a NULL pointer dereference — a single carefully crafted SACK block exploiting 32-bit sequence number wrap-around to simultaneously satisfy two contradictory conditions, crashing the kernel outright with two packets.
The irony is striking: the 2019 fix capped the number of holes at 128 and addressed the algorithmic complexity problem, but the signed integer overflow in the sequence number validation logic that underpins the Mythos bug was a completely orthogonal flaw in the same code — and it survived that 2019 review entirely untouched. The actual patch for the Mythos bug was committed with the message: "Due to an integer overflow, sequence numbers in selective ACK packets were accepted. Such packets caused a NULL pointer dereference in the TCP stack, resulting in a kernel crash."
So to directly answer your question: yes, bugs of a similar spirit — SACK list logic errors in OpenBSD's TCP stack causing remote DoS — have been found before. But the specific combination of signed integer overflow in sequence number comparison exploited to trigger a NULL pointer dereference appears to be genuinely novel. The 2019 researchers were literally in the same function, staring at the same linked list, and still missed it. That's precisely what makes it such a compelling demonstration of AI-assisted vulnerability research.
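An added example, not part of the original post and not OpenBSD's code: a small C model of a sorted singly linked hole list that counts the nodes walked per insert, to show why the 128-hole cap described for the CVE-2019-8460 fix bounds the O(n²) cost. All names are hypothetical, the hole starts are constructed, and a plain `<` stands in for real sequence-number comparison.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model; this is not OpenBSD's tcp_sack_option(). */
#define HOLE_CAP 128   /* the limit the post gives for the 2019 fix */

struct hole { uint32_t start; struct hole *next; };

/* Insert into an ascending list, walking from the head.
 * Returns nodes visited, or -1 if the cap is reached or malloc fails.
 * cap == 0 means "no limit" (the pre-fix behaviour being modelled). */
static long insert_sorted(struct hole **head, uint32_t start,
                          size_t *count, size_t cap)
{
    struct hole **pp = head, *n;
    long steps = 0;

    if (cap != 0 && *count >= cap)
        return -1;                      /* reject before any list walk */
    while (*pp != NULL && (*pp)->start < start) {
        pp = &(*pp)->next;
        steps++;
    }
    if ((n = malloc(sizeof(*n))) == NULL)
        return -1;
    n->start = start;
    n->next = *pp;
    *pp = n;
    (*count)++;
    return steps;
}

/* Feed n_blocks constructed ascending hole starts; return total nodes walked. */
unsigned long long hole_list_cost(size_t n_blocks, size_t cap)
{
    struct hole *head = NULL, *next;
    unsigned long long total = 0;
    size_t count = 0;

    for (size_t i = 0; i < n_blocks; i++) {
        long s = insert_sorted(&head, (uint32_t)(1000 + 10 * i), &count, cap);
        if (s > 0)
            total += (unsigned long long)s;
    }
    for (; head != NULL; head = next) { next = head->next; free(head); }
    return total;
}

int main(void)
{
    printf("uncapped: %llu\n", hole_list_cost(4096, 0));
    printf("capped:   %llu\n", hole_list_cost(4096, HOLE_CAP));
    return 0;
}
```

With the cap, the work per connection stays constant no matter how many more holes are offered; without it, the total grows as n(n-1)/2.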

