> Only two remote holes in the default install, in a heck of a long time!

https://www.openbsd.org/

https://en.wikipedia.org/wiki/OpenBSD#Security_record

LPE (to root) is serious, but it's not a remote hole.

Is this functionality accessible from sandboxed processes? That would make a remote hole much more dangerous when one is found, anyway. The CVE seems to concern SysV semaphores and the pledge(2) man page doesn't seem to mention those.

No.

https://github.com/openbsd/src/blob/d5b0ed23b6fe61f0278c37a4...

Perhaps relevant, Students from the University of Southern Denmark released a paper earlier this month, which once again noted the fact that over ~90% of the OpenBSD base system uses pledge(2). Almost certainly all of the network speaking daemons in base do.

https://arxiv.org/abs/2607.03056