Why OpenBSD 7.9 Should Be on Your Radar in 2026
If you’ve been sleeping on OpenBSD, now is a good time to wake up. Released on May 19, 2026, OpenBSD 7.9 marks the project’s 60th release, and it’s one of the most feature-packed, security-hardened, and hardware-ready versions the team has ever shipped. Whether you’re a sysadmin, security researcher, developer, or just someone who cares deeply about operating system quality, the case for putting OpenBSD 7.9 on your radar in 2026 is worth taking seriously.
This isn’t a Linux distro with a snazzy theme. OpenBSD is built from the ground up with correctness, security, and clarity as its north star. Version 7.9 continues that tradition — but adds a wave of modern improvements that make it genuinely competitive as a daily system, a firewall platform, and a server OS for 2026 and beyond.
Let’s dig into what’s actually new and why it matters.
OpenBSD 7.9 at a Glance

Before we get into the details, here’s the headline summary:
- Released: May 19, 2026
- Milestone: 60th OpenBSD release
- OpenSSH version: 10.3
- LibreSSL version: 4.3.0
- DRM/graphics stack: Updated to Linux 6.18.22 base
- Packages available: 13,044 on amd64 alone
That last number tells you something important. OpenBSD is not a minimalist OS with a small package set — it’s a minimalist OS base that ships with a remarkably large and up-to-date ports collection. From GNOME 49 to Rust 1.94.1, Python 3.13.13, Go 1.26.2, PostgreSQL 18.3, and Firefox 150.0 — the ecosystem is current and capable.
Security: Still the Gold Standard
Security is where OpenBSD has always set the bar, and 7.9 doesn’t coast on reputation.
Pledge and Unveil Get Smarter
One of the more nuanced changes in 7.9 is the retirement of the pledge “tmppath” promise. This might sound like a regression, but it’s actually a tightening. The old tmppath promise was a blunt instrument. The replacement, unveil of /tmp with rwc permissions combined with pledge “rpath wpath cpath”, is a far more surgical approach that removes a broad-access shortcut that less careful code might have relied on.
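The replacement pattern described above, as an added C example (not code from the OpenBSD project). The helper names `enter_tmp_sandbox` and `write_scratch` are hypothetical, `stdio` is added to the promise list because the program also needs basic I/O, and the no-op stubs are an assumption that only exists so the file builds on systems without pledge(2) and unveil(2).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Assumption: no-op stand-ins so the example also builds off OpenBSD. */
static int unveil(const char *path, const char *perms) { (void)path; (void)perms; return 0; }
static int pledge(const char *prom, const char *execprom) { (void)prom; (void)execprom; return 0; }
#endif

/* Hypothetical helper: expose only /tmp, then keep only file-I/O promises. */
int enter_tmp_sandbox(void)
{
	if (unveil("/tmp", "rwc") == -1)
		return -1;
	/* "unveil" is not in the promise list, so the view is now fixed. */
	if (pledge("stdio rpath wpath cpath", NULL) == -1)
		return -1;
	return 0;
}

/* Hypothetical helper: create, write and remove a scratch file in /tmp.
 * Returns the number of bytes written, or -1 on failure. */
ssize_t write_scratch(const char *buf)
{
	char path[] = "/tmp/scratch.XXXXXXXXXX";
	int fd = mkstemp(path);      /* needs rpath wpath cpath */
	ssize_t n;

	if (fd == -1)
		return -1;
	n = write(fd, buf, strlen(buf));
	close(fd);
	unlink(path);                /* needs cpath and unveil "c" */
	return n;
}

int main(void)
{
	if (enter_tmp_sandbox() == -1) { perror("sandbox"); return 1; }
	if (write_scratch("constructed sample\n") == -1) { perror("scratch"); return 1; }
	/* On OpenBSD this open fails with ENOENT: /etc was never unveiled. */
	FILE *f = fopen("/etc/passwd", "r");
	printf("/etc/passwd %s\n", f ? "readable" : "hidden");
	if (f) fclose(f);
	return 0;
}
```

Unlike the old tmppath shortcut, the sandboxed process here can see nothing outside /tmp at all, and the permissions it holds inside /tmp are spelled out explicitly.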
Alongside this, 7.9 introduces a new __pledge_open system call. This allows libc to internally open a small, tightly controlled set of files (like zoneinfo data) even when pledge and unveil would otherwise block direct access. File descriptors obtained this way are restricted to read-only and cannot be passed via fdpassing or used with write, chmod, chflags, chown, or ftruncate. It’s a clever addition that makes pledged programs more functional without widening the attack surface.
Other security hardening changes include:
- Root can no longer bypass BPF’s BIOCLOCK — previously, root processes could still reconfigure a BPF descriptor after BIOCLOCK was set, which was supposed to revoke that ability entirely. This exemption has been removed.
- Kernel address leaks plugged — p_addr kernel addresses are no longer exposed through sysctl to non-root callers, and the TTY session kernel address pointer is similarly gated.
- Stricter timezone file handling in pledged processes — /etc/localtime and /usr/share/zoneinfo scans are now more tightly controlled.
These aren’t flashy CVE fixes — they’re the quiet, unglamorous hardening that makes OpenBSD the OS that doesn’t make the breach headlines.
OpenSSH 10.3: Important Security Fixes and New Features

Since OpenBSD is the home of OpenSSH, every release is also an SSH release. OpenSSH 10.3 ships with several security fixes that are worth paying attention to, especially if you run any kind of SSH infrastructure.
Security Fixes in OpenSSH 10.3
- Shell metacharacter injection in ssh: Validation of shell metacharacters in user names passed on the command line was happening too late. For configurations using %u tokens in a Match exec block, an attacker controlling the username could potentially execute arbitrary shell commands. Fixed in this release.
- authorized_keys principals matching bug in sshd: An incorrect algorithm could allow inappropriate matching when a principal name in a certificate contained a comma character. Exploitation required specific authorized_keys configurations, but it’s a subtle and nasty edge case now closed.
- scp root download setuid/setgid bug: When downloading files as root in legacy -O mode without -p (preserve modes), scp wasn’t clearing setuid/setgid bits from downloaded files. This bug apparently traced back to the original Berkeley rcp. Fixed.
- Incomplete ECDSA algorithm enforcement in sshd: If PubkeyAcceptedAlgorithms or HostbasedAcceptedAlgorithms contained any ECDSA algorithm name, other ECDSA algorithms would be accepted regardless of whether they were listed. Now properly enforced.
New SSH Features
Beyond the fixes, OpenSSH 10.3 adds some genuinely useful capabilities:
- ssh -Oconninfo — a new multiplexing command that shows connection information for a running mux session.
- ssh -O channels — lets you inspect what channels are currently open in a mux process.
- ~I escape — shows current SSH connection info from within a session, without needing a separate command.
- IANA-assigned codepoints for SSH agent forwarding — the protocol is moving toward standardization, and OpenSSH 10.3 is already there.
- invaliduser penalty in PerSourcePenalties — sshd can now apply configurable delays specifically to login attempts for usernames that don’t correspond to real accounts.
- ED25519 keys in PKCS8 format from ssh-keygen.
- Sub-second PerSourcePenalties — useful if you need to rate-limit events happening at ≥1 QPS without a full second granularity.
LibreSSL 4.3.0: Post-Quantum Cryptography Arrives
This is a big one that might not get the attention it deserves. LibreSSL 4.3.0, shipping in OpenBSD 7.9, adds support for MLKEM768_X25519 keyshares in TLS. This is a hybrid post-quantum key exchange mechanism combining the classical X25519 elliptic curve with the NIST-standardized ML-KEM (Module Lattice Key Encapsulation Mechanism).
In practical terms: if you’re running an OpenBSD 7.9 TLS server or client, you now have post-quantum-safe key exchange available. That’s not a future feature — it’s shipping today.
Other LibreSSL 4.3.0 highlights:
- TLS 1.1 and lower disabled at the method level — not just by default configuration, but architecturally. Old and broken TLS versions are gone.
- ML-KEM benchmarks added to openssl speed.
- starttls sieve protocol support for acme-client and nc.
- RSASSA-PSS with pubkey OID support in libssl.
- X.509 verifier depth bug fixed — an off-by-one error that could cause a 4-byte heap overwrite when talking to a malicious server. This was a real reliability fix.
- Delta CRL NULL dereference fixed — previously, if a Delta CRL was missing its cRLNumber, the verifier could be walked into a NULL dereference.
Performance Improvements: Real, Measurable Gains
OpenBSD has historically been willing to trade some performance for safety. In 7.9, the team has found ways to improve both simultaneously.
SMP Unlocking
Multi-core systems benefit from continued SMP (Symmetric Multi-Processing) work:
- Socket splicing is now unlocked — this removes a lock that was serializing socket splice operations, which matters significantly for high-throughput proxy setups.
- Parallel fault handling enabled on both amd64 and arm64.
- Increased MAXCPUs on amd64 to 255 — useful for anyone running OpenBSD on high-core-count server hardware.
- Softnet thread improvements across mips64 and network subsystems.
Scheduler Awareness of Heterogeneous CPUs
Modern CPUs — especially ARM chips like Apple Silicon — mix fast performance cores with efficient but slower cores. OpenBSD 7.9 introduces a mechanism to manage CPU cores with different speeds in the scheduler. The new hw.blockcpu sysctl variable accepts a sequence of letters (S for SMT, P for performance, E for efficient, L for lethargic) to tell the scheduler which cores to exclude. This currently works on amd64 and arm64.
BGP Daemon (bgpd) Performance Overhaul
If you use OpenBSD as a router or BGP route server, the improvements in bgpd are substantial:
- Adj-RIB-Out handling rewritten for better memory efficiency — large IXP route server deployments can expect over 50% memory reduction.
- UPDATE message processing split into two phases to reduce latency.
- CH hash tables introduced — a scalable hash map with improved cache locality.
- Initial sync duration for large route servers cut by more than 25% through improved filter deduplication and array-based filter rule storage.
Networking: VLAN-Aware Bridges and IPv6 Out of the Box
The networking stack in OpenBSD 7.9 gets a meaningful quality-of-life upgrade, particularly around VLANs and virtualization.
veb Becomes VLAN-Aware
The Virtual Ethernet Bridge (veb) is now a proper VLAN-aware bridge. Ports now support PVID (port VLAN identifier) configuration, support access/trunk/hybrid port modes, and implement Private VLAN support per RFC 5517. For anyone running OpenBSD as a network appliance or firewall with complex VLAN topologies, this is a significant step forward.
IPv6 SLAAC Enabled by Default
IPv6 autoconfiguration (SLAAC) is now enabled by default. This is a long-overdue change — in 2026, IPv6 should work out of the box on a fresh install, and now it does.
pf Gets Source and State Limiters
The world-class pf firewall gains source and state limiters — a new mechanism allowing administrators to cap connection rates and state table entries on a per-source basis, with configurable actions when limits are hit. This is a practical DDoS mitigation feature built directly into the firewall.
Also worth noting: NAT tracking in pflow (IPFIX/NetFlow v10) now includes a NAT template with post-NAT source and destination addresses and ports, making it easier to track internal-to-external translations in logging pipelines.
Hardware Support: Apple Silicon, RISC-V, and More
Hardware support in OpenBSD 7.9 is notably broad.
Apple Silicon and Apple Virtualization
- The Genesys Logic GL9755 SDHC controller — used in some Apple Silicon laptops — is now supported via sdmmc.
- OpenBSD now runs on Apple Virtualization, including a virtual USB digitizer to expose the touchpad.
- A new vmboot tiny kernel allows sysupgrade to work correctly for vmd VMs.
RISC-V: SpacemiT K1 SoC Support
The SpacemiT K1 SoC now has substantial support on riscv64, including a new clock/reset controller driver, GPIO support, PCIe support via dwpcie, ethernet via smte, and support for the Zicbom and Svpbmt RISC-V extensions.
USB4 Support
A new nhi driver for USB4 controllers arrives in 7.9, alongside PCI power management improvements that allow USB4 companion controllers to properly reach low-power sleep states.
AMD and Intel Improvements
- AMD Zen/Zen+ (Zen 1) floating point state leakage mitigated.
- AMD EPYC 9005 PSP support added.
- AMD suspend improved with proper SMU support for reaching lowest power states.
- Intel LPSS SPI controller now has an ispi driver.
- ASUS I2C laptop keyboard special keys now supported via iasuskbd.
Packages: A Surprisingly Modern Software Ecosystem
One thing people unfamiliar with OpenBSD often get wrong is assuming the ports/packages are outdated. Here’s what ships with 7.9 on amd64:
| Category | What’s Included |
|---|---|
| Desktop | GNOME 49, KDE Plasma 6.6.4, Xfce 4.20.0 |
| Browsers | Firefox 150.0, Chromium 147.0.7727.101 |
| Languages | Go 1.26.2, Rust 1.94.1, Python 3.13.13, Ruby 4.0.2 |
| Databases | PostgreSQL 18.3, MariaDB 11.4.10, SQLite 3.51.3 |
| Compilers | GCC 15.2.0, LLVM/Clang 20.1.8 and 21.1.8 |
| Graphics | Mesa 25.0.7, Vulkan 1.4.341.0, Wayland 1.24.0 |
| Editors | Emacs 30.2, Vim 9.2.0357, Neovim 0.12.1 |
| Productivity | LibreOffice 26.2.2.2 |
Over 13,000 packages for amd64. That’s not a niche OS trying to survive on the margins — that’s a full-featured platform.
tmux Gets Quality-of-Life Love
Because OpenBSD maintains tmux upstream, every release includes real tmux improvements — not just patches, but features from the developers themselves. In 7.9:
- focus-follows-mouse option added.
- Synchronized output mode (DECSET 2026) supported — useful for terminal multiplexers that need to coordinate output flushing.
- Seconds added to clock mode, synchronized to the actual second.
- Case-insensitive search in tmux modes, matching the behavior already in copy mode.
- Sorting and custom format flags added to list-keys.
- Built-in help text accessible with C-h in each mode.
- Nested tmux works properly with the new extkeys feature.
Who Should Consider OpenBSD 7.9?
To be direct: OpenBSD is not for everyone. If you need seamless hardware compatibility across dozens of obscure peripherals, or you’re gaming on Linux, this probably isn’t your primary desktop. But if you fall into any of these categories, you should genuinely consider it:
- Security engineers and researchers who want an OS that was designed to resist exploitation, not patched after the fact.
- Firewall and network appliance builders — pf, bgpd, relayd, httpd, and unbound are all class-leading tools.
- Developers who care about correctness — pledge, unveil, and strict toolchain defaults catch bugs early.
- Server administrators running web, mail, or routing infrastructure where stability and auditability matter.
- Anyone interested in post-quantum TLS — ML-KEM is shipping now, not as an experimental branch.
Final Thoughts
Sixty releases in, OpenBSD keeps doing what it’s always done: shipping a carefully integrated, security-first operating system where every component gets reviewed, every default gets questioned, and every feature earns its place. OpenBSD 7.9, released May 19, 2026, is no exception — and it may actually be one of the stronger arguments for the platform in recent memory.
Post-quantum cryptography in LibreSSL. A rewritten bgpd that cuts memory usage in half. SSH 10.3 with real security fixes and new introspection tools. VLAN-aware bridging, IPv6 SLAAC by default, pf source limiters, and hardware support stretching from Apple Silicon to RISC-V SpacemiT SoCs.
The case for putting OpenBSD 7.9 on your radar in 2026 comes down to this: it’s an operating system that takes the hard problems seriously and keeps getting better at solving them. If that matters to you, the 60th release is a very good time to take a closer look.





