libprop/prop_object.c in proplib in NetBSD 4.0 and 4.0.1 allows local users to cause a denial of service (NULL pointer dereference and kernel panic) via a malformed externalized plist (XML form) containing an undefined element.
https://exchange.xforce.ibmcloud.com/vulnerabilities/51311
http://www.securitytracker.com/id?1022431
http://www.securityfocus.com/bid/35466