Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Adjacent-only reach via DHCP; no auth barrier; impact is exclusively process crash, so A:H and C:N/I:N.
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
A NULL pointer dereference occurs in Roy Marples NetworkConfiguration/dhcpcd 10.3.0 while parsing configuration options. In parse_option() (src/if-options.c:1886), the code performs a member access on a NULL pointer of type 'struct dhcp_opt' when an unexpected/invalid option token or parsing state causes the lookup to yield NULL. The instrumented fuzzing build reports 'runtime error: member access within null pointer of type struct dhcp_opt' and aborts.
AnalysisAI
NULL pointer dereference in dhcpcd 10.3.0 allows an unauthenticated attacker on the same network segment to crash the DHCP client daemon by sending a crafted packet with unexpected or invalid option tokens. The fault occurs in parse_option() at src/if-options.c:1886, where a NULL return from option lookup is immediately dereferenced as a 'struct dhcp_opt' member without a null check, causing a runtime abort. No public exploit or CISA KEV listing exists, and EPSS sits at the 4th percentile, indicating low but real crash-level risk for any host running this specific dhcpcd version on a shared or adversarially accessible network segment.
Technical ContextAI
dhcpcd is a widely deployed DHCP client daemon authored by Roy Marples, used across Linux and BSD-derived systems including embedded and IoT platforms. The vulnerable function parse_option() in src/if-options.c is responsible for interpreting DHCP option fields from received packets. Under CWE-476 (NULL Pointer Dereference), the root cause is missing null-guard logic: when a DHCP option token fails to map to a known 'struct dhcp_opt' entry - either because the token is unknown, malformed, or triggers an unexpected parser state - the lookup returns NULL. The code then performs a struct member access on that NULL pointer without checking for the null condition first, causing undefined behavior and an immediate process abort. CPE data in NVD is listed as n/a, indicating the product has not yet received a formal CPE identifier; the affected version is confirmed as 10.3.0 from the description and the upstream GitHub repository (github.com/NetworkConfiguration/dhcpcd). The discovery was made via instrumented fuzzing, as indicated by the 'runtime error' sanitizer message in the description and the Mastodon post from the researcher (@sigdevel on infosec.exchange).
RemediationAI
No vendor-released patch version has been independently confirmed at the time of analysis; the fix version is not stated in any available reference. Users should monitor the upstream dhcpcd repository at github.com/NetworkConfiguration/dhcpcd for a patched release addressing CVE-2025-70102 and upgrade to that version once available. As a compensating control, restrict layer-2 network access to hosts running dhcpcd using 802.1X port authentication or DHCP snooping on managed switches to limit who can inject crafted DHCP responses - note this does not prevent rogue DHCP servers on the same uncontrolled segment. On Linux hosts, deploying dhcpcd under a systemd service with RestrictAddressFamilies and ProtectSystem hardening can limit the blast radius of a crash but will not prevent the process abort itself. If network connectivity loss from a dhcpcd crash is operationally critical, consider temporarily switching to an alternative DHCP client (e.g., dhclient, NetworkManager's built-in client) on affected 10.3.0 installations until a patch is confirmed.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| openSUSE Leap 16.0 | Affected |
| SLES-CHOST-BYOS-Aliyun | Affected |
| SLES-CHOST-BYOS-Azure | Affected |
| SLES-CHOST-BYOS-EC2 | Affected |
| SLES-CHOST-BYOS-GCE | Affected |
| SLES-CHOST-BYOS-GDC | Affected |
| SLES-CHOST-BYOS-SAP-CCloud | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210156
GHSA-9g28-83m6-mvg3