Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AV:A because RA packets are link-local only; PR:N and AC:L as any adjacent host can send a crafted RA; A:H for CPU-exhaustion DoS with no C or I impact.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.
AnalysisAI
Denial of service in dhcpcd's IPv6 Neighbor Discovery Router Advertisement parser allows an adjacent unauthenticated attacker to exhaust CPU resources on any host running dhcpcd with IPv6 enabled. The flaw (CWE-835 - infinite loop) arises because a zero-length Neighbor Discovery option passes initial storage validation but is later reparsed without sufficient bounds enforcement, causing the parser to loop indefinitely without advancing. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be on the same IPv6 link (Layer-2 broadcast domain or VLAN) as the target, as IPv6 Router Advertisements are link-local and not routable across network boundaries - this is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately reflects the threat model: exploitation is constrained to adjacent-network attackers (AV:A), meaning the adversary must share a Layer-2 broadcast domain or VLAN with the target - they cannot exploit this from the open internet. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker positioned on the same Layer-2 network segment as a target host running dhcpcd - for example, a malicious guest on a shared cloud VLAN or a rogue device on an enterprise Wi-Fi network - crafts and broadcasts an IPv6 Router Advertisement containing a Neighbor Discovery option with a length field set to zero. No public proof-of-concept code has been identified, but constructing such a packet requires only standard raw socket privileges and publicly documented RA packet structure. … |
| Remediation | The primary fix is an upstream commit to the dhcpcd source tree at https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca, which addresses the zero-length option parsing loop. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Enterprise Linux 10
View allRemote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h
Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft
Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter
HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel
HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls
Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege
HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator
Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD
Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user
Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co
Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap
Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| openSUSE Leap 16.0 | Affected |
| SLES-CHOST-BYOS-Aliyun | Affected |
| SLES-CHOST-BYOS-Azure | Affected |
| SLES-CHOST-BYOS-EC2 | Affected |
| SLES-CHOST-BYOS-GCE | Affected |
| SLES-CHOST-BYOS-GDC | Affected |
| SLES-CHOST-BYOS-SAP-CCloud | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40941
GHSA-hm5v-wwxq-27x8