Skip to main content

dhcpcd CVE-2026-14258

| EUVDEUVD-2026-40941 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-07-01 redhat GHSA-hm5v-wwxq-27x8
6.5
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

AV:A because RA packets are link-local only; PR:N and AC:L as any adjacent host can send a crafted RA; A:H for CPU-exhaustion DoS with no C or I impact.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
MEDIUM
qualitative
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 11:06 vuln.today
CVE Published
Jul 01, 2026 - 09:24 cve.org
MEDIUM 6.5

DescriptionCVE.org

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.

AnalysisAI

Denial of service in dhcpcd's IPv6 Neighbor Discovery Router Advertisement parser allows an adjacent unauthenticated attacker to exhaust CPU resources on any host running dhcpcd with IPv6 enabled. The flaw (CWE-835 - infinite loop) arises because a zero-length Neighbor Discovery option passes initial storage validation but is later reparsed without sufficient bounds enforcement, causing the parser to loop indefinitely without advancing. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain access to shared Layer-2 network segment
Delivery
Craft ICMPv6 Router Advertisement with zero-length ND option
Exploit
Broadcast or unicast malformed RA to target host
Install
dhcpcd stores option bypassing initial length check
C2
Re-parse triggers non-advancing loop
Execute
CPU fully consumed
Impact
Host availability lost

Vulnerability AssessmentAI

Exploitation The attacker must be on the same IPv6 link (Layer-2 broadcast domain or VLAN) as the target, as IPv6 Router Advertisements are link-local and not routable across network boundaries - this is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 with vector AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H accurately reflects the threat model: exploitation is constrained to adjacent-network attackers (AV:A), meaning the adversary must share a Layer-2 broadcast domain or VLAN with the target - they cannot exploit this from the open internet. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned on the same Layer-2 network segment as a target host running dhcpcd - for example, a malicious guest on a shared cloud VLAN or a rogue device on an enterprise Wi-Fi network - crafts and broadcasts an IPv6 Router Advertisement containing a Neighbor Discovery option with a length field set to zero. No public proof-of-concept code has been identified, but constructing such a packet requires only standard raw socket privileges and publicly documented RA packet structure. …
Remediation The primary fix is an upstream commit to the dhcpcd source tree at https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca, which addresses the zero-length option parsing loop. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected
SUSE Linux Enterprise Server for SAP applications 16.0 Affected
SUSE Linux Enterprise Server for SAP applications 16.1 Affected
SUSE Linux Micro 6.2 Affected

Share

CVE-2026-14258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy