Skip to main content

FreeBSD dhclient CVE-2026-42512

| EUVDEUVD-2026-26357 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-04-30 freebsd
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
May 01, 2026 - 16:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 01, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 01, 2026 - 16:22 NVD
7.3 (HIGH) 8.1 (HIGH)
Analysis Generated
Apr 30, 2026 - 14:24 vuln.today
CVSS changed
Apr 30, 2026 - 14:22 NVD
7.3 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 09:00 euvd
EUVD-2026-26357
Analysis Generated
Apr 30, 2026 - 09:00 vuln.today
CVE Published
Apr 30, 2026 - 07:58 nvd
HIGH 8.1

DescriptionCVE.org

As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.

A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.

AnalysisAI

Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHCP packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches prior to security patches. EPSS exploitation probability is low (0.03%, 8th percentile) and no active exploitation confirmed, but SSVC classifies this as automatable with partial technical impact. The vulnerability requires network position to send crafted DHCP responses (CVSS AV:N/AC:H), making exploitation complexity high but not requiring authentication.

Technical ContextAI

The dhclient DHCP client daemon in FreeBSD contains a heap buffer overflow (CWE-122) in its environment variable handling logic. When dhclient receives DHCP packets and prepares to invoke the dhclient-script helper, it builds an array of environment string pointers. The memory reallocation routine miscalculates the required buffer size during array expansion, leading to a heap-based buffer overrun. This affects the ISC DHCP client implementation bundled with FreeBSD across multiple release branches. The vulnerability lies in unsafe memory management during dynamic array resizing, a common class of memory corruption bugs that can compromise control flow if exploitable. The CPE identifier cpe:2.3:a:freebsd:freebsd indicates this is specific to the FreeBSD operating system distribution's dhclient implementation.

RemediationAI

Apply FreeBSD security patches immediately by upgrading to patched releases: FreeBSD 14.3-RELEASE-p12 or later, FreeBSD 14.4-RELEASE-p3 or later, FreeBSD 13.5-RELEASE-p13 or later, or FreeBSD 15.0-RELEASE-p7 or later. Follow upgrade procedures at https://security.freebsd.org/advisories/FreeBSD-SA-26:15.dhclient.asc for binary updates via freebsd-update or source-based patching. If immediate patching is impossible, implement network segmentation to isolate dhclient systems from untrusted networks and consider static IP configuration to disable DHCP entirely on critical systems, though this sacrifices dynamic network configuration convenience and may break cloud or enterprise DHCP-dependent infrastructure. For temporary risk reduction, deploy DHCP snooping on network switches to validate DHCP server authenticity and prevent rogue DHCP responses, though this requires managed switch infrastructure and careful configuration to avoid disrupting legitimate DHCP services.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

CVE-2026-42512 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy