Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionCVE.org
As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.
A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.
AnalysisAI
Heap buffer overflow in FreeBSD dhclient enables potential remote code execution when processing maliciously crafted DHCP packets. Affects FreeBSD 13.5, 14.3, 14.4, and 15.0 branches prior to security patches. EPSS exploitation probability is low (0.03%, 8th percentile) and no active exploitation confirmed, but SSVC classifies this as automatable with partial technical impact. The vulnerability requires network position to send crafted DHCP responses (CVSS AV:N/AC:H), making exploitation complexity high but not requiring authentication.
Technical ContextAI
The dhclient DHCP client daemon in FreeBSD contains a heap buffer overflow (CWE-122) in its environment variable handling logic. When dhclient receives DHCP packets and prepares to invoke the dhclient-script helper, it builds an array of environment string pointers. The memory reallocation routine miscalculates the required buffer size during array expansion, leading to a heap-based buffer overrun. This affects the ISC DHCP client implementation bundled with FreeBSD across multiple release branches. The vulnerability lies in unsafe memory management during dynamic array resizing, a common class of memory corruption bugs that can compromise control flow if exploitable. The CPE identifier cpe:2.3:a:freebsd:freebsd indicates this is specific to the FreeBSD operating system distribution's dhclient implementation.
RemediationAI
Apply FreeBSD security patches immediately by upgrading to patched releases: FreeBSD 14.3-RELEASE-p12 or later, FreeBSD 14.4-RELEASE-p3 or later, FreeBSD 13.5-RELEASE-p13 or later, or FreeBSD 15.0-RELEASE-p7 or later. Follow upgrade procedures at https://security.freebsd.org/advisories/FreeBSD-SA-26:15.dhclient.asc for binary updates via freebsd-update or source-based patching. If immediate patching is impossible, implement network segmentation to isolate dhclient systems from untrusted networks and consider static IP configuration to disable DHCP entirely on critical systems, though this sacrifices dynamic network configuration convenience and may break cloud or enterprise DHCP-dependent infrastructure. For temporary risk reduction, deploy DHCP snooping on network switches to validate DHCP server authenticity and prevent rogue DHCP responses, though this requires managed switch infrastructure and careful configuration to avoid disrupting legitimate DHCP services.
The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and
The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess
The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS
Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used
The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w
In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa
The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an
NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers
Same weakness CWE-122 – Heap-based Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26357