Skip to main content

dhcpcd CVE-2026-56113

| EUVDEUVD-2026-38491 MEDIUM
Use After Free (CWE-416)
2026-06-23 VulnCheck GHSA-vh4p-87xg-jc4x
6.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Adjacent vector (LAN-only); AC:H because OPTION_PD_EXCLUDE prefix delegation must be actively configured; availability-only impact; no scope change.

3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.3 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 17:04 vuln.today
Analysis Generated
Jun 23, 2026 - 17:04 vuln.today

DescriptionCVE.org

dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers acting as or impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.

AnalysisAI

Heap use-after-free in dhcpcd through 10.3.2 enables unauthenticated same-link attackers - acting as or impersonating a DHCPv6 server - to crash the daemon by sending a crafted DHCPv6 RENEW reply exploiting a pointer lifecycle flaw in delegated prefix deprecation. The flaw triggers dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still retains the freed pointer, causing a use-after-free when TAILQ_REMOVE is subsequently reached. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain same-link network position
Delivery
Impersonate DHCPv6 server on segment
Exploit
Wait for or solicit RENEW from dhcpcd client
Execution
Send crafted RENEW reply with OPTION_PD_EXCLUDE and zero lifetimes
Persist
Trigger UAF in dhcp6_deprecateaddrs
Impact
Crash dhcpcd daemon

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be on the same Layer-2 network segment as the target host (adjacent network - not remotely exploitable across routed boundaries). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H) scores 6.0, accurately capturing the key signals: adjacent-network requirement and a specific attack target condition (AT:P) reflecting that OPTION_PD_EXCLUDE prefix delegation must be in use - a non-default configuration absent in most deployments. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker positioned on the same Layer-2 network segment as a host running dhcpcd with DHCPv6 prefix delegation configured sets up a rogue DHCPv6 server - or performs a DHCPv6 server impersonation via spoofed source addressing. When the legitimate client sends a DHCPv6 RENEW, the attacker responds with a crafted reply including OPTION_PD_EXCLUDE (RFC 6603) and sets both preferred and valid lifetimes to zero, triggering the defective deprecation path inside dhcpcd and crashing the daemon. …
Remediation The primary remediation is to update dhcpcd to a version incorporating upstream commit 5733d3c59a5651f64357ac11c98b4f39895c8d25, available at https://github.com/NetworkConfiguration/dhcpcd/commit/5733d3c59a5651f64357ac11c98b4f39895c8d25. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dhcpcd

View all
CVE-2016-1503 CRITICAL
9.8 Apr 18

dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-0

CVE-2019-11766 CRITICAL
9.8 May 05

dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over-read in the D6_OPTION_PD_EXCLUDE feature. Rated c

CVE-2019-11577 CRITICAL
9.8 Apr 28

dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses. Rated critical s

CVE-2026-56115 HIGH
8.7 Jun 23

Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacke

CVE-2012-2152 HIGH
7.5 Jul 25

Stack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a deni

CVE-2016-1504 HIGH
7.5 Feb 07

dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related t

CVE-2012-6699 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6698 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6700 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP ser

CVE-2026-56116 HIGH
7.1 Jun 23

Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon b

CVE-2014-7913 MEDIUM
6.8 Jul 30

The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.

CVE-2014-7912 MEDIUM
6.8 Jul 30

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected
SUSE Linux Enterprise Server for SAP applications 16.0 Affected
SUSE Linux Enterprise Server for SAP applications 16.1 Affected
SUSE Linux Micro 6.2 Affected

Share

CVE-2026-56113 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy