Skip to main content

dhcpcd CVE-2026-56114

| EUVDEUVD-2026-38492 MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-23 VulnCheck GHSA-8q8g-fjv5-5h56
6.0
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Adjacent-only via rogue DHCPv6 server; no privileges or interaction required; impact limited to availability (crash) with no confirmed confidentiality or integrity loss.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.9 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 17:05 vuln.today
Analysis Generated
Jun 23, 2026 - 17:05 vuln.today

DescriptionCVE.org

dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.

AnalysisAI

Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption from unauthenticated attackers on the same network link. The one-byte off-by-one overflow in dhcp6_makemessage() is triggered by a crafted DHCPv6 ADVERTISE containing an RFC6603 OPTION_PD_EXCLUDE sub-option with an exclude prefix length of /121 through /128, overflowing a 16-byte stack buffer by exactly one byte. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain access to same Layer 2 segment as target
Delivery
Deploy rogue DHCPv6 server on link
Exploit
Wait for target dhcpcd to send DHCPv6 SOLICIT
Install
Respond with crafted ADVERTISE containing OPTION_PD_EXCLUDE with prefix length /121-/128
C2
One-byte stack overflow triggered in dhcp6_makemessage()
Execute
Adjacent stack memory corrupted
Impact
dhcpcd crash and IPv6 network disruption

Vulnerability AssessmentAI

Exploitation The attacker must be present on the same Layer 2 network segment as the target (AV:A) - exploitation across routed network boundaries is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) scores 6.0 (Medium), correctly reflecting that exploitation is constrained to adjacent-network attackers and impacts only availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same Layer 2 segment as a target running dhcpcd - such as a compromised host on a shared LAN, or an attacker on an unsegmented corporate Wi-Fi network - configures a rogue DHCPv6 server. When the target's dhcpcd sends a DHCPv6 SOLICIT, the attacker responds with a crafted ADVERTISE message containing an IA_PD IAPREFIX /0 sub-option with an OPTION_PD_EXCLUDE using an exclude prefix length between /121 and /128. …
Remediation The primary remediation is to apply upstream commit 2f00c7bfc408b6582d331932dfa47829c4819029 from https://github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029, or to update to a distribution-packaged release that incorporates this commit - a specific patched release version number was not independently confirmed from available data, so users should verify with their distribution maintainers. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dhcpcd

View all
CVE-2016-1503 CRITICAL
9.8 Apr 18

dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-0

CVE-2019-11766 CRITICAL
9.8 May 05

dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over-read in the D6_OPTION_PD_EXCLUDE feature. Rated c

CVE-2019-11577 CRITICAL
9.8 Apr 28

dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses. Rated critical s

CVE-2026-56115 HIGH
8.7 Jun 23

Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacke

CVE-2012-2152 HIGH
7.5 Jul 25

Stack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a deni

CVE-2016-1504 HIGH
7.5 Feb 07

dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related t

CVE-2012-6699 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6698 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6700 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP ser

CVE-2026-56116 HIGH
7.1 Jun 23

Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon b

CVE-2014-7913 MEDIUM
6.8 Jul 30

The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.

CVE-2014-7912 MEDIUM
6.8 Jul 30

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected
SUSE Linux Enterprise Server for SAP applications 16.0 Affected
SUSE Linux Enterprise Server for SAP applications 16.1 Affected
SUSE Linux Micro 6.2 Affected

Share

CVE-2026-56114 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy