Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Adjacent-only via rogue DHCPv6 server; no privileges or interaction required; impact limited to availability (crash) with no confirmed confidentiality or integrity loss.
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.
AnalysisAI
Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption from unauthenticated attackers on the same network link. The one-byte off-by-one overflow in dhcp6_makemessage() is triggered by a crafted DHCPv6 ADVERTISE containing an RFC6603 OPTION_PD_EXCLUDE sub-option with an exclude prefix length of /121 through /128, overflowing a 16-byte stack buffer by exactly one byte. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be present on the same Layer 2 network segment as the target (AV:A) - exploitation across routed network boundaries is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) scores 6.0 (Medium), correctly reflecting that exploitation is constrained to adjacent-network attackers and impacts only availability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker on the same Layer 2 segment as a target running dhcpcd - such as a compromised host on a shared LAN, or an attacker on an unsegmented corporate Wi-Fi network - configures a rogue DHCPv6 server. When the target's dhcpcd sends a DHCPv6 SOLICIT, the attacker responds with a crafted ADVERTISE message containing an IA_PD IAPREFIX /0 sub-option with an OPTION_PD_EXCLUDE using an exclude prefix length between /121 and /128. … |
| Remediation | The primary remediation is to apply upstream commit 2f00c7bfc408b6582d331932dfa47829c4819029 from https://github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029, or to update to a distribution-packaged release that incorporates this commit - a specific patched release version number was not independently confirmed from available data, so users should verify with their distribution maintainers. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-0
dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over-read in the D6_OPTION_PD_EXCLUDE feature. Rated c
dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses. Rated critical s
Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacke
Stack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a deni
dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related t
The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound
The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound
The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP ser
Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon b
The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.
The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| SUSE Linux Micro 6.2 | Affected |
| openSUSE Leap 16.0 | Affected |
| SLES-CHOST-BYOS-Aliyun | Affected |
| SLES-CHOST-BYOS-Azure | Affected |
| SLES-CHOST-BYOS-EC2 | Affected |
| SLES-CHOST-BYOS-GCE | Affected |
| SLES-CHOST-BYOS-GDC | Affected |
| SLES-CHOST-BYOS-SAP-CCloud | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38492
GHSA-8q8g-fjv5-5h56