Skip to main content

dhcpcd CVE-2026-56115

| EUVDEUVD-2026-38494 HIGH
Out-of-bounds Write (CWE-787)
2026-06-23 VulnCheck GHSA-vhmp-9f3g-3f36
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Same-link rogue server needs no auth or interaction (AV:A/AC:L/PR:N/UI:N); single-byte stack write reliably crashes the client (A:H) with limited write control (I:L) and no data disclosure (C:N).

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N
SUSE
5.9 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
Red Hat
5.3 MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Jun 25, 2026 - 17:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 25, 2026 - 17:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 25, 2026 - 17:22 vuln.today
cvss_changed
Severity Changed
Jun 25, 2026 - 17:22 NVD
MEDIUM HIGH
CVSS changed
Jun 25, 2026 - 17:22 NVD
6.0 (MEDIUM) 8.7 (HIGH)
Source Code Evidence Fetched
Jun 23, 2026 - 17:06 vuln.today
Analysis Generated
Jun 23, 2026 - 17:06 vuln.today

DescriptionCVE.org

dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.

AnalysisAI

Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacker corrupt client stack memory by replying with a malicious DHCPv6 ADVERTISE. When dhcpcd serializes an oversized RFC6603 OPTION_PD_EXCLUDE body in dhcp6_makemessage(), a one-byte value is written past a fixed 16-byte stack buffer. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Join victim's local link as rogue DHCPv6 server
Delivery
Race-answer SOLICIT with crafted ADVERTISE
Exploit
Embed IA_PD /0 with OPTION_PD_EXCLUDE /121-/128
Install
Client serializes exclude option in dhcp6_makemessage
C2
One-byte write past exb[16] stack buffer
Execute
Corrupt adjacent stack memory
Impact
Crash dhcpcd or potential further corruption

Vulnerability AssessmentAI

Exploitation Requires the attacker to be on the same link (link-local/adjacent network) and able to act as a rogue DHCPv6 server answering the victim before the legitimate server; the victim must run dhcpcd ≤10.3.2 with DHCPv6 prefix delegation active so that dhcp6_makemessage() processes IA_PD. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should temper the headline 8.7 CVSS:4.0 score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same broadcast/link segment (e.g., a guest VLAN, hostile Wi-Fi, or compromised host) runs a rogue DHCPv6 server and races to answer a victim's DHCPv6 SOLICIT with a crafted ADVERTISE containing an IA_PD IAPREFIX /0 and an OPTION_PD_EXCLUDE of /121-/128. When the victim's dhcpcd builds its follow-up REQUEST, dhcp6_makemessage() writes one byte past the fixed stack buffer, corrupting adjacent stack memory and most likely crashing the client (DoS), with theoretical potential for further corruption. …
Remediation Update dhcpcd to a release containing the upstream fix, commit 2f00c7b (one-line change enlarging the exb buffer from 16 to 17 bytes); since the public reference is the commit rather than a tagged release, treat this as 'upstream fix available (PR/commit); released patched version not independently confirmed' and pin to your distribution's patched package once published, or build from a tree including 2f00c7b. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running dhcpcd versions through 10.3.2. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dhcpcd

View all
CVE-2016-1503 CRITICAL
9.8 Apr 18

dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-0

CVE-2019-11766 CRITICAL
9.8 May 05

dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over-read in the D6_OPTION_PD_EXCLUDE feature. Rated c

CVE-2019-11577 CRITICAL
9.8 Apr 28

dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses. Rated critical s

CVE-2012-2152 HIGH
7.5 Jul 25

Stack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a deni

CVE-2016-1504 HIGH
7.5 Feb 07

dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related t

CVE-2012-6699 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6698 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6700 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP ser

CVE-2026-56116 HIGH
7.1 Jun 23

Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon b

CVE-2014-7913 MEDIUM
6.8 Jul 30

The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.

CVE-2014-7912 MEDIUM
6.8 Jul 30

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products

CVE-2026-56114 MEDIUM
6.0 Jun 23

Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption fr

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected
SUSE Linux Enterprise Server for SAP applications 16.0 Affected
SUSE Linux Enterprise Server for SAP applications 16.1 Affected
SUSE Linux Micro 6.2 Affected

Share

CVE-2026-56115 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy