Skip to main content

dhcpcd CVE-2026-56116

| EUVDEUVD-2026-38496 HIGH
Memory Leak (CWE-401)
2026-06-23 VulnCheck GHSA-g36w-q35r-qvg3
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Same-link IPv6 ND traffic so AV:A; no auth or user interaction; only availability of dhcpcd is impacted, hence C:N/I:N/A:H.

3.1 AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 17:01 vuln.today
Analysis Generated
Jun 23, 2026 - 17:01 vuln.today

DescriptionCVE.org

dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash.

AnalysisAI

Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon by repeatedly sending crafted IPv6 Router Advertisements with zero-lifetime Route Information options. The unfreed allocations in routeinfo_findalloc() accumulate linearly until the daemon crashes, disrupting DHCP client functionality on the affected host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain Layer-2 adjacency to target
Delivery
Craft IPv6 RA with zero-lifetime Route Information option
Exploit
Send RA stream toward victim interface
Execution
Trigger leak in routeinfo_findalloc() per packet
Persist
Memory grows until dhcpcd is OOM-killed
Impact
Host loses DHCP/IPv6 autoconfiguration

Vulnerability AssessmentAI

Exploitation The target host must run dhcpcd 10.3.2 or earlier with IPv6 Router Advertisement processing enabled (the default on most distributions when IPv6 is active). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H) scores 7.1 and accurately characterizes a same-link, unauthenticated availability-only attack - no confidentiality or integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the same broadcast domain - for example a malicious guest on corporate Wi-Fi, a compromised IoT device, or an adjacent VM on a shared L2 segment - sends a continuous stream of forged ICMPv6 Router Advertisements containing Route Information options with lifetime=0 toward target hosts. Each RA causes dhcpcd to allocate but never release a routeinfo structure, slowly exhausting process memory until the daemon is OOM-killed or crashes, breaking IPv4/IPv6 lease renewal on the victim. …
Remediation Upstream fix available (commit 708b4a56bae080a5b18c2e0c4c6fbe103131a2b0); a released patched version is not independently confirmed in the input, so administrators should upgrade dhcpcd to the next tagged release that includes this commit or apply the one-line patch (free(rinfo) in ipv6nd_expirera in src/ipv6nd.c) and rebuild. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all systems running dhcpcd and document current installed versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dhcpcd

View all
CVE-2016-1503 CRITICAL
9.8 Apr 18

dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-0

CVE-2019-11766 CRITICAL
9.8 May 05

dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over-read in the D6_OPTION_PD_EXCLUDE feature. Rated c

CVE-2019-11577 CRITICAL
9.8 Apr 28

dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses. Rated critical s

CVE-2026-56115 HIGH
8.7 Jun 23

Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacke

CVE-2012-2152 HIGH
7.5 Jul 25

Stack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a deni

CVE-2016-1504 HIGH
7.5 Feb 07

dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related t

CVE-2012-6699 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6698 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6700 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP ser

CVE-2014-7913 MEDIUM
6.8 Jul 30

The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.

CVE-2014-7912 MEDIUM
6.8 Jul 30

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products

CVE-2026-56114 MEDIUM
6.0 Jun 23

Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption fr

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected
SUSE Linux Enterprise Server for SAP applications 16.0 Affected
SUSE Linux Enterprise Server for SAP applications 16.1 Affected
SUSE Linux Micro 6.2 Affected

Share

CVE-2026-56116 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy