Skip to main content

FreeBSD dhclient EUVDEUVD-2026-26350

| CVE-2026-42511 HIGH
Improper Neutralization of Quoting Syntax (CWE-149)
2026-04-30 freebsd
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
May 01, 2026 - 16:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 01, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
May 01, 2026 - 16:22 NVD
7.3 (HIGH) 8.1 (HIGH)
Analysis Generated
Apr 30, 2026 - 14:22 vuln.today
CVSS changed
Apr 30, 2026 - 14:22 NVD
7.3 (HIGH)
EUVD ID Assigned
Apr 30, 2026 - 07:15 euvd
EUVD-2026-26350
Analysis Generated
Apr 30, 2026 - 07:15 vuln.today
CVE Published
Apr 30, 2026 - 06:56 nvd
HIGH 8.1

DescriptionCVE.org

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.

A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.

AnalysisAI

Remote code execution as root in FreeBSD dhclient allows malicious DHCP servers to inject arbitrary commands via unsanitized BOOTP file field in DHCP responses. When dhclient writes lease data without escaping embedded double-quotes and later re-parses it (e.g., after system restart), injected dhclient.conf directives execute through dhclient-script. EPSS score is notably low (0.02%, 5th percentile) with SSVC indicating no observed exploitation and partial technical impact, suggesting limited real-world targeting despite the high-severity nature of root code execution. No public exploit code identified at time of analysis.

Technical ContextAI

DHCP (Dynamic Host Configuration Protocol) clients like FreeBSD's dhclient receive configuration data from DHCP servers, including the BOOTP file field (typically used for network boot file paths). The vulnerability stems from CWE-149 (Improper Neutralization of Quoting Syntax), where dhclient fails to escape double-quote characters when writing the BOOTP file field to its lease database file. When dhclient subsequently re-parses this lease file-either on daemon restart or system reboot-the maliciously crafted field is interpreted as dhclient.conf configuration directives rather than data. These directives are then passed to dhclient-script, a shell script that executes with root privileges to configure network interfaces. The affected CPE (cpe:2.3:a:freebsd:freebsd) identifies the FreeBSD base system's DHCP client implementation. This is a classic quote injection vulnerability where insufficient input sanitization allows data fields to break out of their intended context and become executable code.

RemediationAI

Apply FreeBSD security patches immediately: upgrade to FreeBSD 13.5-RELEASE-p13, 14.3-RELEASE-p12, 14.4-RELEASE-p3, or 15.0-RELEASE-p7 depending on your major version branch. Patches available through freebsd-update utility or by rebuilding from patched sources as detailed in FreeBSD-SA-26:12.dhclient advisory (https://security.freebsd.org/advisories/FreeBSD-SA-26:12.dhclient.asc). For systems where immediate patching is not feasible, configure static IP addressing to eliminate DHCP client usage entirely-this prevents exploitation but sacrifices automatic network configuration and may complicate mobile device management. Alternatively, restrict DHCP server access via network segmentation and MAC address filtering on switching infrastructure to allow only trusted DHCP servers, though this requires existing network access control infrastructure and does not protect against compromised legitimate servers. Organizations using FreeBSD in untrusted network environments (laptops on public networks) should prioritize patching over mitigations due to the severity of root code execution.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2025-14558 HIGH POC
7.2 Mar 09

The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement mess

CVE-2013-4854 HIGH POC
7.8 Jul 29

The RFC 5011 implementation in rdata.c in ISC BIND 9.7.x and 9.8.x before 9.8.5-P2, 9.8.6b1, 9.9.x before 9.9.3-P2, and

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2013-2171 MEDIUM POC
6.9 Jul 02

The vm_map_lookup function in sys/vm/vm_map.c in the mmap implementation in the kernel in FreeBSD 9.0 through 9.1-RELEAS

CVE-2016-5766 HIGH POC
8.8 Aug 07

Integer overflow in the _gd2GetHeader function in gd_gd2.c in the GD Graphics Library (aka libgd) before 2.2.3, as used

CVE-2016-1879 HIGH POC
7.5 Jan 29

The Stream Control Transmission Protocol (SCTP) module in FreeBSD 9.3 before p33, 10.1 before p26, and 10.2 before p9, w

CVE-2020-7457 HIGH POC
8.1 Jul 09

In FreeBSD 12.1-STABLE before r359565, 12.1-RELEASE before p7, 11.4-STABLE before r362975, 11.4-RELEASE before p1, and 1

CVE-2018-8897 HIGH POC
7.8 May 08

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) wa

CVE-2012-3549 HIGH POC
7.8 Oct 09

The SCTP implementation in FreeBSD 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference an

CVE-2024-29937 CRITICAL POC
9.8 Apr 11

NFS in a BSD derived codebase, as used in OpenBSD through 7.4 and FreeBSD through 14.0-RELEASE, allows remote attackers

Share

EUVD-2026-26350 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy