Skip to main content

dhcpcd EUVDEUVD-2026-38498

| CVE-2026-56117 MEDIUM
Use After Free (CWE-416)
2026-06-23 VulnCheck GHSA-p284-r695-7gxf
5.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.7 MEDIUM

Local-only access with high complexity due to required non-default privsep-disabled configuration; low privileges to connect; availability-only impact from daemon crash with no confidentiality or integrity consequence.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
SUSE
5.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H
Red Hat
4.7 MEDIUM
qualitative

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 17:07 vuln.today
Analysis Generated
Jun 23, 2026 - 17:07 vuln.today

DescriptionCVE.org

dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-after-free vulnerability in the control socket handling within src/control.c that allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. Attackers can connect to the control socket and send a privileged command such as -x, causing control_recvdata() to free the client object while the same READ+HANGUP event subsequently reaches control_hangup() with the stale pointer, resulting in a use-after-free condition exploitable in deployments using --disable-privsep or where privsep initialization has failed with the control socket operating in mode 0666.

AnalysisAI

Heap use-after-free in dhcpcd through version 10.3.2 allows local unprivileged attackers to crash the DHCP client daemon by exploiting a double-free race between READ and HANGUP events on the control socket. When an attacker sends a privileged command such as -x, control_recvdata() frees the client fd_list object while the subsequent HANGUP event delivers the same stale pointer to control_hangup(), triggering memory corruption that results in denial of network service on the affected host. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify host running dhcpcd without privsep
Delivery
Connect to world-writable control socket (mode 0666)
Exploit
Send privileged -x shutdown command
Execution
control_recvdata() frees client fd_list object
Persist
Pending HANGUP event delivers stale pointer to control_hangup()
Impact
Heap use-after-free crashes dhcpcd daemon

Vulnerability AssessmentAI

Exploitation Exploitation requires all three of the following conditions simultaneously: (1) dhcpcd must be running with privilege separation disabled, either explicitly via the --disable-privsep command-line argument or implicitly because the privsep subprocess failed to initialize at startup; (2) the control socket must be operating in mode 0666 - world-readable and world-writable - so that unprivileged local users can connect to it; and (3) the attacker must have local unprivileged user access to the host. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, score 5.7) accurately captures the threat profile: local-only attack surface, a specific non-default attack prerequisite (privsep disabled), low but required privilege, and exclusively availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A local unprivileged user on a host running dhcpcd with --disable-privsep (or after a privsep initialization failure leaves the control socket world-writable) connects to the mode-0666 control socket and issues the -x command to request daemon shutdown. The command causes control_recvdata() to free the fd_list client object, after which the pending HANGUP event on the same file descriptor triggers control_hangup() with the now-stale pointer, producing a heap use-after-free that crashes the dhcpcd daemon and drops all dynamically assigned network configuration from the host. …
Remediation Upgrade dhcpcd to a version incorporating upstream commit 78ea09ed1633a583dbcde6e7bab9df4639ec8a34 (https://github.com/NetworkConfiguration/dhcpcd/commit/78ea09ed1633a583dbcde6e7bab9df4639ec8a34) once distribution packages are available; an exact patched release tag is not confirmed from current data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Dhcpcd

View all
CVE-2016-1503 CRITICAL
9.8 Apr 18

dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-0

CVE-2019-11766 CRITICAL
9.8 May 05

dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over-read in the D6_OPTION_PD_EXCLUDE feature. Rated c

CVE-2019-11577 CRITICAL
9.8 Apr 28

dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses. Rated critical s

CVE-2026-56115 HIGH
8.7 Jun 23

Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacke

CVE-2012-2152 HIGH
7.5 Jul 25

Stack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a deni

CVE-2016-1504 HIGH
7.5 Feb 07

dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related t

CVE-2012-6699 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6698 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bound

CVE-2012-6700 HIGH
7.5 Apr 11

The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP ser

CVE-2026-56116 HIGH
7.1 Jun 23

Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon b

CVE-2014-7913 MEDIUM
6.8 Jul 30

The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.

CVE-2014-7912 MEDIUM
6.8 Jul 30

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Server 16.0 Affected
SUSE Linux Enterprise Server 16.1 Affected
SUSE Linux Enterprise Server for SAP applications 16.0 Affected
SUSE Linux Enterprise Server for SAP applications 16.1 Affected
SUSE Linux Micro 6.2 Affected

Share

EUVD-2026-38498 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy