Skip to main content

Dhcpcd

18 CVEs product

Monthly

CVE-2026-56117 MEDIUM PATCH This Month

Heap use-after-free in dhcpcd through version 10.3.2 allows local unprivileged attackers to crash the DHCP client daemon by exploiting a double-free race between READ and HANGUP events on the control socket. When an attacker sends a privileged command such as -x, control_recvdata() frees the client fd_list object while the subsequent HANGUP event delivers the same stale pointer to control_hangup(), triggering memory corruption that results in denial of network service on the affected host. No public exploit code or CISA KEV listing exists at time of analysis; the upstream fix is available as commit 78ea09e.

Use After Free Memory Corruption Buffer Overflow Dhcpcd
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-56116 HIGH PATCH This Week

Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon by repeatedly sending crafted IPv6 Router Advertisements with zero-lifetime Route Information options. The unfreed allocations in routeinfo_findalloc() accumulate linearly until the daemon crashes, disrupting DHCP client functionality on the affected host. No public exploit identified at time of analysis, but the upstream fix (commit 708b4a5) is available.

Denial Of Service Dhcpcd
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-56115 HIGH PATCH This Week

Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacker corrupt client stack memory by replying with a malicious DHCPv6 ADVERTISE. When dhcpcd serializes an oversized RFC6603 OPTION_PD_EXCLUDE body in dhcp6_makemessage(), a one-byte value is written past a fixed 16-byte stack buffer. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV, but a vendor fix (commit 2f00c7b) is available.

Buffer Overflow Memory Corruption Dhcpcd
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-56114 MEDIUM PATCH This Month

Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption from unauthenticated attackers on the same network link. The one-byte off-by-one overflow in `dhcp6_makemessage()` is triggered by a crafted DHCPv6 ADVERTISE containing an RFC6603 OPTION_PD_EXCLUDE sub-option with an exclude prefix length of /121 through /128, overflowing a 16-byte stack buffer by exactly one byte. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the upstream fix commit precisely identifies the trigger, making independent exploit development straightforward.

Buffer Overflow Memory Corruption Dhcpcd
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2026-56113 MEDIUM PATCH This Month

Heap use-after-free in dhcpcd through 10.3.2 enables unauthenticated same-link attackers - acting as or impersonating a DHCPv6 server - to crash the daemon by sending a crafted DHCPv6 RENEW reply exploiting a pointer lifecycle flaw in delegated prefix deprecation. The flaw triggers dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still retains the freed pointer, causing a use-after-free when TAILQ_REMOVE is subsequently reached. Impact is limited to availability (daemon crash); no public exploit or CISA KEV listing exists at time of analysis, but the adjacent-network attack vector and zero-privilege requirement lower the bar for local segment adversaries.

Use After Free Denial Of Service Memory Corruption Dhcpcd
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.2%
CVE-2019-11766 CRITICAL PATCH Act Now

dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over-read in the D6_OPTION_PD_EXCLUDE feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Dhcpcd Debian Linux
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2019-11579 MEDIUM PATCH This Month

dhcp.c in dhcpcd before 7.2.1 contains a 1-byte read overflow with DHO_OPTSOVERLOADED. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Dhcpcd Debian Linux
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2019-11578 MEDIUM PATCH This Month

auth.c in dhcpcd before 7.2.1 allowed attackers to infer secrets by performing latency attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Dhcpcd
NVD
CVSS 3.1
5.9
EPSS
2.0%
CVE-2019-11577 CRITICAL PATCH Act Now

dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Dhcpcd
NVD
CVSS 3.0
9.8
EPSS
53.1%
CVE-2016-1504 HIGH PATCH This Week

dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related to the option length. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Dhcpcd
NVD
CVSS 3.0
7.5
EPSS
2.3%
CVE-2016-1503 CRITICAL Act Now

dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 and other products, mismanages option lengths, which allows remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service RCE Google Buffer Overflow Dhcpcd +1
NVD
CVSS 3.0
9.8
EPSS
9.4%
CVE-2012-6700 HIGH This Week

The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP servers to cause a denial of service via a crafted response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Debian Linux Dhcpcd
NVD
CVSS 3.0
7.5
EPSS
0.5%
CVE-2012-6699 HIGH This Week

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bounds read) via a crafted response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Debian Linux Dhcpcd
NVD
CVSS 3.0
7.5
EPSS
0.6%
CVE-2012-6698 HIGH This Week

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bounds write) via a crafted response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Debian Linux Dhcpcd
NVD
CVSS 3.0
7.5
EPSS
0.6%
CVE-2014-7913 MEDIUM This Month

The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function,. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service RCE Google Buffer Overflow Dhcpcd
NVD
CVSS 2.0
6.8
EPSS
0.6%
CVE-2014-7912 MEDIUM This Month

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service RCE Google Buffer Overflow Dhcpcd
NVD
CVSS 2.0
6.8
EPSS
0.5%
CVE-2014-6060 LOW PATCH Monitor

The get_option function in dhcpcd 4.0.0 through 6.x before 6.4.3 allows remote DHCP servers to cause a denial of service by resetting the DHO_OPTIONSOVERLOADED option in the (1) bootfile or (2). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.

Denial Of Service Dhcpcd Android
NVD
CVSS 2.0
3.3
EPSS
0.1%
CVE-2012-2152 HIGH This Week

Stack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service RCE Dhcpcd
NVD
CVSS 2.0
7.5
EPSS
3.9%
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Heap use-after-free in dhcpcd through version 10.3.2 allows local unprivileged attackers to crash the DHCP client daemon by exploiting a double-free race between READ and HANGUP events on the control socket. When an attacker sends a privileged command such as -x, control_recvdata() frees the client fd_list object while the subsequent HANGUP event delivers the same stale pointer to control_hangup(), triggering memory corruption that results in denial of network service on the affected host. No public exploit code or CISA KEV listing exists at time of analysis; the upstream fix is available as commit 78ea09e.

Use After Free Memory Corruption Buffer Overflow +1
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Denial of service in dhcpcd through version 10.3.2 allows an adjacent-network attacker to exhaust memory in the daemon by repeatedly sending crafted IPv6 Router Advertisements with zero-lifetime Route Information options. The unfreed allocations in routeinfo_findalloc() accumulate linearly until the daemon crashes, disrupting DHCP client functionality on the affected host. No public exploit identified at time of analysis, but the upstream fix (commit 708b4a5) is available.

Denial Of Service Dhcpcd
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stack out-of-bounds write in dhcpcd (the widely-used DHCP/DHCPv6 client) through version 10.3.2 lets a same-link attacker corrupt client stack memory by replying with a malicious DHCPv6 ADVERTISE. When dhcpcd serializes an oversized RFC6603 OPTION_PD_EXCLUDE body in dhcp6_makemessage(), a one-byte value is written past a fixed 16-byte stack buffer. No public exploit identified at time of analysis; EPSS is low (0.18%, 7th percentile) and the issue is not in CISA KEV, but a vendor fix (commit 2f00c7b) is available.

Buffer Overflow Memory Corruption Dhcpcd
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Stack memory corruption in dhcpcd through 10.3.2 exposes systems running the DHCPv6 client to availability disruption from unauthenticated attackers on the same network link. The one-byte off-by-one overflow in `dhcp6_makemessage()` is triggered by a crafted DHCPv6 ADVERTISE containing an RFC6603 OPTION_PD_EXCLUDE sub-option with an exclude prefix length of /121 through /128, overflowing a 16-byte stack buffer by exactly one byte. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code has been identified at time of analysis; however, the upstream fix commit precisely identifies the trigger, making independent exploit development straightforward.

Buffer Overflow Memory Corruption Dhcpcd
NVD GitHub VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Heap use-after-free in dhcpcd through 10.3.2 enables unauthenticated same-link attackers - acting as or impersonating a DHCPv6 server - to crash the daemon by sending a crafted DHCPv6 RENEW reply exploiting a pointer lifecycle flaw in delegated prefix deprecation. The flaw triggers dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still retains the freed pointer, causing a use-after-free when TAILQ_REMOVE is subsequently reached. Impact is limited to availability (daemon crash); no public exploit or CISA KEV listing exists at time of analysis, but the adjacent-network attack vector and zero-privilege requirement lower the bar for local segment adversaries.

Use After Free Denial Of Service Memory Corruption +1
NVD GitHub VulDB
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

dhcp6.c in dhcpcd before 6.11.7 and 7.x before 7.2.2 has a buffer over-read in the D6_OPTION_PD_EXCLUDE feature. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Dhcpcd +1
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

dhcp.c in dhcpcd before 7.2.1 contains a 1-byte read overflow with DHO_OPTSOVERLOADED. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Out-of-bounds Read vulnerability could allow attackers to read data from memory outside the intended buffer boundaries.

Buffer Overflow Information Disclosure Dhcpcd +1
NVD
EPSS 2% CVSS 5.9
MEDIUM PATCH This Month

auth.c in dhcpcd before 7.2.1 allowed attackers to infer secrets by performing latency attacks. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Dhcpcd
NVD
EPSS 53% CVSS 9.8
CRITICAL PATCH Act Now

dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Buffer Overflow Dhcpcd
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

dhcpcd before 6.10.0 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related to the option length. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Dhcpcd
NVD
EPSS 9% CVSS 9.8
CRITICAL Act Now

dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 and other products, mismanages option lengths, which allows remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service RCE Google +3
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The decode_search function in dhcp.c in dhcpcd 3.x does not properly free allocated memory, which allows remote DHCP servers to cause a denial of service via a crafted response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Debian Linux +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bounds read) via a crafted response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Debian Linux +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

The decode_search function in dhcp.c in dhcpcd 3.x allows remote DHCP servers to cause a denial of service (out-of-bounds write) via a crafted response. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Buffer Overflow Debian Linux +1
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

The print_option function in dhcp-common.c in dhcpcd through 6.9.1, as used in dhcp.c in dhcpcd 5.x in Android before 5.1 and other products, misinterprets the return value of the snprintf function,. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service RCE Google +2
NVD
EPSS 1% CVSS 6.8
MEDIUM This Month

The get_option function in dhcp.c in dhcpcd before 6.2.0, as used in dhcpcd 5.x in Android before 5.1 and other products, does not validate the relationship between length fields and the amount of. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service RCE Google +2
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

The get_option function in dhcpcd 4.0.0 through 6.x before 6.4.3 allows remote DHCP servers to cause a denial of service by resetting the DHO_OPTIONSOVERLOADED option in the (1) bootfile or (2). Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.

Denial Of Service Dhcpcd Android
NVD
EPSS 4% CVSS 7.5
HIGH This Week

Stack-based buffer overflow in the get_packet method in socket.c in dhcpcd 3.2.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long packet. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow Denial Of Service RCE +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy