Description
A NULL pointer dereference occurs in Roy Marples NetworkConfiguration/dhcpcd 10.3.0 while parsing configuration options. In parse_option() (src/if-options.c:1886), the code performs a member access on a NULL pointer of type 'struct dhcp_opt' when an unexpected/invalid option token or parsing state causes the lookup to yield NULL. The instrumented fuzzing build reports 'runtime error: member access within null pointer of type struct dhcp_opt' and aborts.
Published: 2026-06-15
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An uninitialized pointer dereference occurs in the Roy Marples NetworkConfiguration/dhcpcd 10.3.0 source during option parsing. When an unexpected or invalid option token or parsing state causes the lookup to return NULL, the code performs a member access on a NULL pointer of type 'struct dhcp_opt', causing the daemon to abort. This results in a crash that can deny the DHCP client service. The weakness is identified as CWE‑476, indicating a classic null pointer dereference. The impact is a loss of availability; if an attacker can influence the parsing of configuration options, the crash could be triggered repeatedly, bringing down the DHCP service.

Affected Systems

The affected product is the dhcpcd DHCP client daemon, version 10.3.0. No vendor or product name is recorded in the CVE database, but the source indicates it is a network configuration tool.

Risk and Exploitability

The vulnerability has a CVSS score of 6.3, indicating moderate severity, and the EPSS score of less than 1% indicates a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via crafted DHCP options or malicious configuration files that can be supplied over the network or through local file tampering. An attacker would need the ability to affect parsing of configuration options, which could be achieved by sending malformed options in DHCP traffic or by modifying configuration files with privileged access. The vulnerability would cause the dhcpcd service to terminate abruptly, leading to a denial of service of DHCP functionality.

Generated by OpenCVE AI on June 18, 2026 at 01:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest dhcpcd patch that removes the null pointer dereference (check for a release later than 10.3.0).
  • If a patch is not yet available, isolate the dhcpcd process by running it with the minimum privileges required and ensure that only trusted users can modify its configuration files.
  • On critical hosts, disable the DHCP client or replace it with an alternative implementation until the vulnerability is fixed.

Generated by OpenCVE AI on June 18, 2026 at 01:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Dhcpcd Project
Dhcpcd Project dhcpcd
Vendors & Products Dhcpcd Project
Dhcpcd Project dhcpcd

Tue, 23 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title dhcpcd: dhcpcd: Denial of Service via NULL pointer dereference during configuration option parsing
References
Metrics threat_severity

None

threat_severity

Moderate


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in dhcpcd 10.3.0 During Option Parsing

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Null Pointer Dereference in dhcpcd 10.3.0 During Option Parsing

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-476
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description A NULL pointer dereference occurs in Roy Marples NetworkConfiguration/dhcpcd 10.3.0 while parsing configuration options. In parse_option() (src/if-options.c:1886), the code performs a member access on a NULL pointer of type 'struct dhcp_opt' when an unexpected/invalid option token or parsing state causes the lookup to yield NULL. The instrumented fuzzing build reports 'runtime error: member access within null pointer of type struct dhcp_opt' and aborts.
References

Subscriptions

Dhcpcd Project Dhcpcd
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T14:47:32.985Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70102

cve-icon Vulnrichment

Updated: 2026-06-16T14:46:26.622Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:24.827

Modified: 2026-06-16T15:51:29.037

Link: CVE-2025-70102

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-15T00:00:00Z

Links: CVE-2025-70102 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:36Z

Weaknesses