Impact
dhclient, the DHCP client shipped with FreeBSD, has an out‑of‑bounds heap write that occurs when resizing the array of environment variables passed to dhclient‑script. The code that expands this array miscalculates the required memory, allowing an attacker to overflow the heap buffer. The overflow can trigger a crash of dhclient, and, as indicated by the advisory, may also be leveraged to achieve remote code execution. The weakness is a classic heap buffer overrun, classified as CWE‑122.
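The bug class described above, shown from the defensive side as an added example (not dhclient's code, and not a reconstruction of its defect): a growable, NULL-terminated environment array whose resize computes the allocation in bytes and rejects sizes that would wrap. The `env_vec` structure and the `env_reserve` and `env_add` helpers are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable, NULL-terminated environment array (not dhclient's). */
struct env_vec {
    char **vars; /* cap slots; vars[len] is the NULL terminator */
    size_t len;  /* entries in use, terminator excluded */
    size_t cap;  /* allocated slots, terminator included */
};

/* Ensure room for one more entry plus the terminator. Returns 0 or -1. */
int env_reserve(struct env_vec *e)
{
    if (e->cap >= 2 && e->len <= e->cap - 2)
        return 0;                                /* already fits */
    size_t new_cap = e->cap ? e->cap * 2 : 8;
    /* Reject slot counts whose byte size would wrap around size_t. */
    if (new_cap < e->cap || new_cap > SIZE_MAX / sizeof(*e->vars))
        return -1;
    /* Bytes = slots * sizeof(pointer). Passing a bare slot count here is a
     * common form of this bug class (illustrative; the page does not
     * detail the actual miscalculation). */
    char **p = realloc(e->vars, new_cap * sizeof(*e->vars));
    if (p == NULL)
        return -1;                               /* old array still valid */
    e->vars = p;
    e->cap = new_cap;
    return 0;
}

/* Append "name=value"; the array stays NULL-terminated. Returns 0 or -1. */
int env_add(struct env_vec *e, const char *name, const char *value)
{
    size_t n = strlen(name) + strlen(value) + 2; /* '=' and '\0' */
    char *s = malloc(n);
    if (s == NULL)
        return -1;
    snprintf(s, n, "%s=%s", name, value);
    if (env_reserve(e) != 0) {
        free(s);
        return -1;
    }
    e->vars[e->len++] = s;
    e->vars[e->len] = NULL;                      /* slot reserved above */
    return 0;
}
```

The invariant to audit in code of this shape is that every write to `vars[len]` is preceded by a capacity check that counts the terminator slot.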
Affected Systems
The vulnerable component is the FreeBSD dhclient implementation. All versions of dhclient that were current at the time of the advisory (those distributed with FreeBSD releases prior to the fix) are affected. The exact version range is not specified, so any FreeBSD system running a dhclient build without the fix should be treated as affected.
Risk and Exploitability
This issue presents a high risk to any host that receives DHCP traffic from an untrusted network. An attacker can send a specially crafted DHCP packet to the vulnerable client, causing the heap overrun. The CVSS score of 8.1 indicates high severity. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, but the potential for remote code execution, combined with the ability to trigger the flaw via network packets, makes it a serious threat. The vulnerability is exploitable without local privileges and does not require authentication, meaning that any remote machine within the DHCP broadcast domain, or a compromised router forwarding DHCP traffic, could be used to attack the target.