Description
dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers acting as or impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.
Published: 2026-06-23
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

dhcpcd contains a heap use-after-free flaw in its DHCPv6 handling. A crafted DHCPv6 RENEW reply that includes an RFC6603 OPTION_PD_EXCLUDE with both preferred and valid lifetimes set to zero can cause the daemon to free a delegated child address while another function still holds a reference to it. When the iterator later accesses the freed pointer, the program crashes. This loss of service can disrupt network connectivity for clients that rely on dhcpcd, and the weaknesses are characterized as CWE-416 and CWE-825.

Affected Systems

NetworkConfiguration’s dhcpcd package up through version 10.3.2 is affected. The issue was fixed by commit 5733d3c, so any system running an earlier release should apply that patch or a later version.

Risk and Exploitability

The CVSS score of 6 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, implying limited public exploitation evidence. The likely attack vector is a local attacker on the same network link impersonating a DHCPv6 server and sending a crafted RENEW message. Based on the description, it is inferred that no authentication is required to trigger the flaw. Exploitation results in a crash of dhcpcd, causing a temporary denial of service for local clients that rely on DHCPv6.

Generated by OpenCVE AI on June 24, 2026 at 13:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update dhcpcd to the patched version that incorporates commit 5733d3c or later
  • If immediate upgrade is not possible, restrict DHCPv6 traffic to trusted servers by configuring firewall rules to filter out invalid OPTION_PD_EXCLUDE messages
  • Monitor /var/log/dhcpcd.log for fatal crashes and configure the service to automatically restart to mitigate temporary loss of service

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 12:15:00 +0000

  Type         Values Removed           Values Added
  Weaknesses                            CWE-825
  References
  Metrics      threat_severity: None    threat_severity: Moderate

Tue, 23 Jun 2026 21:30:00 +0000

  Type                  Values Removed   Values Added
  First Time appeared                    Networkconfiguration
                                         Networkconfiguration dhcpcd
  Vendors & Products                     Networkconfiguration
                                         Networkconfiguration dhcpcd

Tue, 23 Jun 2026 18:30:00 +0000

  Type      Values Removed   Values Added
  Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 16:45:00 +0000

  Type          Values Removed   Values Added
  Description                    dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers acting as or impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.
  Title                          dhcpcd Heap Use-After-Free in dhcp6_deprecateaddrs via DHCPv6 RENEW
  Weaknesses                     CWE-416
  References
  Metrics                        cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}
                                 cvssV4_0: {'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T17:58:21.174Z

Reserved: 2026-06-18T19:15:10.650Z

Link: CVE-2026-56113

Vulnrichment

Updated: 2026-06-23T17:58:18.518Z

NVD

No data.

Redhat

Severity : Moderate

Public Date: 2026-06-23T16:05:59Z

Links: CVE-2026-56113 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T14:00:07Z

Weaknesses