CVE-2026-56114 - Vulnerability Details

- dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage()

Description

dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.

Published: 2026-06-23

Score: 6 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A one‑byte stack out‑of‑bounds write (CWE‑787) occurs in dhcp6_makemessage() when the function serializes an oversized RFC6603 OPTION_PD_EXCLUDE option body. An unauthenticated attacker on the same physical link can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128; this triggers the write beyond a fixed local buffer and corrupts adjacent stack memory, creating an opportunity for arbitrary code execution.

Affected Systems

The vulnerability exists in dhcpcd versions up to and including 10.3.2 released by NetworkConfiguration. Any system running an affected dhcpcd that participates in DHCPv6 configuration is at risk. This includes routers, embedded devices, and operating systems that use dhcpcd for IPv6 address autoconfiguration.

Risk and Exploitability

The CVSS score of 6 indicates moderate severity. The exploit requires no authentication and is limited to the local Ethernet or Wi‑Fi segment. EPSS information is unavailable, and the issue is not listed in the CISA KEV catalog, so no publicly available exploit code is reported. However, an attacker present on the network segment can trigger the out‑of‑bounds write by sending a single crafted DHCPv6 message, making the vulnerability a straightforward local attack.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NetworkConfiguration

dhcpcd

affected

Version	Status	Constraints
`0`	affected	≤ 10.3.2
`2f00c7bfc408b6582d331932dfa47829c4819029`	unaffected	—

No data.

Vendor Product Confidence Versions

Networkconfiguration

Dhcpcd

100%

Version	Status	Scheme	Platform
`[0,10.3.2]`	affected	semver	—
`2f00c7bfc408b6582d331932dfa47829c4819029`	unaffected	code_commit	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the upstream patch from commit 2f00c7bfc408b6582d331932dfa47829c4819029, which adds bounds checking in dhcp6_makemessage()
Upgrade dhcpcd to any newer release that incorporates the patch (versions greater than 10.3.2)
If a quick upgrade is not possible, disable DHCPv6 or configure the system to accept DHCPv6 advertisements only on trusted interfaces

Generated by OpenCVE AI on June 24, 2026 at 11:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00175.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029
https://nvd.nist.gov/vuln/detail/CVE-2026-56114
https://www.cve.org/CVERecord?id=CVE-2026-56114
https://www.vulncheck.com/advisories/dhcpcd-stack-out-of-bounds-write-in-dhcp6-makemessage

History

Wed, 24 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 24 Jun 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-56114 https://www.cve.org/CVERecord?id=CVE-2026-56114
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 23 Jun 2026 21:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Networkconfiguration Networkconfiguration dhcpcd
Vendors & Products		Networkconfiguration Networkconfiguration dhcpcd

Tue, 23 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.
Title		dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage()
Weaknesses		CWE-787
References		https://github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029 https://www.vulncheck.com/advisories/dhcpcd-stack-out-of-bounds-write-in-dhcp6-makemessage
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}` cvssV4_0 `{'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Networkconfiguration Dhcpcd

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-06-23T16:08:10.043Z

Updated: 2026-06-24T14:03:07.344Z

Reserved: 2026-06-18T19:15:10.650Z

Link: CVE-2026-56114

Vulnrichment

Updated: 2026-06-24T14:02:54.637Z

NVD

No data.

Redhat

Severity : Moderate

Publid Date: 2026-06-23T16:08:10Z

Links: CVE-2026-56114 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-24T11:15:04Z

Weaknesses

CWE-787
Out-of-bounds Write

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object