Description
dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.
Published: 2026-06-23
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a one-byte stack out-of-bounds write in the function dhcp6_makemessage() within dhcpcd, representing a stack buffer overrun (CWE‑787). It is triggered when a DHCPv6 ADVERTISE message contains an oversized RFC6603 OPTION_PD_EXCLUDE option body, allowing an unauthenticated attacker on the same link to write beyond a fixed local buffer. The vulnerability can corrupt adjacent stack memory, which may lead to program failure or unintended behavior.

Affected Systems

The vulnerability affects all releases of dhcpcd up to and including version 10.3.2 provided by the NetworkConfiguration project. A fix was introduced in commit 2f00c7b, which added bounds checking to dhcp6_makemessage. Any system running dhcpcd 10.3.2 or older that receives DHCPv6 PD configuration is potentially impacted.

Risk and Exploitability

The CVSS score of 6 places the flaw at medium severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation. Attackers must be on the same link as the target and send a carefully crafted DHCPv6 ADVERTISE packet. The overflow can potentially corrupt stack memory; based on the description, this could lead to a crash or other unintended behavior. The overall risk is moderate, but mitigation is advised.

Generated by OpenCVE AI on June 24, 2026 at 11:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade dhcpcd to a release that includes commit 2f00c7b, or rebuild dhcpcd from source with that commit applied
  • Check the vendor’s official advisories or security releases for updates on this vulnerability
  • If an immediate upgrade is not possible, consider disabling DHCPv6 PD functionality on interfaces that do not require it to reduce exposure

Generated by OpenCVE AI on June 24, 2026 at 11:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Networkconfiguration
Networkconfiguration dhcpcd
Vendors & Products Networkconfiguration
Networkconfiguration dhcpcd

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.
Title dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage()
Weaknesses CWE-787
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 6, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Networkconfiguration Dhcpcd
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T17:08:40.406Z

Reserved: 2026-06-18T19:15:10.650Z

Link: CVE-2026-56115

cve-icon Vulnrichment

Updated: 2026-06-23T17:08:36.867Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T16:08:55Z

Links: CVE-2026-56115 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T11:15:04Z

Weaknesses