Description
dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-after-free vulnerability in the control socket handling within src/control.c that allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. Attackers can connect to the control socket and send a privileged command such as -x, causing control_recvdata() to free the client object while the same READ+HANGUP event subsequently reaches control_hangup() with the stale pointer, resulting in a use-after-free condition exploitable in deployments using --disable-privsep or where privsep initialization has failed with the control socket operating in mode 0666.
Published: 2026-06-23
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

dhcpcd contains a heap use‑after‑free vulnerability in its control‑socket handling. When privilege separation is disabled, a local unprivileged user can connect to the control socket and issue a privileged command, such as –x. This triggers the client object to be freed during control_recvdata(). A later READ+HANGUP event calls control_hangup() and dereferences the now‑stale pointer, producing memory corruption that can be leveraged to execute arbitrary code. The weakness is categorized as CWE‑416 and CWE‑825.

Affected Systems

The flaw affects NetworkConfiguration’s dhcpcd through version 10.3.2 inclusive. Systems that run dhcpcd with the --disable‑privsep option or that experience privilege‑separation initialization failures, leaving the control socket in mode 0666, are especially vulnerable.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in CISA’s KEV catalog. Because the attack vector is local, risk is confined to machines where a non‑privileged user can open the control socket. However, if the daemon runs with elevated privileges, a successful exploitation could lead to full system compromise.

Generated by OpenCVE AI on June 24, 2026 at 13:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch introduced in commit 78ea09e or upgrade dhcpcd to a version that incorporates this fix.
  • Re‑enable privilege separation by removing the --disable‑privsep flag or ensuring that privilege‑separation initialization completes successfully before the daemon starts.
  • Restrict the control socket’s permissions so it is not world‑readable/writeable; set the socket mode to a more restrictive value such as 0600 and limit access to trusted users only.

Generated by OpenCVE AI on June 24, 2026 at 13:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-825
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Networkconfiguration
Networkconfiguration dhcpcd
Vendors & Products Networkconfiguration
Networkconfiguration dhcpcd

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-after-free vulnerability in the control socket handling within src/control.c that allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. Attackers can connect to the control socket and send a privileged command such as -x, causing control_recvdata() to free the client object while the same READ+HANGUP event subsequently reaches control_hangup() with the stale pointer, resulting in a use-after-free condition exploitable in deployments using --disable-privsep or where privsep initialization has failed with the control socket operating in mode 0666.
Title dhcpcd Heap Use-After-Free via Control Socket Handling
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Networkconfiguration Dhcpcd
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T13:43:25.658Z

Reserved: 2026-06-18T19:15:10.651Z

Link: CVE-2026-56117

cve-icon Vulnrichment

Updated: 2026-06-24T13:43:10.855Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-23T16:14:31Z

Links: CVE-2026-56117 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T14:00:07Z

Weaknesses