CVE Catalog

CVE-2026-56114

MediumCVSS 5.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

A vulnerability in dhcpcd up to version 10.3.2 (fixed in commit 2f00c7b) allows an unauthenticated same-link attacker to perform a one-byte stack out-of-bounds write. The flaw is in the dhcp6_makemessage() function in src/dhcp6.c when serializing an oversized OPTION_PD_EXCLUDE option body from RFC6603.

Risk Assessment

An attacker can send a crafted DHCPv6 ADVERTISE message with IA_PD IAPREFIX /0 and a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128, triggering an out-of-bounds write beyond a fixed local buffer on the stack, potentially corrupting adjacent stack memory and leading to crashes or arbitrary code execution.

Recommendation

Update dhcpcd to a version containing commit 2f00c7b or later immediately. If an update is not possible, restrict trusted DHCPv6 message sources in the local network.

Original NVD description (English source)

dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS