CVE-2026-42512
Heap Buffer Overrun in dhclient via DHCP Packet
Publication date: 2026-04-30
Last updated on: 2026-05-01
Assigner: FreeBSD
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freebsd | freebsd | 13.5 |
| freebsd | freebsd | 14.3 |
| freebsd | freebsd | 14.4 |
| freebsd | freebsd | 15.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in dhclient, the IPv4 DHCP client shipped in the FreeBSD base system. When dhclient builds the environment it passes to dhclient-script, it stores the variables in a heap-allocated array of string pointers and resizes that array as options from the lease are added. The code that expands the array computes the new allocation size incorrectly, so the resized block is smaller than the number of pointers that are then written into it: a heap buffer overrun.
The array contents are derived from the DHCP packet the client receives, so a specially crafted packet (for example, a DHCPOFFER from a rogue or spoofed server) can trigger the overrun. The result is a dhclient crash or, potentially, remote code execution in the context of the client.
How can this vulnerability impact me?
If exploited, this vulnerability can crash dhclient, leaving the affected host without a lease and so without network connectivity: a denial of service.
More seriously, an attacker on the same broadcast domain who can answer the client's DHCP requests (a rogue DHCP server, or a race against the legitimate one) may be able to turn the heap overrun into remote code execution and gain control of the affected system. No credentials are needed; the client solicits the attacker's packet itself.
There is no known workaround, so upgrading to a patched version of FreeBSD is necessary to mitigate the risk.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a heap buffer overrun in dhclient when it processes DHCP offers, which can cause crashes or potentially remote code execution.
Detection can focus on two things: dhclient crashes on the host, and unexpected DHCP servers on the network.
On the host, a crashed dhclient is logged by the kernel in /var/log/messages as the process exiting on a signal; `grep '(dhclient).*exited on signal' /var/log/messages` will surface it. Also confirm the installed patch level with `freebsd-version -ku` and compare it with the fixed version in the FreeBSD advisory.
Since the attack requires an attacker on the same broadcast domain to respond to DHCP requests, monitor DHCP traffic for offers from servers other than your authorised ones, for example `tcpdump -ni <interface> -v 'udp and src port 67'`, and compare the server identifier (option 54) in each DHCPOFFER against the expected server address.
No specific detection commands are provided in the available resources; the commands above are general FreeBSD and tcpdump usage, not advisory content.
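The network-side check described above, as an added example that is not part of the original page or of the FreeBSD project: a small DHCPOFFER classifier in C that walks the option field with explicit bounds checks and compares the server identifier (option 54) against an allowlist. The packets it examines are constructed inline (a minimal BOOTREPLY with `yiaddr`, a magic cookie, options 53 and 54, and an end marker); the allowlisted server 192.168.1.1 and the rogue server 192.168.1.66 are assumptions for the example. The same bounds-checked option walk is what a DHCP client needs when it turns attacker-controlled options into environment strings.

```c
/* dhcp_offer_check.c: classify DHCPOFFERs by server identifier.
 * Added example; not dhclient code and not from the advisory. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DHCP_FIXED_LEN 236      /* BOOTP header up to, not including, the magic cookie */
#define OPT_PAD        0
#define OPT_MSG_TYPE   53
#define OPT_SERVER_ID  54
#define OPT_END        255
#define DHCPOFFER      2

static const uint8_t cookie[4] = { 0x63, 0x82, 0x53, 0x63 };

enum verdict { MALFORMED = -1, OFFER_ALLOWED = 0, OFFER_ROGUE = 1, NOT_AN_OFFER = 2 };

/* Walk the option field without trusting any length byte, then compare the
 * server identifier against the allowlist of authorised DHCP servers. */
enum verdict classify_offer(const uint8_t *pkt, size_t len,
                            const uint8_t (*allow)[4], size_t nallow)
{
    int msg_type = -1, have_sid = 0;
    uint8_t sid[4] = { 0 };

    if (len < DHCP_FIXED_LEN + 4 || pkt[0] != 2)               /* 2 = BOOTREPLY */
        return MALFORMED;
    if (memcmp(pkt + DHCP_FIXED_LEN, cookie, sizeof cookie) != 0)
        return MALFORMED;

    for (size_t i = DHCP_FIXED_LEN + 4; i < len; ) {
        uint8_t code = pkt[i++];
        if (code == OPT_PAD) continue;
        if (code == OPT_END) break;
        if (i >= len) return MALFORMED;                         /* code with no length byte */
        uint8_t olen = pkt[i++];
        if (olen > len - i) return MALFORMED;                   /* value would run past the buffer */
        if (code == OPT_MSG_TYPE && olen == 1) {
            msg_type = pkt[i];
        } else if (code == OPT_SERVER_ID && olen == 4) {
            memcpy(sid, pkt + i, 4);
            have_sid = 1;
        }
        i += olen;
    }
    if (msg_type != DHCPOFFER) return NOT_AN_OFFER;
    if (!have_sid) return MALFORMED;        /* RFC 2131 requires the server identifier in an OFFER */
    for (size_t k = 0; k < nallow; k++)
        if (memcmp(allow[k], sid, 4) == 0) return OFFER_ALLOWED;
    return OFFER_ROGUE;
}

/* Constructed sample: a minimal DHCPOFFER carrying only options 53 and 54.
 * Returns bytes written, or 0 if cap is too small. */
size_t build_offer(uint8_t *buf, size_t cap, const uint8_t server[4])
{
    static const uint8_t yiaddr[4] = { 192, 168, 1, 50 };
    size_t n = DHCP_FIXED_LEN + 4 + 3 + 6 + 1;                  /* header, cookie, opt53, opt54, end */
    if (cap < n) return 0;
    memset(buf, 0, n);
    buf[0] = 2; buf[1] = 1; buf[2] = 6;                         /* BOOTREPLY, Ethernet, hlen 6 */
    memcpy(buf + 16, yiaddr, 4);                                /* yiaddr: the offered address */
    uint8_t *p = buf + DHCP_FIXED_LEN;
    memcpy(p, cookie, 4); p += 4;
    *p++ = OPT_MSG_TYPE;  *p++ = 1; *p++ = DHCPOFFER;
    *p++ = OPT_SERVER_ID; *p++ = 4; memcpy(p, server, 4); p += 4;
    *p++ = OPT_END;
    return n;
}

/* Driver over four constructed cases: 0 = offer from the authorised server,
 * 1 = offer from an unknown server, 2 = option length byte pointing past the
 * packet, 3 = packet truncated before the magic cookie. */
enum verdict run_scenario(int scenario)
{
    static const uint8_t allow[][4] = { { 192, 168, 1, 1 } };  /* assumed authorised server */
    static const uint8_t rogue[4]   = { 192, 168, 1, 66 };     /* assumed rogue server */
    uint8_t pkt[300];
    size_t n = build_offer(pkt, sizeof pkt, scenario == 1 ? rogue : allow[0]);
    if (scenario == 2) pkt[DHCP_FIXED_LEN + 4 + 3 + 1] = 200;  /* corrupt server-id length */
    if (scenario == 3) n = 100;
    return classify_offer(pkt, n, allow, 1);
}

int main(void)
{
    for (int s = 0; s < 4; s++)
        printf("scenario %d -> verdict %d\n", s, (int)run_scenario(s));
    return 0;
}
```

To use it on real traffic, feed `classify_offer` the UDP payload of each packet captured from source port 67 and alert on `OFFER_ROGUE`; `MALFORMED` results are worth logging too, since a malformed offer on a segment that should only carry the authorised server's replies is itself a signal.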
What immediate steps should I take to mitigate this vulnerability?
There is no workaround available for this vulnerability.
The immediate mitigation is to upgrade to a patched version of FreeBSD that fixes dhclient, then make sure the running client is the patched binary.
- Use pkg (on pkgbase installs) or freebsd-update (`freebsd-update fetch install` on binary -RELEASE installs) to update to the fixed version.
- Alternatively, apply the source code patches provided in the FreeBSD security advisory and rebuild.
- Restart dhclient on each DHCP-configured interface (for example `service dhclient restart <interface>`) or reboot, since the process already running still contains the vulnerable code.
Additionally, enabling DHCP snooping on switches reduces exposure by dropping DHCP server replies from untrusted ports, which stops unauthorised servers on the broadcast domain from answering client requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.