CVE-2026-56113
Awaiting Analysis Awaiting Analysis - Queue
Heap Use-After-Free in dhcpcd DHCPv6 Server

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers acting as or impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-56113
EUVD
EUVD-2026-38491
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
networkconfiguration dhcpcd to 10.3.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not include any details on how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-56113 is a heap use-after-free vulnerability in dhcpcd versions up to 10.3.2. It occurs when the dhcp6_deprecatedele() function frees a delegated child address while an outer iterator in dhcp6_deprecateaddrs() still holds a pointer to that freed memory. This happens when a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero is sent. The use-after-free leads to a crash of the dhcpcd daemon.

The root cause is improper handling of IPv6 address deprecation during prefix deletion, where deleting an address invalidates the iteration pointer used to traverse the list of addresses, causing invalid memory access.

The fix involves modifying the dhcp6_deprecatedele function to signal when the iteration should restart and adding logic to restart the loop to ensure all addresses are processed safely.

Impact Analysis

This vulnerability allows an unauthenticated attacker on the same network segment to impersonate a DHCPv6 server and send a specially crafted DHCPv6 RENEW reply that triggers a use-after-free condition, causing the dhcpcd daemon to crash.

The impact is a denial of service (DoS) condition on the affected system, potentially disrupting network connectivity or services relying on dhcpcd.

Detection Guidance

Detection of this vulnerability involves identifying if the dhcpcd daemon version is 10.3.2 or earlier, as these versions are affected.

Monitoring for crashes or abnormal behavior of the dhcpcd daemon when receiving DHCPv6 RENEW replies with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero can indicate exploitation attempts.

You can check the dhcpcd version installed on your system using the command:

  • dhcpcd --version

To monitor network traffic for suspicious DHCPv6 RENEW messages with the specific crafted options, you can use packet capture tools such as tcpdump:

  • sudo tcpdump -i <interface> 'udp and port 546 or 547'

Then analyze captured packets for DHCPv6 RENEW messages containing OPTION_PD_EXCLUDE with preferred and valid lifetimes set to zero.

Mitigation Strategies

The primary mitigation step is to update dhcpcd to a version that includes the fix from commit 5733d3c or later.

If updating immediately is not possible, consider restricting or filtering DHCPv6 RENEW messages on your network to prevent unauthenticated or malicious DHCPv6 servers from sending crafted packets that exploit this vulnerability.

Monitoring and logging dhcpcd daemon crashes can help detect exploitation attempts and respond accordingly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56113. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart