CVE-2026-56115
Awaiting Analysis Awaiting Analysis - Queue
Stack-Based Buffer Overflow in dhcpcd DHCPv6

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-56115
EUVD
EUVD-2026-38494
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
networkconfiguration dhcpcd to 10.3.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in dhcpcd versions up to 10.3.2 in the dhcp6_makemessage() function located in src/dhcp6.c. It is a one-byte stack out-of-bounds write caused by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. An unauthenticated attacker on the same network link can send a specially crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX with a prefix length of /0 and a valid OPTION_PD_EXCLUDE using an exclude prefix length between /121 and /128. This triggers the out-of-bounds write, potentially corrupting adjacent stack memory.

Impact Analysis

The vulnerability allows an unauthenticated attacker on the same network link to write beyond a fixed local buffer on the stack. This out-of-bounds write can corrupt adjacent stack memory, which may lead to unpredictable behavior such as crashes, denial of service, or potentially arbitrary code execution depending on the context and exploitation.

Detection Guidance

This vulnerability can be detected by monitoring DHCPv6 ADVERTISE messages on the local network for suspicious IA_PD IAPREFIX /0 options containing an OPTION_PD_EXCLUDE with exclude prefix lengths between /121 and /128. Such crafted packets indicate attempts to exploit the out-of-bounds write.

Network administrators can use packet capture tools like tcpdump or Wireshark to filter and analyze DHCPv6 traffic for these specific malformed options.

  • Use tcpdump to capture DHCPv6 ADVERTISE messages: tcpdump -i <interface> 'udp and port 546 or 547'
  • Analyze captured packets in Wireshark, filtering for DHCPv6 messages with IA_PD IAPREFIX /0 and OPTION_PD_EXCLUDE with prefix length between /121 and /128.
Mitigation Strategies

The immediate mitigation step is to update dhcpcd to a version that includes the fix from commit 2f00c7b, which addresses the one-byte stack out-of-bounds write vulnerability.

Until the update can be applied, network administrators should consider filtering or blocking suspicious DHCPv6 ADVERTISE messages containing IA_PD IAPREFIX /0 with OPTION_PD_EXCLUDE options having exclude prefix lengths from /121 to /128 to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56115. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart