CVE-2026-56115
Analyzed Analyzed - Analysis Complete

Stack-Based Buffer Overflow in dhcpcd DHCPv6

Vulnerability report for CVE-2026-56115, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but fails to inspect the is_admin flag. Attackers can send requests to any endpoint under the /api/users path to create new administrator accounts or reset administrator passwords, thereby gaining full control of the server and the ability to modify boot menus and installation scripts served to PXE clients.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-29
Generated
2026-07-14
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bootimus bootimus to 0.1.70 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in dhcpcd versions up to 10.3.2 in the dhcp6_makemessage() function located in src/dhcp6.c. It is a one-byte stack out-of-bounds write caused by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. An unauthenticated attacker on the same network link can send a specially crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX with a prefix length of /0 and a valid OPTION_PD_EXCLUDE using an exclude prefix length between /121 and /128. This triggers the out-of-bounds write, potentially corrupting adjacent stack memory.

Impact Analysis

The vulnerability allows an unauthenticated attacker on the same network link to write beyond a fixed local buffer on the stack. This out-of-bounds write can corrupt adjacent stack memory, which may lead to unpredictable behavior such as crashes, denial of service, or potentially arbitrary code execution depending on the context and exploitation.

Detection Guidance

This vulnerability can be detected by monitoring DHCPv6 ADVERTISE messages on the local network for suspicious IA_PD IAPREFIX /0 options containing an OPTION_PD_EXCLUDE with exclude prefix lengths between /121 and /128. Such crafted packets indicate attempts to exploit the out-of-bounds write.

Network administrators can use packet capture tools like tcpdump or Wireshark to filter and analyze DHCPv6 traffic for these specific malformed options.

  • Use tcpdump to capture DHCPv6 ADVERTISE messages: tcpdump -i <interface> 'udp and port 546 or 547'
  • Analyze captured packets in Wireshark, filtering for DHCPv6 messages with IA_PD IAPREFIX /0 and OPTION_PD_EXCLUDE with prefix length between /121 and /128.
Mitigation Strategies

The immediate mitigation step is to update dhcpcd to a version that includes the fix from commit 2f00c7b, which addresses the one-byte stack out-of-bounds write vulnerability.

Until the update can be applied, network administrators should consider filtering or blocking suspicious DHCPv6 ADVERTISE messages containing IA_PD IAPREFIX /0 with OPTION_PD_EXCLUDE options having exclude prefix lengths from /121 to /128 to prevent exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56115. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart