CVE-2026-56117
Awaiting Analysis Awaiting Analysis - Queue
Heap Use-After-Free in dhcpcd Control Socket Handling

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-after-free vulnerability in the control socket handling within src/control.c that allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. Attackers can connect to the control socket and send a privileged command such as -x, causing control_recvdata() to free the client object while the same READ+HANGUP event subsequently reaches control_hangup() with the stale pointer, resulting in a use-after-free condition exploitable in deployments using --disable-privsep or where privsep initialization has failed with the control socket operating in mode 0666.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
AI Q&A
2026-06-23
EPSS Evaluated
N/A
NVD
CVE-2026-56117
EUVD
EUVD-2026-38498
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
networkconfiguration dhcpcd to 10.3.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in dhcpcd through version 10.3.2 and involves a heap use-after-free condition in the control socket handling code within src/control.c.

When privilege separation is disabled or fails to initialize, local unprivileged attackers can connect to the control socket and send a privileged command such as -x.

This causes the function control_recvdata() to free the client object, but a subsequent READ+HANGUP event triggers control_hangup() to access the now freed (stale) pointer, resulting in memory corruption.

This use-after-free vulnerability can be exploited in deployments where the control socket operates with mode 0666 and privilege separation is disabled or not properly initialized.

Impact Analysis

This vulnerability allows local unprivileged attackers to cause memory corruption by exploiting a use-after-free condition.

Memory corruption can lead to unpredictable behavior including crashes, denial of service, or potentially arbitrary code execution depending on the environment and exploitability.

Since the vulnerability requires privilege separation to be disabled or failed, systems configured insecurely or with misconfigured privilege separation are at risk.

Detection Guidance

This vulnerability involves a heap use-after-free triggered by local unprivileged attackers connecting to the dhcpcd control socket and sending privileged commands such as -x when privilege separation is disabled.

Detection would involve monitoring for unexpected or unauthorized connections to the dhcpcd control socket, especially attempts to send privileged commands.

Since the control socket operates in mode 0666 in vulnerable deployments, checking the socket permissions and active connections can help identify potential exploitation attempts.

  • Use commands like `ls -l /run/dhcpcd/control` (or the actual control socket path) to check socket permissions.
  • Use `lsof -U | grep dhcpcd` to list open Unix domain sockets related to dhcpcd.
  • Monitor system logs for suspicious activity related to dhcpcd or control socket commands.
Mitigation Strategies

Immediate mitigation involves ensuring that privilege separation is enabled in dhcpcd to prevent local unprivileged attackers from exploiting the control socket.

If privilege separation cannot be enabled, restrict access to the control socket by changing its permissions to prevent unauthorized connections.

Applying the fix from commit 78ea09e, which addresses the use-after-free condition, is essential. This means updating dhcpcd to a version that includes this patch or later.

  • Enable privilege separation in dhcpcd configuration.
  • Restrict control socket permissions to limit access (e.g., remove world-writable permissions).
  • Update dhcpcd to a version that includes the fix from commit 78ea09e.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56117. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart