Remote code execution via malicious DHCP options
Summary
| CVE | CVE-2026-42511 |
|---|---|
| State | PUBLISHED |
| Assigner | freebsd |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-30 07:16:37 UTC |
| Updated | 2026-04-30 07:16:37 UTC |
| Description | The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient. |
Risk And Classification
Problem Types: CWE-149 | CWE-149 CWE-149: Improper Neutralization of Quoting Syntax
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | FreeBSD | FreeBSD | affected 15.0-RELEASE p7 release | Not specified |
| CNA | FreeBSD | FreeBSD | affected 14.4-RELEASE p3 release | Not specified |
| CNA | FreeBSD | FreeBSD | affected 14.3-RELEASE p12 release | Not specified |
| CNA | FreeBSD | FreeBSD | affected 13.5-RELEASE p13 release | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| security.freebsd.org/advisories/FreeBSD-SA-26:12.dhclient.asc | [email protected] | security.freebsd.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Joshua Rogers of AISLE Research Team (en)
There are currently no legacy QID mappings associated with this CVE.