Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-70102

CVE-2025-70102: dhcpcd NULL Pointer Dereference Flaw

CVE-2025-70102 is a NULL pointer dereference flaw in dhcpcd 10.3.0 that occurs during configuration option parsing. This article covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2025-70102 Overview

CVE-2025-70102 is a NULL pointer dereference vulnerability in Roy Marples' dhcpcd version 10.3.0, a widely deployed DHCP client used across Linux and BSD systems. The flaw resides in the parse_option() function at src/if-options.c:1886, where the code performs a member access on a NULL pointer of type struct dhcp_opt. An unexpected or invalid option token causes the lookup to return NULL, triggering an abort when the dereference is attempted. The vulnerability was identified through instrumented fuzzing, which produced a runtime error: member access within null pointer of type struct dhcp_opt diagnostic. The issue is classified under [CWE-476] and is exploitable from an adjacent network position.

Critical Impact

An adjacent-network attacker can crash dhcpcd by supplying crafted DHCP configuration options, disrupting network connectivity on affected hosts.

Affected Products

  • Roy Marples dhcpcd 10.3.0
  • Linux and BSD distributions bundling the vulnerable release
  • Embedded and appliance firmware using dhcpcd 10.3.0 as the DHCP client

Discovery Timeline

  • 2026-06-15 - CVE-2025-70102 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-70102

Vulnerability Analysis

The vulnerability is a NULL pointer dereference in the configuration option parser of dhcpcd 10.3.0. The parse_option() routine in src/if-options.c looks up a struct dhcp_opt descriptor for a supplied option token. When the lookup fails to find a matching descriptor, the function returns a NULL pointer but the caller proceeds to access a member of that structure without a guard check. The instrumented fuzzing build reports the access as runtime error: member access within null pointer of type struct dhcp_opt, causing the daemon to abort. Because dhcpcd typically runs as a long-lived service responsible for interface configuration, an abort terminates DHCP lease management and prevents address renewal on affected interfaces.

Root Cause

The root cause is missing validation of the pointer returned by the option descriptor lookup. The parser assumes a valid struct dhcp_opt is always returned for any option token encountered during configuration parsing. When an unexpected token, malformed option, or invalid parser state results in a NULL return, the subsequent member access dereferences address zero. This is a classic CWE-476 pattern where return values are consumed without a NULL check.

Attack Vector

The attack vector is adjacent network, meaning an attacker must be on the same logical network segment as the target. A rogue DHCP server or a man-in-the-middle on the local link can deliver crafted option payloads that drive dhcpcd into the vulnerable parsing path. No authentication or user interaction is required. Successful triggering aborts the client process, producing a denial-of-service condition that affects host network connectivity. The impact is limited to availability and minor confidentiality and integrity effects, as no code execution has been demonstrated.

No public proof-of-concept code is currently published. See the InfoSec Exchange Post for additional technical context.

Detection Methods for CVE-2025-70102

Indicators of Compromise

  • Unexpected dhcpcd process termination or repeated restart events in system logs
  • Hosts losing DHCP-assigned addresses on a specific network segment without infrastructure changes
  • Crash dumps or abort messages referencing parse_option or if-options.c

Detection Strategies

  • Monitor dhcpcd exit codes and abort signals through systemd journal entries or syslog collectors
  • Inspect DHCP traffic on managed segments for malformed or anomalous option fields using network sensors
  • Correlate DHCP client failures across multiple hosts on the same VLAN to identify segment-level abuse

Monitoring Recommendations

  • Forward dhcpcd service status and crash events to centralized logging for retention and alerting
  • Alert on unauthorized DHCP servers detected through DHCP snooping on managed switches
  • Track DHCP lease churn rates per interface to surface clients repeatedly failing to acquire leases

How to Mitigate CVE-2025-70102

Immediate Actions Required

  • Inventory hosts running dhcpcd 10.3.0 and prioritize patching once a fixed release is published
  • Enable DHCP snooping and port security on access switches to block rogue DHCP servers
  • Restrict adjacent-network access to trusted devices through 802.1X or network segmentation

Patch Information

No vendor patch reference is published in the NVD record at the time of disclosure. Monitor the upstream dhcpcd project releases for a fixed version superseding 10.3.0 and apply distribution updates as they become available.

Workarounds

  • Deploy DHCP snooping on layer-2 infrastructure to drop responses from untrusted ports
  • Use static IP configuration on critical hosts where DHCP is not strictly required
  • Configure service supervisors to restart dhcpcd automatically on abort to limit downtime while a patch is pending
bash
# Example: enable automatic restart of dhcpcd under systemd
sudo systemctl edit dhcpcd.service
# Add the following override:
# [Service]
# Restart=always
# RestartSec=5s
sudo systemctl daemon-reload
sudo systemctl restart dhcpcd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.