CVE-2026-14258 Overview
CVE-2026-14258 is a denial of service vulnerability in dhcpcd, a widely deployed DHCP client used across Linux and BSD distributions. The flaw resides in the IPv6 Neighbor Discovery Router Advertisement processing logic. A specially crafted IPv6 Router Advertisement packet containing a zero-length Neighbor Discovery option bypasses validation during initial packet storage. The malformed option is later reparsed without adequate validation, causing the parser to enter a non-advancing loop [CWE-835]. Successful exploitation results in excessive CPU consumption on the affected host, leading to a denial of service condition.
Critical Impact
An attacker on the adjacent network can send a single crafted IPv6 Router Advertisement to lock the dhcpcd parser into an infinite loop, exhausting CPU resources.
Affected Products
- dhcpcd (NetworkConfiguration/dhcpcd) versions prior to the fix in commit 75289ca
- Red Hat Enterprise Linux distributions shipping vulnerable dhcpcd builds
- Linux and BSD systems using dhcpcd for IPv6 stateless address autoconfiguration
Discovery Timeline
- 2026-07-01 - CVE-2026-14258 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-14258
Vulnerability Analysis
The vulnerability affects the IPv6 Neighbor Discovery (ND) option parser inside src/ipv6nd.c. When dhcpcd receives a Router Advertisement (RA), it iterates through the appended ND options using each option's length field to advance the parsing cursor. An option with a declared length of zero causes the cursor to remain in place. The parser then re-reads the same malformed option indefinitely, producing an infinite loop [CWE-835].
The issue is amplified because the packet is accepted and stored during the initial receive path without rejecting the zero-length option. Subsequent reparsing operations trigger the loop each time the RA is revisited, pinning a CPU core at 100% utilization.
Root Cause
The root cause is missing validation of the Neighbor Discovery option length field. Per RFC 4861, every ND option must have a non-zero length expressed in units of 8 octets. The vulnerable dhcpcd code path did not reject options with length == 0, and the parser used the same field to advance its offset. This combination produces a classic loop with unreachable exit condition once a malformed option is encountered.
Attack Vector
Exploitation requires the attacker to be on the same layer-2 segment as the target, since IPv6 Router Advertisements are link-local by design. No authentication or user interaction is required. A single unsolicited RA packet is sufficient to trigger the condition. In shared broadcast domains such as public Wi-Fi, hosting networks, or virtualized cloud tenancy, any adjacent attacker can degrade the availability of dhcpcd clients.
// Security patch in src/ipv6nd.c - Discard NA packets with a zero length option
// Source: https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca
bool new_ia;
#endif
+#define FREE_RAP(rap) \
+ if (new_rap) \
+ ipv6nd_removefreedrop_ra(rap, 0, 0); \
+ else \
+ ipv6nd_free_ra(rap); \
+
if (ifp == NULL || RS_STATE(ifp) == NULL) {
#ifdef DEBUG_RS
logdebugx("RA for unexpected interface from %s", sfrom);
The patch introduces a FREE_RAP macro to safely release Router Advertisement state when a malformed option is detected, ensuring the parser discards the offending packet instead of entering the non-advancing loop.
Detection Methods for CVE-2026-14258
Indicators of Compromise
- Sustained 100% CPU utilization by the dhcpcd process on an affected host
- Unsolicited IPv6 Router Advertisement packets containing ND options with a length field of zero
- Loss of IPv6 connectivity or delayed address configuration on hosts sharing the network segment
Detection Strategies
- Inspect IPv6 RA traffic with a packet capture tool such as tcpdump -i <iface> 'icmp6 and ip6[40] == 134' and flag options where the length octet equals 0x00.
- Monitor per-process CPU metrics and alert when dhcpcd exceeds a sustained utilization threshold uncorrelated with interface changes.
- Correlate host-based CPU anomalies with adjacent IPv6 ICMPv6 type 134 traffic to identify targeted exploitation attempts.
Monitoring Recommendations
- Enable RA Guard on managed switches to drop unauthorized Router Advertisements at the network edge.
- Ingest host telemetry into a centralized data lake and build alerts for CPU saturation localized to network configuration daemons.
- Track the volume of ICMPv6 type 134 packets per source MAC to detect flooding or malformed RA activity.
How to Mitigate CVE-2026-14258
Immediate Actions Required
- Apply the vendor-provided dhcpcd update that includes commit 75289ca as soon as it is available for your distribution.
- Deploy IPv6 RA Guard or equivalent first-hop security controls on all access switches to restrict RAs to authorized routers.
- Audit systems for exposure by identifying hosts running dhcpcd with IPv6 enabled on untrusted networks.
Patch Information
The upstream fix is available in the dhcpcd project as commit 75289ca, which discards Neighbor Discovery packets containing zero-length options before they can be reparsed. Refer to the Red Hat CVE-2026-14258 Advisory and GitHub Issue #415 on dhcpcd for distribution-specific package versions and backports.
Workarounds
- Disable IPv6 on interfaces that do not require it using sysctl -w net.ipv6.conf.<iface>.disable_ipv6=1 where operationally acceptable.
- Configure dhcpcd to ignore Router Advertisements on untrusted interfaces via the noipv6rs directive in /etc/dhcpcd.conf.
- Restrict layer-2 access to trusted devices using port security and 802.1X on network access ports.
# Configuration example - disable IPv6 RA processing in dhcpcd
# Edit /etc/dhcpcd.conf and add:
noipv6rs
# Or, per-interface, disable IPv6 entirely at the kernel level:
sudo sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
# Enable RA Guard on Cisco access switches (example):
interface GigabitEthernet0/1
ipv6 nd raguard attach-policy HOST
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

