Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14258

CVE-2026-14258: dhcpcd IPv6 DoS Vulnerability

CVE-2026-14258 is a denial of service flaw in dhcpcd's IPv6 Neighbor Discovery processing that allows attackers to cause excessive CPU consumption. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-14258 Overview

CVE-2026-14258 is a denial of service vulnerability in dhcpcd, a widely deployed DHCP client used across Linux and BSD distributions. The flaw resides in the IPv6 Neighbor Discovery Router Advertisement processing logic. A specially crafted IPv6 Router Advertisement packet containing a zero-length Neighbor Discovery option bypasses validation during initial packet storage. The malformed option is later reparsed without adequate validation, causing the parser to enter a non-advancing loop [CWE-835]. Successful exploitation results in excessive CPU consumption on the affected host, leading to a denial of service condition.

Critical Impact

An attacker on the adjacent network can send a single crafted IPv6 Router Advertisement to lock the dhcpcd parser into an infinite loop, exhausting CPU resources.

Affected Products

  • dhcpcd (NetworkConfiguration/dhcpcd) versions prior to the fix in commit 75289ca
  • Red Hat Enterprise Linux distributions shipping vulnerable dhcpcd builds
  • Linux and BSD systems using dhcpcd for IPv6 stateless address autoconfiguration

Discovery Timeline

  • 2026-07-01 - CVE-2026-14258 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-14258

Vulnerability Analysis

The vulnerability affects the IPv6 Neighbor Discovery (ND) option parser inside src/ipv6nd.c. When dhcpcd receives a Router Advertisement (RA), it iterates through the appended ND options using each option's length field to advance the parsing cursor. An option with a declared length of zero causes the cursor to remain in place. The parser then re-reads the same malformed option indefinitely, producing an infinite loop [CWE-835].

The issue is amplified because the packet is accepted and stored during the initial receive path without rejecting the zero-length option. Subsequent reparsing operations trigger the loop each time the RA is revisited, pinning a CPU core at 100% utilization.

Root Cause

The root cause is missing validation of the Neighbor Discovery option length field. Per RFC 4861, every ND option must have a non-zero length expressed in units of 8 octets. The vulnerable dhcpcd code path did not reject options with length == 0, and the parser used the same field to advance its offset. This combination produces a classic loop with unreachable exit condition once a malformed option is encountered.

Attack Vector

Exploitation requires the attacker to be on the same layer-2 segment as the target, since IPv6 Router Advertisements are link-local by design. No authentication or user interaction is required. A single unsolicited RA packet is sufficient to trigger the condition. In shared broadcast domains such as public Wi-Fi, hosting networks, or virtualized cloud tenancy, any adjacent attacker can degrade the availability of dhcpcd clients.

c
// Security patch in src/ipv6nd.c - Discard NA packets with a zero length option
// Source: https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca
 	bool new_ia;
 #endif
 
+#define FREE_RAP(rap)					\
+	if (new_rap)					\
+		ipv6nd_removefreedrop_ra(rap, 0, 0);	\
+	else						\
+		ipv6nd_free_ra(rap);			\
+
 	if (ifp == NULL || RS_STATE(ifp) == NULL) {
 #ifdef DEBUG_RS
 		logdebugx("RA for unexpected interface from %s", sfrom);

The patch introduces a FREE_RAP macro to safely release Router Advertisement state when a malformed option is detected, ensuring the parser discards the offending packet instead of entering the non-advancing loop.

Detection Methods for CVE-2026-14258

Indicators of Compromise

  • Sustained 100% CPU utilization by the dhcpcd process on an affected host
  • Unsolicited IPv6 Router Advertisement packets containing ND options with a length field of zero
  • Loss of IPv6 connectivity or delayed address configuration on hosts sharing the network segment

Detection Strategies

  • Inspect IPv6 RA traffic with a packet capture tool such as tcpdump -i <iface> 'icmp6 and ip6[40] == 134' and flag options where the length octet equals 0x00.
  • Monitor per-process CPU metrics and alert when dhcpcd exceeds a sustained utilization threshold uncorrelated with interface changes.
  • Correlate host-based CPU anomalies with adjacent IPv6 ICMPv6 type 134 traffic to identify targeted exploitation attempts.

Monitoring Recommendations

  • Enable RA Guard on managed switches to drop unauthorized Router Advertisements at the network edge.
  • Ingest host telemetry into a centralized data lake and build alerts for CPU saturation localized to network configuration daemons.
  • Track the volume of ICMPv6 type 134 packets per source MAC to detect flooding or malformed RA activity.

How to Mitigate CVE-2026-14258

Immediate Actions Required

  • Apply the vendor-provided dhcpcd update that includes commit 75289ca as soon as it is available for your distribution.
  • Deploy IPv6 RA Guard or equivalent first-hop security controls on all access switches to restrict RAs to authorized routers.
  • Audit systems for exposure by identifying hosts running dhcpcd with IPv6 enabled on untrusted networks.

Patch Information

The upstream fix is available in the dhcpcd project as commit 75289ca, which discards Neighbor Discovery packets containing zero-length options before they can be reparsed. Refer to the Red Hat CVE-2026-14258 Advisory and GitHub Issue #415 on dhcpcd for distribution-specific package versions and backports.

Workarounds

  • Disable IPv6 on interfaces that do not require it using sysctl -w net.ipv6.conf.<iface>.disable_ipv6=1 where operationally acceptable.
  • Configure dhcpcd to ignore Router Advertisements on untrusted interfaces via the noipv6rs directive in /etc/dhcpcd.conf.
  • Restrict layer-2 access to trusted devices using port security and 802.1X on network access ports.
bash
# Configuration example - disable IPv6 RA processing in dhcpcd
# Edit /etc/dhcpcd.conf and add:
noipv6rs

# Or, per-interface, disable IPv6 entirely at the kernel level:
sudo sysctl -w net.ipv6.conf.eth0.disable_ipv6=1

# Enable RA Guard on Cisco access switches (example):
interface GigabitEthernet0/1
 ipv6 nd raguard attach-policy HOST

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.