CVE-2026-56113 Overview
CVE-2026-56113 is a heap use-after-free vulnerability [CWE-416] in dhcpcd through version 10.3.2. The flaw resides in the DHCPv6 address deprecation logic and is triggered by a crafted DHCPv6 RENEW reply containing an RFC6603 OPTION_PD_EXCLUDE option with both preferred and valid lifetimes set to zero. An unauthenticated attacker on the same link, acting as or impersonating a DHCPv6 server, can crash the daemon. The issue is fixed in upstream commit 5733d3c.
Critical Impact
Same-link attackers can remotely crash the dhcpcd daemon, disrupting IPv6 address management and network connectivity on affected hosts.
Affected Products
- dhcpcd versions through 10.3.2
- Linux and BSD distributions packaging dhcpcd as the DHCP client
- Embedded and network appliances relying on dhcpcd for DHCPv6 prefix delegation
Discovery Timeline
- 2026-06-23 - CVE-2026-56113 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-56113
Vulnerability Analysis
The vulnerability lives in the DHCPv6 address deprecation path of dhcpcd. When the daemon processes a RENEW reply, it walks delegated prefix children to mark deprecated addresses. The function dhcp6_deprecatedele() frees a delegated child address inline, but the outer iterator in dhcp6_deprecateaddrs() still references that freed memory. When the loop reaches TAILQ_REMOVE, it operates on a dangling pointer, producing a use-after-free condition on the heap.
The trigger requires the attacker to send a DHCPv6 RENEW reply that includes RFC6603 OPTION_PD_EXCLUDE with both preferred and valid lifetimes equal to zero. This combination forces the deprecation routine into the vulnerable code path. Successful exploitation crashes the daemon, denying DHCPv6-managed addressing to the host.
Root Cause
The root cause is an iterator-invalidation defect. dhcp6_deprecateaddrs() uses TAILQ_FOREACH_SAFE over ia->pd_pfxs, but the body calls dhcp6_deprecatedele() which may free entries from the same list. Once an entry is freed, the cached next pointer in the outer iterator references unmapped or reused memory, violating the list's safe-iteration contract.
Attack Vector
The attack vector is adjacent network (same link). An attacker must be able to send DHCPv6 traffic to the victim, either by running a rogue DHCPv6 server, racing a legitimate server, or hijacking link-local multicast on the segment. No authentication or user interaction is required.
}
#ifndef SMALL
-static void
+static bool
dhcp6_deprecatedele(struct ipv6_addr *ia)
{
struct ipv6_addr *da, *dan, *dda;
struct timespec now;
struct dhcp6_state *state;
+ bool freed = false;
timespecclear(&now);
TAILQ_FOREACH_SAFE(da, &ia->pd_pfxs, pd_next, dan) {
Source: GitHub Commit 5733d3c. The patch changes the return type of dhcp6_deprecatedele() to bool so the outer iterator in dhcp6_deprecateaddrs() can detect that a prefix was freed and restart the walk instead of continuing with a stale pointer.
Detection Methods for CVE-2026-56113
Indicators of Compromise
- Unexpected termination of the dhcpcd process or segmentation faults logged by the kernel or systemd.
- Loss of IPv6 connectivity following receipt of a DHCPv6 RENEW message on a host running a vulnerable dhcpcd build.
- DHCPv6 RENEW replies on the local link containing OPTION_PD_EXCLUDE (RFC6603) with both preferred and valid lifetimes set to zero.
Detection Strategies
- Inspect link-local DHCPv6 traffic for replies that combine OPTION_PD_EXCLUDE with zero lifetimes, which is anomalous in benign deployments.
- Correlate daemon crash events from journalctl -u dhcpcd or /var/log/messages with preceding DHCPv6 packet captures on the affected interface.
- Inventory hosts running dhcpcd versions at or below 10.3.2 using package management queries such as dpkg -l dhcpcd or rpm -q dhcpcd.
Monitoring Recommendations
- Enable host-level monitoring for unexpected restarts of network configuration daemons and alert on repeated dhcpcd failures.
- Capture DHCPv6 traffic on trusted links and flag unsolicited RENEW or REPLY messages from non-authorized sources.
- Forward syslog and packet metadata into a centralized analytics platform to correlate same-link DHCPv6 anomalies with endpoint stability events.
How to Mitigate CVE-2026-56113
Immediate Actions Required
- Upgrade dhcpcd to a build that includes upstream commit 5733d3c or a distribution package backporting that fix.
- Restrict layer-2 access to trusted devices and enable port security or DHCPv6 snooping on managed switches to block rogue servers.
- Audit endpoints for outdated dhcpcd installations and prioritize patching of hosts on shared or untrusted broadcast domains.
Patch Information
The fix is upstream in the NetworkConfiguration/dhcpcd repository as commit 5733d3c. The patch returns a bool from dhcp6_deprecatedele() indicating whether a delegated address was freed and restarts the outer iteration in dhcp6_deprecateaddrs() when a deletion occurs. Refer to the VulnCheck advisory for additional technical context.
Workarounds
- Disable DHCPv6 client functionality on hosts that do not require it by removing dhcpcd from IPv6 interfaces or switching to static addressing.
- Deploy DHCPv6 guard or RA guard features on access switches to drop unauthorized server messages at the network edge.
- Segment untrusted endpoints onto isolated VLANs so that a compromised same-link host cannot reach DHCPv6 clients on production segments.
# Verify installed dhcpcd version and apply distribution updates
dhcpcd --version
# Debian / Ubuntu
sudo apt update && sudo apt install --only-upgrade dhcpcd dhcpcd5
# RHEL / Fedora
sudo dnf upgrade dhcpcd
# Disable DHCPv6 client where IPv6 addressing is static
sudo systemctl disable --now dhcpcd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

