Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56113

CVE-2026-56113: dhcpcd Use-After-Free Vulnerability

CVE-2026-56113 is a heap use-after-free flaw in dhcpcd through 10.3.2 that allows attackers to crash the daemon via crafted DHCPv6 packets. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-56113 Overview

CVE-2026-56113 is a heap use-after-free vulnerability [CWE-416] in dhcpcd through version 10.3.2. The flaw resides in the DHCPv6 address deprecation logic and is triggered by a crafted DHCPv6 RENEW reply containing an RFC6603 OPTION_PD_EXCLUDE option with both preferred and valid lifetimes set to zero. An unauthenticated attacker on the same link, acting as or impersonating a DHCPv6 server, can crash the daemon. The issue is fixed in upstream commit 5733d3c.

Critical Impact

Same-link attackers can remotely crash the dhcpcd daemon, disrupting IPv6 address management and network connectivity on affected hosts.

Affected Products

  • dhcpcd versions through 10.3.2
  • Linux and BSD distributions packaging dhcpcd as the DHCP client
  • Embedded and network appliances relying on dhcpcd for DHCPv6 prefix delegation

Discovery Timeline

  • 2026-06-23 - CVE-2026-56113 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-56113

Vulnerability Analysis

The vulnerability lives in the DHCPv6 address deprecation path of dhcpcd. When the daemon processes a RENEW reply, it walks delegated prefix children to mark deprecated addresses. The function dhcp6_deprecatedele() frees a delegated child address inline, but the outer iterator in dhcp6_deprecateaddrs() still references that freed memory. When the loop reaches TAILQ_REMOVE, it operates on a dangling pointer, producing a use-after-free condition on the heap.

The trigger requires the attacker to send a DHCPv6 RENEW reply that includes RFC6603 OPTION_PD_EXCLUDE with both preferred and valid lifetimes equal to zero. This combination forces the deprecation routine into the vulnerable code path. Successful exploitation crashes the daemon, denying DHCPv6-managed addressing to the host.

Root Cause

The root cause is an iterator-invalidation defect. dhcp6_deprecateaddrs() uses TAILQ_FOREACH_SAFE over ia->pd_pfxs, but the body calls dhcp6_deprecatedele() which may free entries from the same list. Once an entry is freed, the cached next pointer in the outer iterator references unmapped or reused memory, violating the list's safe-iteration contract.

Attack Vector

The attack vector is adjacent network (same link). An attacker must be able to send DHCPv6 traffic to the victim, either by running a rogue DHCPv6 server, racing a legitimate server, or hijacking link-local multicast on the segment. No authentication or user interaction is required.

c
 }
 
 #ifndef SMALL
-static void
+static bool
 dhcp6_deprecatedele(struct ipv6_addr *ia)
 {
 	struct ipv6_addr *da, *dan, *dda;
 	struct timespec now;
 	struct dhcp6_state *state;
+	bool freed = false;
 
 	timespecclear(&now);
 	TAILQ_FOREACH_SAFE(da, &ia->pd_pfxs, pd_next, dan) {

Source: GitHub Commit 5733d3c. The patch changes the return type of dhcp6_deprecatedele() to bool so the outer iterator in dhcp6_deprecateaddrs() can detect that a prefix was freed and restart the walk instead of continuing with a stale pointer.

Detection Methods for CVE-2026-56113

Indicators of Compromise

  • Unexpected termination of the dhcpcd process or segmentation faults logged by the kernel or systemd.
  • Loss of IPv6 connectivity following receipt of a DHCPv6 RENEW message on a host running a vulnerable dhcpcd build.
  • DHCPv6 RENEW replies on the local link containing OPTION_PD_EXCLUDE (RFC6603) with both preferred and valid lifetimes set to zero.

Detection Strategies

  • Inspect link-local DHCPv6 traffic for replies that combine OPTION_PD_EXCLUDE with zero lifetimes, which is anomalous in benign deployments.
  • Correlate daemon crash events from journalctl -u dhcpcd or /var/log/messages with preceding DHCPv6 packet captures on the affected interface.
  • Inventory hosts running dhcpcd versions at or below 10.3.2 using package management queries such as dpkg -l dhcpcd or rpm -q dhcpcd.

Monitoring Recommendations

  • Enable host-level monitoring for unexpected restarts of network configuration daemons and alert on repeated dhcpcd failures.
  • Capture DHCPv6 traffic on trusted links and flag unsolicited RENEW or REPLY messages from non-authorized sources.
  • Forward syslog and packet metadata into a centralized analytics platform to correlate same-link DHCPv6 anomalies with endpoint stability events.

How to Mitigate CVE-2026-56113

Immediate Actions Required

  • Upgrade dhcpcd to a build that includes upstream commit 5733d3c or a distribution package backporting that fix.
  • Restrict layer-2 access to trusted devices and enable port security or DHCPv6 snooping on managed switches to block rogue servers.
  • Audit endpoints for outdated dhcpcd installations and prioritize patching of hosts on shared or untrusted broadcast domains.

Patch Information

The fix is upstream in the NetworkConfiguration/dhcpcd repository as commit 5733d3c. The patch returns a bool from dhcp6_deprecatedele() indicating whether a delegated address was freed and restarts the outer iteration in dhcp6_deprecateaddrs() when a deletion occurs. Refer to the VulnCheck advisory for additional technical context.

Workarounds

  • Disable DHCPv6 client functionality on hosts that do not require it by removing dhcpcd from IPv6 interfaces or switching to static addressing.
  • Deploy DHCPv6 guard or RA guard features on access switches to drop unauthorized server messages at the network edge.
  • Segment untrusted endpoints onto isolated VLANs so that a compromised same-link host cannot reach DHCPv6 clients on production segments.
bash
# Verify installed dhcpcd version and apply distribution updates
dhcpcd --version

# Debian / Ubuntu
sudo apt update && sudo apt install --only-upgrade dhcpcd dhcpcd5

# RHEL / Fedora
sudo dnf upgrade dhcpcd

# Disable DHCPv6 client where IPv6 addressing is static
sudo systemctl disable --now dhcpcd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.