Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56114

CVE-2026-56114: dhcpcd Buffer Overflow Vulnerability

CVE-2026-56114 is a buffer overflow vulnerability in dhcpcd through 10.3.2 that allows same-link attackers to write beyond a fixed local buffer. This post covers the technical details, affected versions, and mitigations.

Published:

CVE-2026-56114 Overview

CVE-2026-56114 is a one-byte stack out-of-bounds write vulnerability in dhcpcd through version 10.3.2. The flaw resides in the dhcp6_makemessage() function within src/dhcp6.c and is triggered when the client serializes an oversized RFC6603 OPTION_PD_EXCLUDE option body. Unauthenticated same-link attackers can corrupt adjacent stack memory by sending a crafted DHCPv6 ADVERTISE message. The issue is classified under CWE-787 (Out-of-bounds Write) and was fixed in commit 2f00c7b.

Critical Impact

An adjacent-network attacker can trigger a stack out-of-bounds write in a DHCPv6 client without authentication, potentially affecting process integrity and availability on any host running a vulnerable dhcpcd.

Affected Products

  • dhcpcd through version 10.3.2
  • Linux and BSD distributions shipping dhcpcd as the default DHCPv6 client
  • Embedded systems and network appliances bundling dhcpcd for IPv6 prefix delegation

Discovery Timeline

  • 2026-06-23 - CVE-2026-56114 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-56114

Vulnerability Analysis

The vulnerability lives in dhcp6_makemessage() in src/dhcp6.c. When constructing a DHCPv6 message that includes RFC6603 prefix exclude data, the function allocates a fixed 16-byte stack buffer (uint8_t exb[16]) to hold the serialized exclude prefix. RFC6603 permits exclude prefix lengths up to /128, which requires 17 octets of storage. When the supplied exclude prefix length falls between /121 and /128, serialization writes 17 bytes into the 16-byte buffer, producing a one-byte stack out-of-bounds write. The overflow corrupts adjacent stack memory and can affect control data depending on compiler layout and stack protector configuration.

Root Cause

The root cause is an undersized local buffer. The original code declared uint8_t exb[16] based on the assumption that an IPv6 prefix never exceeds 16 octets, ignoring the RFC6603 packing rules that may require an additional trailing byte when the exclude prefix length is between 121 and 128. No length validation gated the write against the buffer size, leaving the serialization loop free to overrun by exactly one byte.

Attack Vector

An attacker on the same link as a vulnerable host sends a crafted DHCPv6 ADVERTISE message containing an IA_PD with an IAPREFIX of /0 and a valid OPTION_PD_EXCLUDE carrying an exclude prefix length of /121 through /128. When the dhcpcd client processes the response and attempts to serialize the option back into a DHCPv6 message, the off-by-one write occurs on the stack. No authentication or user interaction is required, but the attacker must be on the local network segment (Adjacent Network).

c
				/* RFC6603 Section 4.2 */
				if (ap->prefix_exclude_len) {
-					uint8_t exb[16], *ep, u8;
+					uint8_t exb[17], *ep, u8;
					const uint8_t *pp;

					n = (size_t)((ap->prefix_exclude_len -

Source: NetworkConfiguration/dhcpcd commit 2f00c7b — the patch enlarges the stack buffer from 16 to 17 octets to accommodate the maximum RFC6603 exclude prefix serialization.

Detection Methods for CVE-2026-56114

Indicators of Compromise

  • Unexpected dhcpcd process crashes, segmentation faults, or stack smashing aborts logged via syslog or systemd-journald.
  • DHCPv6 ADVERTISE packets on the local segment containing OPTION_PD_EXCLUDE (option code 67) with exclude prefix lengths between 121 and 128.
  • Rogue or unexpected DHCPv6 servers responding to client solicitations on networks that do not legitimately delegate IPv6 prefixes.

Detection Strategies

  • Inspect DHCPv6 traffic with packet capture tools to identify IA_PD options containing IAPREFIX entries with prefix length 0 paired with OPTION_PD_EXCLUDE payloads.
  • Monitor host process telemetry for dhcpcd abnormal termination, core dumps, or stack canary violations that correlate with DHCPv6 message receipt.
  • Audit installed dhcpcd versions across the fleet and flag any builds at or below 10.3.2 that do not include commit 2f00c7b.

Monitoring Recommendations

  • Enable verbose dhcpcd logging (-d) on critical hosts to capture option parsing details during incident response.
  • Forward DHCPv6 server logs and switch port mirroring data to a central analytics platform to baseline normal prefix delegation behavior.
  • Alert on the appearance of unauthorized DHCPv6 servers using DHCPv6 snooping or RA Guard equivalents on managed switches.

How to Mitigate CVE-2026-56114

Immediate Actions Required

  • Upgrade dhcpcd to a build that includes commit 2f00c7b or any vendor backport addressing CVE-2026-56114.
  • Apply distribution security updates for dhcpcd packages on all Linux and BSD systems performing DHCPv6 client operations.
  • Restrict DHCPv6 traffic at Layer 2 using DHCPv6 snooping or port-based access controls to limit exposure to untrusted devices on the same link.

Patch Information

The upstream fix is in NetworkConfiguration/dhcpcd commit 2f00c7b, titled "DHCPv6: Prefix exclude option can be 17 octets (#671)". Refer to the VulnCheck advisory for additional context on affected builds and downstream packaging.

Workarounds

  • Disable IPv6 prefix delegation in dhcpcd.conf by removing or commenting out ia_pd directives where prefix delegation is not required.
  • Disable the DHCPv6 client entirely on hosts that do not need IPv6 address assignment via DHCPv6.
  • Enforce link-layer filtering of unauthorized DHCPv6 servers using switch features such as DHCPv6 Guard until patches can be deployed.
bash
# Example: disable IPv6 prefix delegation in /etc/dhcpcd.conf
# Comment out the IA_PD request line to avoid processing OPTION_PD_EXCLUDE
# ia_pd 1/::/60 eth0

# Verify the running dhcpcd version includes the fix
dhcpcd --version

# After patching, restart the service
sudo systemctl restart dhcpcd

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.