Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56115

CVE-2026-56115: dhcpcd Buffer Overflow Vulnerability

CVE-2026-56115 is a one-byte stack buffer overflow in dhcpcd through 10.3.2 that enables same-link attackers to corrupt memory via crafted DHCPv6 messages. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-56115 Overview

CVE-2026-56115 is a one-byte stack out-of-bounds write vulnerability [CWE-787] in the dhcp6_makemessage() function within src/dhcp6.c of dhcpcd through version 10.3.2. The flaw allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. An attacker on the adjacent network can send a crafted DHCPv6 ADVERTISE message containing an IA_PDIAPREFIX/0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length between /121 and /128 to trigger the overflow and potentially corrupt adjacent stack memory. The issue is fixed in commit 2f00c7b.

Critical Impact

Adjacent-network attackers can corrupt stack memory in the DHCPv6 client, potentially causing process crash or denial of service on affected hosts.

Affected Products

  • dhcpcd versions through 10.3.2
  • Linux and BSD distributions shipping dhcpcd as their DHCP client
  • Embedded systems and routers using dhcpcd for DHCPv6 prefix delegation

Discovery Timeline

  • 2026-06-23 - CVE-2026-56115 published to NVD
  • 2026-06-23 - Last updated in NVD database

Technical Details for CVE-2026-56115

Vulnerability Analysis

The vulnerability resides in the DHCPv6 message construction path of dhcpcd, the widely deployed DHCP client. When the client serializes a Prefix Exclude option as defined in RFC 6603 Section 4.2, the code allocates a fixed 16-byte local buffer (uint8_t exb[16]) on the stack to hold the encoded exclude prefix. The encoding logic does not enforce that the resulting serialized length fits within this 16-byte buffer.

An attacker can craft a DHCPv6 ADVERTISE message containing an IA_PD option with an IAPREFIX of /0 and a valid OPTION_PD_EXCLUDE body using exclude prefix lengths between /121 and /128. These edge-case prefix lengths produce a 17-octet serialized output, causing a one-byte write past the end of exb and corrupting adjacent stack memory.

Root Cause

The root cause is an undersized stack buffer in dhcp6_makemessage(). The original code declared uint8_t exb[16], which fails to accommodate the maximum 17-octet encoding required for RFC 6603 prefix exclude options when the delegated prefix is /0 and the excluded prefix length reaches /121 through /128.

Attack Vector

Exploitation requires adjacent-network access. An attacker on the same link as the victim must respond to or solicit a DHCPv6 exchange and return a malicious ADVERTISE message. No authentication or user interaction is required. The vulnerability primarily impacts availability through stack corruption that can crash the dhcpcd process.

c
				/* RFC6603 Section 4.2 */
				if (ap->prefix_exclude_len) {
-					uint8_t exb[16], *ep, u8;
+					uint8_t exb[17], *ep, u8;
					const uint8_t *pp;

					n = (size_t)((ap->prefix_exclude_len -

Source: GitHub commit 2f00c7b — the patch enlarges the exb stack buffer from 16 to 17 bytes to hold the maximum RFC 6603 encoding.

Detection Methods for CVE-2026-56115

Indicators of Compromise

  • Unexpected crashes or restarts of the dhcpcd process on Linux or BSD endpoints.
  • DHCPv6 ADVERTISE packets on the local link containing OPTION_PD_EXCLUDE (option code 67) with exclude prefix lengths between /121 and /128.
  • DHCPv6 IA_PD entries advertising an IAPREFIX with prefix length /0 paired with a Prefix Exclude option.

Detection Strategies

  • Deploy network IDS signatures that flag DHCPv6 ADVERTISE messages containing OPTION_PD_EXCLUDE with prefix lengths greater than /120.
  • Monitor host telemetry for abnormal termination of dhcpcd and correlate with inbound DHCPv6 traffic captured on the same interface.
  • Audit running dhcpcd versions across the fleet and flag any host running 10.3.2 or earlier.

Monitoring Recommendations

  • Enable verbose dhcpcd logging on managed endpoints to capture parsing of incoming DHCPv6 options.
  • Capture pcap traces on interfaces processing DHCPv6 and review for malformed IA_PD or PD_EXCLUDE structures.
  • Alert on repeated DHCPv6 client restarts within short time windows, which can indicate exploitation attempts.

How to Mitigate CVE-2026-56115

Immediate Actions Required

  • Upgrade dhcpcd to a release containing commit 2f00c7b or later as soon as distribution packages become available.
  • Apply vendor-supplied backports for dhcpcd 10.3.2 and earlier on systems where upgrade is not yet possible.
  • Restrict DHCPv6 traffic on untrusted network segments using switch-level RA Guard and DHCPv6 snooping.

Patch Information

The upstream fix is available in dhcpcd commit 2f00c7bfc408b6582d331932dfa47829c4819029, which increases the exb stack buffer in dhcp6_makemessage() from 16 to 17 bytes. See the VulnCheck advisory and the upstream GitHub commit for details.

Workarounds

  • Disable DHCPv6 prefix delegation (ia_pd) in dhcpcd.conf on hosts that do not require it.
  • Use an alternate DHCPv6 client on critical systems until patched packages are deployed.
  • Enforce link-layer filtering to block untrusted DHCPv6 servers from sending ADVERTISE messages to clients.
bash
# /etc/dhcpcd.conf - disable DHCPv6 prefix delegation as a temporary workaround
# Comment out or remove any ia_pd lines:
# ia_pd 1/::/60

# Optionally disable DHCPv6 entirely on interfaces that do not require it:
noipv6

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.