CVE-2026-56115 Overview
CVE-2026-56115 is a one-byte stack out-of-bounds write vulnerability [CWE-787] in the dhcp6_makemessage() function within src/dhcp6.c of dhcpcd through version 10.3.2. The flaw allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. An attacker on the adjacent network can send a crafted DHCPv6 ADVERTISE message containing an IA_PDIAPREFIX/0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length between /121 and /128 to trigger the overflow and potentially corrupt adjacent stack memory. The issue is fixed in commit 2f00c7b.
Critical Impact
Adjacent-network attackers can corrupt stack memory in the DHCPv6 client, potentially causing process crash or denial of service on affected hosts.
Affected Products
- dhcpcd versions through 10.3.2
- Linux and BSD distributions shipping dhcpcd as their DHCP client
- Embedded systems and routers using dhcpcd for DHCPv6 prefix delegation
Discovery Timeline
- 2026-06-23 - CVE-2026-56115 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-56115
Vulnerability Analysis
The vulnerability resides in the DHCPv6 message construction path of dhcpcd, the widely deployed DHCP client. When the client serializes a Prefix Exclude option as defined in RFC 6603 Section 4.2, the code allocates a fixed 16-byte local buffer (uint8_t exb[16]) on the stack to hold the encoded exclude prefix. The encoding logic does not enforce that the resulting serialized length fits within this 16-byte buffer.
An attacker can craft a DHCPv6 ADVERTISE message containing an IA_PD option with an IAPREFIX of /0 and a valid OPTION_PD_EXCLUDE body using exclude prefix lengths between /121 and /128. These edge-case prefix lengths produce a 17-octet serialized output, causing a one-byte write past the end of exb and corrupting adjacent stack memory.
Root Cause
The root cause is an undersized stack buffer in dhcp6_makemessage(). The original code declared uint8_t exb[16], which fails to accommodate the maximum 17-octet encoding required for RFC 6603 prefix exclude options when the delegated prefix is /0 and the excluded prefix length reaches /121 through /128.
Attack Vector
Exploitation requires adjacent-network access. An attacker on the same link as the victim must respond to or solicit a DHCPv6 exchange and return a malicious ADVERTISE message. No authentication or user interaction is required. The vulnerability primarily impacts availability through stack corruption that can crash the dhcpcd process.
/* RFC6603 Section 4.2 */
if (ap->prefix_exclude_len) {
- uint8_t exb[16], *ep, u8;
+ uint8_t exb[17], *ep, u8;
const uint8_t *pp;
n = (size_t)((ap->prefix_exclude_len -
Source: GitHub commit 2f00c7b — the patch enlarges the exb stack buffer from 16 to 17 bytes to hold the maximum RFC 6603 encoding.
Detection Methods for CVE-2026-56115
Indicators of Compromise
- Unexpected crashes or restarts of the dhcpcd process on Linux or BSD endpoints.
- DHCPv6 ADVERTISE packets on the local link containing OPTION_PD_EXCLUDE (option code 67) with exclude prefix lengths between /121 and /128.
- DHCPv6 IA_PD entries advertising an IAPREFIX with prefix length /0 paired with a Prefix Exclude option.
Detection Strategies
- Deploy network IDS signatures that flag DHCPv6 ADVERTISE messages containing OPTION_PD_EXCLUDE with prefix lengths greater than /120.
- Monitor host telemetry for abnormal termination of dhcpcd and correlate with inbound DHCPv6 traffic captured on the same interface.
- Audit running dhcpcd versions across the fleet and flag any host running 10.3.2 or earlier.
Monitoring Recommendations
- Enable verbose dhcpcd logging on managed endpoints to capture parsing of incoming DHCPv6 options.
- Capture pcap traces on interfaces processing DHCPv6 and review for malformed IA_PD or PD_EXCLUDE structures.
- Alert on repeated DHCPv6 client restarts within short time windows, which can indicate exploitation attempts.
How to Mitigate CVE-2026-56115
Immediate Actions Required
- Upgrade dhcpcd to a release containing commit 2f00c7b or later as soon as distribution packages become available.
- Apply vendor-supplied backports for dhcpcd 10.3.2 and earlier on systems where upgrade is not yet possible.
- Restrict DHCPv6 traffic on untrusted network segments using switch-level RA Guard and DHCPv6 snooping.
Patch Information
The upstream fix is available in dhcpcd commit 2f00c7bfc408b6582d331932dfa47829c4819029, which increases the exb stack buffer in dhcp6_makemessage() from 16 to 17 bytes. See the VulnCheck advisory and the upstream GitHub commit for details.
Workarounds
- Disable DHCPv6 prefix delegation (ia_pd) in dhcpcd.conf on hosts that do not require it.
- Use an alternate DHCPv6 client on critical systems until patched packages are deployed.
- Enforce link-layer filtering to block untrusted DHCPv6 servers from sending ADVERTISE messages to clients.
# /etc/dhcpcd.conf - disable DHCPv6 prefix delegation as a temporary workaround
# Comment out or remove any ia_pd lines:
# ia_pd 1/::/60
# Optionally disable DHCPv6 entirely on interfaces that do not require it:
noipv6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

