Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56116

CVE-2026-56116: dhcpcd IPv6 Memory Leak DoS Vulnerability

CVE-2026-56116 is a memory leak denial of service vulnerability in dhcpcd through version 10.3.2. Attackers can send crafted IPv6 Router Advertisements to exhaust memory and crash the daemon. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-56116 Overview

CVE-2026-56116 is a memory leak vulnerability in dhcpcd through version 10.3.2 that enables denial of service on hosts running the daemon. The flaw resides in IPv6 Router Advertisement (RA) route information handling, specifically in the routeinfo_findalloc() function. An unauthenticated attacker on the same link can repeatedly send crafted Router Advertisements containing Route Information options with a lifetime of zero. Each malformed advertisement triggers an allocation that is never freed, producing linear memory growth until the daemon crashes. The issue is tracked under [CWE-401] (Missing Release of Memory after Effective Lifetime) and was fixed in commit 708b4a5.

Critical Impact

Adjacent-network attackers can crash the dhcpcd daemon by flooding zero-lifetime Route Information options, disrupting network configuration on affected hosts.

Affected Products

  • dhcpcd versions up to and including 10.3.2
  • Linux and BSD distributions shipping dhcpcd as the default DHCP client
  • Embedded and IoT systems using dhcpcd for IPv6 configuration

Discovery Timeline

  • 2026-06-23 - CVE-2026-56116 published to NVD
  • 2026-06-23 - Last updated in NVD database
  • Fix commit - 708b4a56bae080a5b18c2e0c4c6fbe103131a2b0 published to the dhcpcd repository

Technical Details for CVE-2026-56116

Vulnerability Analysis

The dhcpcd daemon parses IPv6 Router Advertisements as defined in RFC 4861 and RFC 4191. RFC 4191 introduces Route Information options that advertise more-specific routes than the default gateway. When dhcpcd receives an RA containing a Route Information option, it invokes routeinfo_findalloc() to locate an existing route entry or allocate a new one.

When the advertised lifetime is zero, the route should be treated as expired and removed from the per-RA route list (rap->rinfos). The pre-patch code path called TAILQ_REMOVE() to detach the expired entry but never released the allocated memory. Repeated processing of zero-lifetime advertisements leaks an allocation per option, producing unbounded heap growth.

Because the parsing occurs before any authentication or rate-limiting, the daemon processes every well-formed multicast RA observed on the local link. The cumulative effect is daemon termination by the kernel out-of-memory killer or by allocation failure.

Root Cause

The defect is a missing free() call following TAILQ_REMOVE() in the IPv6 ND route expiration path inside src/ipv6nd.c. The route information structure is detached from its queue but never returned to the heap.

Attack Vector

The attacker must reside on the same Layer 2 segment as the target. They send ICMPv6 Router Advertisements to the all-nodes multicast group, embedding Route Information options with a Route Lifetime field set to zero. No prior credentials, prompts, or user interaction are required.

c
// Patch from src/ipv6nd.c - IPv6ND: Free routeinfo when it expires (#670)
				logwarnx("%s: expired route %s",
				    rap->iface->name, rinfo->sprefix);
				TAILQ_REMOVE(&rap->rinfos, rinfo, next);
+				free(rinfo);
			}
		}

Source: GitHub Commit 708b4a5

The added free(rinfo) call releases the allocation immediately after it is removed from the tail queue, closing the leak.

Detection Methods for CVE-2026-56116

Indicators of Compromise

  • Steady growth of resident memory for the dhcpcd process without corresponding configuration changes.
  • Frequent ICMPv6 Router Advertisements on the local segment from unexpected link-local sources.
  • dhcpcd process termination entries in system logs referencing out-of-memory conditions.
  • Repeated expired route warnings emitted by dhcpcd for the same prefixes.

Detection Strategies

  • Monitor dhcpcd resident set size (RSS) over time and alert on sustained linear growth.
  • Capture ICMPv6 type 134 (Router Advertisement) traffic and flag bursts of RAs carrying Route Information options with a zero lifetime.
  • Correlate kernel OOM-killer events with dhcpcd process identifiers.

Monitoring Recommendations

  • Enable RA Guard on managed switches to restrict which ports may originate Router Advertisements.
  • Forward dhcpcd syslog output to a central log platform and create rules on repeated route expiration messages.
  • Baseline normal RA volume per VLAN to surface anomalous adjacent-network activity.

How to Mitigate CVE-2026-56116

Immediate Actions Required

  • Upgrade dhcpcd to a build that includes commit 708b4a5 or later.
  • Restart the dhcpcd service after upgrade to clear any already-leaked allocations.
  • Apply distribution security updates as vendor packages become available.

Patch Information

The upstream fix is commit 708b4a56bae080a5b18c2e0c4c6fbe103131a2b0 in the NetworkConfiguration/dhcpcd repository. Additional context is available in the VulnCheck Advisory for dhcpcd. Rebuild from source or install the patched package shipped by your distribution.

Workarounds

  • Enable IPv6 RA Guard on access switches to drop unauthorized Router Advertisements.
  • Disable IPv6 router discovery on hosts that do not require dynamic IPv6 configuration.
  • Configure systemd or service supervisors to restart dhcpcd automatically on crash while patching is scheduled.
  • Restrict link-local access by segmenting untrusted devices into isolated VLANs.
bash
# Example: enable IPv6 RA Guard policy on a Cisco access port
ipv6 nd raguard policy HOST-POLICY
 device-role host
!
interface GigabitEthernet0/1
 ipv6 nd raguard attach-policy HOST-POLICY

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.