CVE-2026-56117 Overview
CVE-2026-56117 is a heap use-after-free vulnerability [CWE-416] in dhcpcd through version 10.3.2, affecting the control socket handling in src/control.c. The flaw allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. When a client sends a privileged command such as -x to the control socket, control_recvdata() frees the client object while a subsequent READ+HANGUP event reaches control_hangup() with the stale pointer. The vulnerability is fixed in commit 78ea09e.
Critical Impact
Local attackers can corrupt heap memory in dhcpcd deployments using --disable-privsep or where privsep initialization fails and the control socket operates in mode 0666.
Affected Products
- dhcpcd versions through 10.3.2
- Deployments configured with --disable-privsep
- Deployments where privsep initialization has failed and the control socket is in mode 0666
Discovery Timeline
- 2026-06-23 - CVE-2026-56117 published to NVD
- 2026-06-24 - Last updated in NVD database
Technical Details for CVE-2026-56117
Vulnerability Analysis
The dhcpcd daemon manages DHCP client operations and exposes a UNIX domain control socket for runtime commands. The control socket dispatcher in src/control.c handles read events from connected clients. When a client connection is closed mid-transaction, the code path frees the associated fd_list client structure while a pending hangup event still references that pointer. The resulting use-after-free corrupts heap state and can be triggered reliably by any local user with access to the control socket.
Root Cause
The defect stems from control_recvdata() invoking control_hangup() on read errors and then returning -1. The event loop subsequently dispatches the HANGUP portion of the multiplexed READ+HANGUP event, invoking control_hangup() a second time on the already-freed fd_list structure. The function's void return type prevented callers from distinguishing successful processing from a hangup that already released the client.
Attack Vector
Exploitation requires local access to the control socket. In hardened builds, privilege separation restricts the socket to root, but when dhcpcd is built or invoked with --disable-privsep, or when privsep initialization fails, the socket falls back to mode 0666, exposing it to any local user. An attacker connects to the socket, issues a privileged command such as -x, and races the close to trigger the dangling pointer. Successful exploitation results in heap memory corruption affecting the integrity and availability of the dhcpcd process.
The upstream patch in src/control.c removes the redundant hangup call and changes the function signature to return the byte count to its caller:
bytes = read(fd->fd, buffer, sizeof(buffer) - 1);
if (bytes == -1)
logerr(__func__);
- if (bytes == -1 || bytes == 0) {
- control_hangup(fd);
- return -1;
- }
+ if (bytes == -1 || bytes == 0)
+ return (int)bytes;
#ifdef PRIVSEP
if (IN_PRIVSEP(fd->ctx)) {
The header signature was updated accordingly in src/control.h:
void control_free(struct fd_list *);
void control_delete(struct fd_list *);
int control_queue(struct fd_list *, void *, size_t);
-void control_recvdata(struct fd_list *fd, char *, size_t);
+int control_recvdata(struct fd_list *fd, char *, size_t);
#endif
Source: NetworkConfiguration/dhcpcd commit 78ea09e
Detection Methods for CVE-2026-56117
Indicators of Compromise
- Unexpected crashes or restarts of the dhcpcd daemon, particularly with SIGSEGV or SIGABRT signals indicative of heap corruption.
- Presence of a control socket with world-writable permissions (0666) at the path used by dhcpcd, typically under /var/run/.
- Log entries from dhcpcd reporting privsep initialization failures followed by client connection events from non-root UIDs.
Detection Strategies
- Inventory all hosts running dhcpcd and verify the installed version is at or below 10.3.2 by querying the package manager.
- Audit build flags and init scripts for use of --disable-privsep or environments where privsep is unavailable.
- Monitor process telemetry for abnormal terminations of dhcpcd correlated with local user connections to its control socket.
Monitoring Recommendations
- Enable core dump collection on systems running dhcpcd and forward signatures of heap-related crashes to a centralized log platform.
- Apply file integrity monitoring to the dhcpcd control socket path and alert on permission changes to 0666.
- Track local process executions invoking dhcpcd -x or similar privileged commands from non-administrative accounts.
How to Mitigate CVE-2026-56117
Immediate Actions Required
- Upgrade dhcpcd to a version that includes commit 78ea09e or later as soon as distribution packages are available.
- Re-enable privilege separation by removing --disable-privsep from build configurations and service invocations.
- Verify the control socket is owned by root and not set to world-writable mode 0666.
Patch Information
The fix is available in upstream commit 78ea09e of the NetworkConfiguration/dhcpcd repository. The patch eliminates the duplicate control_hangup() invocation in the read path and propagates the byte count return value to the event dispatcher. Refer to the VulnCheck Security Advisory and the upstream commit for full technical details.
Workarounds
- Restrict access to the dhcpcd control socket by enforcing root-only permissions until a patched build is deployed.
- Confirm that privsep initialization succeeds at daemon startup and treat any privsep failure as a critical operational event requiring service shutdown.
- Limit local user access on multi-user systems hosting dhcpcd until the upgraded binary is in production.
# Verify dhcpcd control socket ownership and mode
ls -l /var/run/dhcpcd.sock
# Confirm dhcpcd was not built or launched with --disable-privsep
ps -ef | grep dhcpcd
dhcpcd --version
# Tighten socket permissions as a temporary mitigation
chown root:root /var/run/dhcpcd.sock
chmod 0600 /var/run/dhcpcd.sock
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

