Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56117

CVE-2026-56117: dhcpcd Use-After-Free Vulnerability

CVE-2026-56117 is a heap use-after-free vulnerability in dhcpcd through version 10.3.2 that allows local attackers to trigger memory corruption. This post covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-56117 Overview

CVE-2026-56117 is a heap use-after-free vulnerability [CWE-416] in dhcpcd through version 10.3.2, affecting the control socket handling in src/control.c. The flaw allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. When a client sends a privileged command such as -x to the control socket, control_recvdata() frees the client object while a subsequent READ+HANGUP event reaches control_hangup() with the stale pointer. The vulnerability is fixed in commit 78ea09e.

Critical Impact

Local attackers can corrupt heap memory in dhcpcd deployments using --disable-privsep or where privsep initialization fails and the control socket operates in mode 0666.

Affected Products

  • dhcpcd versions through 10.3.2
  • Deployments configured with --disable-privsep
  • Deployments where privsep initialization has failed and the control socket is in mode 0666

Discovery Timeline

  • 2026-06-23 - CVE-2026-56117 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-56117

Vulnerability Analysis

The dhcpcd daemon manages DHCP client operations and exposes a UNIX domain control socket for runtime commands. The control socket dispatcher in src/control.c handles read events from connected clients. When a client connection is closed mid-transaction, the code path frees the associated fd_list client structure while a pending hangup event still references that pointer. The resulting use-after-free corrupts heap state and can be triggered reliably by any local user with access to the control socket.

Root Cause

The defect stems from control_recvdata() invoking control_hangup() on read errors and then returning -1. The event loop subsequently dispatches the HANGUP portion of the multiplexed READ+HANGUP event, invoking control_hangup() a second time on the already-freed fd_list structure. The function's void return type prevented callers from distinguishing successful processing from a hangup that already released the client.

Attack Vector

Exploitation requires local access to the control socket. In hardened builds, privilege separation restricts the socket to root, but when dhcpcd is built or invoked with --disable-privsep, or when privsep initialization fails, the socket falls back to mode 0666, exposing it to any local user. An attacker connects to the socket, issues a privileged command such as -x, and races the close to trigger the dangling pointer. Successful exploitation results in heap memory corruption affecting the integrity and availability of the dhcpcd process.

The upstream patch in src/control.c removes the redundant hangup call and changes the function signature to return the byte count to its caller:

c
 	bytes = read(fd->fd, buffer, sizeof(buffer) - 1);
 	if (bytes == -1)
 		logerr(__func__);
-	if (bytes == -1 || bytes == 0) {
-		control_hangup(fd);
-		return -1;
-	}
+	if (bytes == -1 || bytes == 0)
+		return (int)bytes;
 
 #ifdef PRIVSEP
 	if (IN_PRIVSEP(fd->ctx)) {

The header signature was updated accordingly in src/control.h:

c
 void control_free(struct fd_list *);
 void control_delete(struct fd_list *);
 int control_queue(struct fd_list *, void *, size_t);
-void control_recvdata(struct fd_list *fd, char *, size_t);
+int control_recvdata(struct fd_list *fd, char *, size_t);
 #endif

Source: NetworkConfiguration/dhcpcd commit 78ea09e

Detection Methods for CVE-2026-56117

Indicators of Compromise

  • Unexpected crashes or restarts of the dhcpcd daemon, particularly with SIGSEGV or SIGABRT signals indicative of heap corruption.
  • Presence of a control socket with world-writable permissions (0666) at the path used by dhcpcd, typically under /var/run/.
  • Log entries from dhcpcd reporting privsep initialization failures followed by client connection events from non-root UIDs.

Detection Strategies

  • Inventory all hosts running dhcpcd and verify the installed version is at or below 10.3.2 by querying the package manager.
  • Audit build flags and init scripts for use of --disable-privsep or environments where privsep is unavailable.
  • Monitor process telemetry for abnormal terminations of dhcpcd correlated with local user connections to its control socket.

Monitoring Recommendations

  • Enable core dump collection on systems running dhcpcd and forward signatures of heap-related crashes to a centralized log platform.
  • Apply file integrity monitoring to the dhcpcd control socket path and alert on permission changes to 0666.
  • Track local process executions invoking dhcpcd -x or similar privileged commands from non-administrative accounts.

How to Mitigate CVE-2026-56117

Immediate Actions Required

  • Upgrade dhcpcd to a version that includes commit 78ea09e or later as soon as distribution packages are available.
  • Re-enable privilege separation by removing --disable-privsep from build configurations and service invocations.
  • Verify the control socket is owned by root and not set to world-writable mode 0666.

Patch Information

The fix is available in upstream commit 78ea09e of the NetworkConfiguration/dhcpcd repository. The patch eliminates the duplicate control_hangup() invocation in the read path and propagates the byte count return value to the event dispatcher. Refer to the VulnCheck Security Advisory and the upstream commit for full technical details.

Workarounds

  • Restrict access to the dhcpcd control socket by enforcing root-only permissions until a patched build is deployed.
  • Confirm that privsep initialization succeeds at daemon startup and treat any privsep failure as a critical operational event requiring service shutdown.
  • Limit local user access on multi-user systems hosting dhcpcd until the upgraded binary is in production.
bash
# Verify dhcpcd control socket ownership and mode
ls -l /var/run/dhcpcd.sock

# Confirm dhcpcd was not built or launched with --disable-privsep
ps -ef | grep dhcpcd
dhcpcd --version

# Tighten socket permissions as a temporary mitigation
chown root:root /var/run/dhcpcd.sock
chmod 0600 /var/run/dhcpcd.sock

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.