CVE-2026-56113
MediumCVSS 5.3Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
In dhcpcd up to version 10.3.2, a heap use-after-free vulnerability allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.
Risk Assessment
The risk is that an attacker on the same network can remotely crash the DHCP service, disrupting DHCP clients and potentially causing network connectivity loss in the organization.
Recommendation
Immediately update dhcpcd to a version containing commit 5733d3c or later, which fixes this vulnerability. If an update is not possible, restrict trust to DHCPv6 servers on the local network.
Original NVD description (English source)
dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers acting as or impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.

