CVE-2026-42511

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhcl...

high 8.1 CVSS 3.1
Published: Apr 30, 2026
Modified: May 1, 2026
Vendor: Freebsd
Product: Freebsd
Versions: 13.5,14.3,14.4,15.0

Description

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.

A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.

References

Related CVEs

CVE-2026-35547 high · 8.1
When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bound
CVE-2026-39457 high · 7.8
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file de
CVE-2026-42512 high · 8.1
As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its
CVE-2026-7164 high · 7.5
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic. Remote attackers can craft packet
CVE-2026-7270 high · 7.8
An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug ma