dhcpcd Heap Use-After-Free in dhcp6_deprecateaddrs via DHCPv6 RENEW

Advisories

dhcpcd Heap Use-After-Free in dhcp6_deprecateaddrs via DHCPv6 RENEW

severity: medium
date: 6/23/2026
Affecting: dhcpcd <= 10.3.2, fixed in commit 5733d3c
CVE: CVE-2026-56113
CWE: CWE-416 Use After Free
CVSS: 6
CVSS V4 Vector: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
References: Patch Commit
Credit: CuB3y0nd
Description: dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers acting as or impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo