HIGHCVE-2026-42511Published Modified CNA freebsd
CVE-2026-42511: Remote code execution via malicious DHCP options
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.
Metrics
- CVSS v3.1
- 8.1
- Severity
- HIGH
- Fixed in
- p12
- Affected Products
- 1
Fix available
p12p13p3p7
Affected packages
- FreeBSD / FreeBSD< p7 (from 15.0-RELEASE) · < p3 (from 14.4-RELEASE) · < p12 (from 14.3-RELEASE) · < p13 (from 13.5-RELEASE)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HReferences