CVE-2026-42512
Discovered by AISLEPUBLISHEDCWE-122
Description
As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun. A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.
CVSS Base Scores
CVSS v3.1(Primary)
8.1CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Version | Status |
|---|---|---|---|
| FreeBSD | FreeBSD | 15.0-RELEASE | affected |
| FreeBSD | FreeBSD | 14.4-RELEASE | — |
| FreeBSD | FreeBSD | 14.3-RELEASE | — |
| FreeBSD | FreeBSD | 13.5-RELEASE | — |
Credits
- Joshua Rogers of AISLE Research Team(finder)