FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Remotely triggerable out-of-bounds heap write in dhclient

Affected packages
15.0 <= FreeBSD < 15.0_7
14.4 <= FreeBSD < 14.4_3
14.3 <= FreeBSD < 14.3_12
13.5 <= FreeBSD < 13.5_13

Details

VuXML ID 58acf4c5-4435-11f1-bb07-bc241121aa0a
Discovery 2026-04-29
Entry 2026-04-30

Problem Description:

As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.
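The sketch below shows one way to grow a NULL-terminated environment array with the allocation size computed in bytes and checked for overflow. It is an added example, not dhclient's code or the FreeBSD patch. The advisory does not say how the size was miscalculated, and `struct envlist`, `envlist_reserve` and `envlist_add` are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical container for illustration; not dhclient's own structure. */
struct envlist {
    char **v;    /* NULL-terminated array of "NAME=value" strings */
    size_t len;  /* entries in use, excluding the terminator */
    size_t cap;  /* slots allocated, including the terminator slot */
};

/* Ensure room for one more entry plus the NULL terminator. */
static int envlist_reserve(struct envlist *e)
{
    if (e->cap >= 2 && e->len <= e->cap - 2)
        return 0;
    size_t ncap = e->cap ? e->cap * 2 : 8;
    /* Request BYTES (slots * pointer size); reject wrap-around first. */
    if (ncap < e->cap || ncap > SIZE_MAX / sizeof(*e->v))
        return -1;
    char **nv = realloc(e->v, ncap * sizeof(*e->v));
    if (nv == NULL)
        return -1;           /* old array is still valid and untouched */
    e->v = nv;
    e->cap = ncap;
    return 0;
}

int envlist_add(struct envlist *e, const char *kv)
{
    size_t n = strlen(kv) + 1;
    if (envlist_reserve(e) != 0)
        return -1;
    char *copy = malloc(n);
    if (copy == NULL)
        return -1;
    memcpy(copy, kv, n);
    e->v[e->len++] = copy;   /* always within cap after reserve */
    e->v[e->len] = NULL;     /* keep the array terminated for exec */
    return 0;
}

int main(void)
{
    struct envlist e = {0};
    for (int i = 0; i < 100; i++)  /* constructed input, forces resizes */
        if (envlist_add(&e, "constructed_key=value") != 0) return 1;
    return (e.len == 100 && e.v[100] == NULL) ? 0 : 1;
}
```

The invariant to audit in any such routine is that the byte count passed to the allocator covers every slot later indexed, including the terminator.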

Impact:

A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.

References

CVE Name CVE-2026-42512
FreeBSD Advisory SA-26:15.dhclient