FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Remote code execution via malicious DHCP options

Affected packages
15.0 <= FreeBSD < 15.0_7
14.4 <= FreeBSD < 14.4_3
14.3 <= FreeBSD < 14.3_12
13.5 <= FreeBSD < 13.5_13

Details

VuXML ID 9eb2533e-4434-11f1-bb07-bc241121aa0a
Discovery 2026-04-29
Entry 2026-04-30

Problem Description:

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.
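An added example, not FreeBSD's patch or dhclient source: a C sketch of the escaping the description says was missing when the file field is written inside a double-quoted lease string, with the unescaped write beside it for comparison. The function names, the `filename "...";` line layout and backslash-escaping as the parser's convention are assumptions, and the sample field is constructed.

```c
#include <stdio.h>
#include <string.h>
/* Count the quotes a backslash-aware parser would treat as delimiters. */
int delimiter_quotes(const char *s)
{
    int n = 0, bs = 0;
    for (; *s; s++) {
        if (bs) bs = 0;                  /* escaped byte, not a delimiter */
        else if (*s == '\\') bs = 1;
        else if (*s == '"') n++;
    }
    return n;
}

/* Hypothetical helper: escape '"' and '\\'; -1 on control/non-ASCII bytes or short dst. */
int lease_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        size_t esc = (*p == '"' || *p == '\\');
        if (*p < 0x20 || *p > 0x7e) return -1;
        if (o + esc + 1 >= dstlen) return -1;
        if (esc) dst[o++] = '\\';
        dst[o++] = (char)*p;
    }
    dst[o] = '\0';
    return (int)o;
}

/* Build the lease line (layout assumed); escape=0 is the unescaped write. */
int filename_line(const char *field, int escape, char *out, size_t outlen)
{
    char buf[512];
    if (!escape)
        snprintf(buf, sizeof buf, "%s", field);
    else if (lease_escape(field, buf, sizeof buf) < 0)
        return -1;
    int n = snprintf(out, outlen, "  filename \"%s\";\n", buf);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char line[600];
    for (int e = 0; e <= 1; e++)   /* constructed sample field below */
        if (filename_line("boot\"; injected \"x", e, line, sizeof line) > 0)
            printf("escape=%d delimiters=%d %s", e, delimiter_quotes(line), line);
}
```

A line that holds one string should contain exactly two delimiter quotes; any other count means the field's content has left the quoted string.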

Impact:

A rogue DHCP server may be able to execute arbitrary code as root on a system running dhclient.

References

CVE Name CVE-2026-42511
FreeBSD Advisory SA-26:12.dhclient