CVE-2026-14258
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Workarounds
Until an updated package is available, administrators should disable IPv6 Router Advertisement processing on interfaces where it is not required or restrict acceptance of untrusted ICMPv6 Router Advertisements using appropriate network filtering.
Systems that rely on IPv6 Stateless Address Autoconfiguration (SLAAC) or Router Advertisement-based network configuration should carefully evaluate the operational impact before applying these mitigations.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
- https://access.redhat.com/security/cve/CVE-2026-14258
- https://bugzilla.redhat.com/show_bug.cgi?id=2462305
- https://github.com/NetworkConfiguration/dhcpcd/commit/75289ca
- https://github.com/NetworkConfiguration/dhcpcd/issues/415
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.