CVE-2026-42511

Summary

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.

A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.

Affected Software

VendorProductVersion RangeStatus
FreeBSDFreeBSD15.0-RELEASE < p7affected
FreeBSDFreeBSD14.4-RELEASE < p3affected
FreeBSDFreeBSD14.3-RELEASE < p12affected
FreeBSDFreeBSD13.5-RELEASE < p13affected

Weaknesses

  • CWE-149: CWE-149: Improper Neutralization of Quoting Syntax

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References