dhclient BOOTP Field Injection Enables Root Code Exec
CVE-2026-42511 Published on April 30, 2026
Remote code execution via malicious DHCP options
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.
A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.
Vulnerability Analysis
CVE-2026-42511 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Weakness Type
Improper Neutralization of Quoting Syntax
Quotes injected into an application can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.
Products Associated with CVE-2026-42511
Want to know whenever a new CVE is published for FreeBSD? stack.watch will email you.
Affected Versions
FreeBSD:- Version 15.0-RELEASE and below p7 is affected.
- Version 14.4-RELEASE and below p3 is affected.
- Version 14.3-RELEASE and below p12 is affected.
- Version 13.5-RELEASE and below p13 is affected.