Remote Code Execution Vulnerability in FreeBSD's dhclient Component
CVE-2026-42511

8.1 HIGH

Key Information:

Vendor: FreeBSD

Status
Vendor
CVE Published: 30 April 2026


What is CVE-2026-42511?

CVE-2026-42511 is a remote code execution vulnerability found in the dhclient component of the FreeBSD operating system. FreeBSD is an open-source operating system widely used for servers and network appliances. The vulnerability arises when the BOOTP file field is written to the lease file without proper escaping of embedded double-quotes. This improper handling allows an attacker to inject arbitrary directives into the dhclient.conf configuration file. When the lease file is parsed again, such as after a system reboot, the attacker-controlled input can be executed by the dhclient-script with root privileges. This presents a serious risk as it could enable an attacker to execute arbitrary code on a targeted system, leading to unauthorized access and control.
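The quoting problem described above, as an added example that is not FreeBSD's code or its patch: a value containing a double-quote is written as a quoted token with and without escaping, then read back to show where the string ends. The names `write_quoted` and `read_quoted`, the sample value, and the backslash-escape reader convention are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Emit `in` as a double-quoted token. With escape != 0, '"' and '\' get a
 * backslash prefix. Returns token length, or -1 if `out` is too small. */
int write_quoted(const char *in, char *out, size_t outsz, int escape)
{
    size_t o = 0;
    if (outsz < 3) return -1;               /* need room for "" plus NUL */
    out[o++] = '"';
    for (; *in != '\0'; in++) {
        int esc = escape && (*in == '"' || *in == '\\');
        if (o + 3 + (size_t)esc > outsz) return -1;
        if (esc) out[o++] = '\\';
        out[o++] = *in;
    }
    out[o++] = '"';
    out[o] = '\0';
    return (int)o;
}

/* Assumed reader convention: a backslash makes the next byte literal.
 * Decodes one token into `val`; returns the number of bytes left over
 * after the closing quote, or -1 on malformed input. */
int read_quoted(const char *p, char *val, size_t valsz)
{
    size_t v = 0;
    if (valsz == 0 || *p++ != '"') return -1;
    for (; *p != '\0' && *p != '"'; p++) {
        if (*p == '\\' && *++p == '\0') return -1;
        if (v + 1 >= valsz) return -1;
        val[v++] = *p;
    }
    if (*p != '"') return -1;
    val[v] = '\0';
    return (int)strlen(p + 1);
}

int main(void)
{
    const char *file = "pxe\"boot\\img";    /* constructed sample value */
    char tok[64], val[64];
    for (int esc = 0; esc <= 1; esc++) {
        write_quoted(file, tok, sizeof tok, esc);
        int left = read_quoted(tok, val, sizeof val);
        printf("escape=%d token=%s value=%s leftover=%d\n", esc, tok, val, left);
    }
    return 0;
}
```

A non-zero leftover means bytes from the network-supplied value ended up outside the quoted string, where a parser would treat them as file syntax rather than data.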

Potential impact of CVE-2026-42511

  1. Remote Code Execution: The vulnerability can allow a malicious actor controlling a rogue DHCP server to execute arbitrary code on a vulnerable system with root privileges. This level of access provides the attacker extensive control over the compromised machine.

  2. System Compromise: With root access, an attacker can manipulate system files, install malicious software, or create backdoors for future access. This can lead to significant data breaches, loss of sensitive information, and compromise of other systems within the network.

  3. Widespread Exploitation Risk: While active exploitation has not yet been reported, the nature of this vulnerability indicates a potential for widespread targeting, especially in environments where FreeBSD is deployed. Attackers may focus on scanning for vulnerable systems, heightening the urgency for organizations to address and patch this vulnerability promptly.

Affected Version(s)

FreeBSD 15.0-RELEASE

FreeBSD 14.4-RELEASE

FreeBSD 14.3-RELEASE

News Articles

FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root - IT Security News

The FreeBSD Project has released a critical security advisory addressing a severe flaw in its default IPv4 DHCP client. Tracked as CVE-2026-42511, this vulnerability allows a local network attacker to execute arbitrary code as root, granting them complete control over the…

2 weeks ago

FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root

FreeBSD issued an advisory for CVE-2026-42511, a DHCP flaw enabling local attackers to gain root control.

2 weeks ago

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability started trending

  • First article discovered by Cybersecuritynews

  • Vulnerability published

  • Vulnerability Reserved

Credit

Joshua Rogers of AISLE Research Team