Heap Use-After-Free Vulnerability in dhcpcd by Network Configuration
CVE-2026-56113

6 MEDIUM

Key Information:

CVE Published:
23 June 2026

What is CVE-2026-56113?

dhcpcd versions up to 10.3.2 contain a heap use-after-free that unauthenticated attackers can trigger by impersonating a DHCPv6 server and sending a specially crafted DHCPv6 RENEW reply that includes OPTION_PD_EXCLUDE with both preferred and valid lifetimes set to zero. Processing the reply frees a delegated child address while an iterator still holds a pointer to it, so the freed memory is used during address deprecation and the daemon can crash, severely undermining the stability and security of affected systems.
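For monitoring, the following added example (not dhcpcd code and not part of the original advisory) parses a captured DHCPv6 message and reports delegated prefixes that match the condition described above. It assumes the lifetimes in question are those of the IAPREFIX option that carries OPTION_PD_EXCLUDE; option codes come from RFC 8415 and RFC 6603, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Codes from RFC 8415 (REPLY, IA_PD, IAPREFIX) and RFC 6603 (PD_EXCLUDE).
MSG_REPLY, OPTION_IA_PD, OPTION_IAPREFIX, OPTION_PD_EXCLUDE = 7, 25, 26, 67

def iter_options(buf):
    """Yield (code, value) for each TLV option; stop at a truncated option."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            return  # declared length runs past the buffer: ignore the rest
        yield code, buf[off:off + length]
        off += length

def suspicious_prefixes(msg):
    """Return (prefix_len, prefix_hex) for every IAPREFIX in a REPLY that has
    zero preferred and valid lifetimes and also carries OPTION_PD_EXCLUDE."""
    hits = []
    if len(msg) < 4 or msg[0] != MSG_REPLY:
        return hits
    for code, ia_pd in iter_options(msg[4:]):       # skip msg-type + 3-byte xid
        if code != OPTION_IA_PD or len(ia_pd) < 12:
            continue
        for sub, pfx in iter_options(ia_pd[12:]):   # skip IAID, T1, T2
            if sub != OPTION_IAPREFIX or len(pfx) < 25:
                continue
            pltime, vltime, plen = struct.unpack_from("!IIB", pfx, 0)
            has_excl = any(c == OPTION_PD_EXCLUDE for c, _ in iter_options(pfx[25:]))
            if pltime == 0 and vltime == 0 and has_excl:
                hits.append((plen, pfx[9:25].hex()))
    return hits

def opt(code, value):
    """Encode one DHCPv6 option (helper used only to build the sample)."""
    return struct.pack("!HH", code, len(value)) + value

# Constructed benign sample: a minimal REPLY whose delegated prefix has
# non-zero lifetimes, so the check reports nothing for it.
PREFIX = bytes.fromhex("20010db8000001000000000000000000")  # 2001:db8:0:100::/56
IAPREFIX = struct.pack("!IIB", 3600, 7200, 56) + PREFIX + opt(OPTION_PD_EXCLUDE, bytes([64, 1]))
IA_PD = struct.pack("!III", 1, 1800, 2880) + opt(OPTION_IAPREFIX, IAPREFIX)
SAMPLE_REPLY = bytes([MSG_REPLY]) + b"\xab\xcd\xef" + opt(OPTION_IA_PD, IA_PD)

if __name__ == "__main__":
    print(suspicious_prefixes(SAMPLE_REPLY))
```

RFC 8415 permits an IAPREFIX with zero lifetimes, so a hit is a signal to check the sender against the expected DHCPv6 server rather than proof of an attack.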

Affected Version(s)

dhcpcd 0 <= 10.3.2

dhcpcd 5733d3c59a5651f64357ac11c98b4f39895c8d25

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CuB3y0nd
VulnCheck