Stack Out-of-Bounds Write Vulnerability in dhcpcd by Network Configuration
CVE-2026-56114

6 MEDIUM

Key Information:

CVE Published: 23 June 2026

What is CVE-2026-56114?

dhcpcd prior to version 10.3.2 contains a stack out-of-bounds write vulnerability in the dhcp6_makemessage() function in src/dhcp6.c. The flaw allows unauthenticated attackers on the same network link to overwrite adjacent stack memory by means of an oversized RFC 6603 OPTION_PD_EXCLUDE option body. The vulnerability is triggered by a specially crafted DHCPv6 ADVERTISE message that includes an IA_PD IAPREFIX /0 with a legitimate OPTION_PD_EXCLUDE whose prefix length is between /121 and /128, leading to unpredictable behavior or system compromise.
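The length relationship behind this case, as an added example that is not dhcpcd's code: under RFC 6603 the option body is one prefix-len octet plus a subnet ID whose size depends on both prefix lengths, so a /121 to /128 exclusion inside a /0 delegation needs 16 subnet ID octets (17 bytes in total). The function names, result codes and the `dst_cap` parameter are hypothetical, and the 16-byte destination in `main` is a constructed value, not a figure taken from dhcpcd.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this example. */
enum pd_excl_result { PD_EXCL_OK = 0, PD_EXCL_MALFORMED = -1, PD_EXCL_TOO_BIG = -2 };

/* Octets of "IPv6 subnet ID" RFC 6603 requires for an excluded prefix of
 * exclude_len bits inside a delegated prefix of delegated_len bits.
 * Returns 0 when the pair is invalid: the excluded prefix must be longer
 * than the delegated one and at most /128. */
size_t pd_exclude_subnet_id_len(uint8_t delegated_len, uint8_t exclude_len)
{
    if (exclude_len > 128 || exclude_len <= delegated_len)
        return 0;
    return (size_t)(exclude_len - delegated_len - 1) / 8 + 1;
}

/* Validate a received OPTION_PD_EXCLUDE body (prefix-len octet followed by
 * the subnet ID) before it is copied into a destination of dst_cap bytes. */
int pd_exclude_check(uint8_t delegated_len, const uint8_t *body,
    size_t body_len, size_t dst_cap)
{
    size_t need;

    if (body == NULL || body_len < 2)
        return PD_EXCL_MALFORMED;
    need = pd_exclude_subnet_id_len(delegated_len, body[0]);
    if (need == 0 || body_len != need + 1)
        return PD_EXCL_MALFORMED;   /* length disagrees with the prefixes */
    if (body_len > dst_cap)
        return PD_EXCL_TOO_BIG;     /* well-formed, but would overflow dst */
    return PD_EXCL_OK;
}

int main(void)
{
    /* Constructed sample: /128 exclusion inside a /0 delegation. */
    uint8_t body[17] = { 128 };

    printf("subnet ID octets: %zu\n", pd_exclude_subnet_id_len(0, 128));
    printf("check against a 16-byte destination: %d\n",
        pd_exclude_check(0, body, sizeof(body), 16));
    return 0;
}
```

A well-formed option can still exceed a fixed-size destination, which is why the capacity check is separate from the format check.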

Affected Version(s)

dhcpcd 0 <= 10.3.2


dhcpcd 2f00c7bfc408b6582d331932dfa47829c4819029


CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CuB3y0nd
VulnCheck