Heap Use-After-Free Vulnerability in dhcpcd by NetworkConfiguration
CVE-2026-56117

5.7 MEDIUM

Key Information:

CVE Published: 23 June 2026

What is CVE-2026-56117?

dhcpcd, up to version 10.3.2, is affected by a heap use-after-free vulnerability in the handling of its control socket. When privilege separation is disabled, a local unprivileged attacker can exploit this flaw. By connecting to the control socket and sending certain privileged commands, the attacker can trigger memory corruption. This occurs because the control_recvdata() function frees the client object, and a subsequent READ+HANGUP event then leads to a call to control_hangup() with the now-invalid pointer. The flaw is exploitable in configurations where privilege separation is either disabled or has failed.
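A simplified C model of the lifetime bug described above, with a guarded dispatch, added here as an illustration and not taken from dhcpcd's source or its fix. The struct, the names `on_read`, `on_hangup` and `dispatch`, and the rule that a privileged command frees the client are assumptions.

```c
#include <stdbool.h>
#include <stdlib.h>

#define EV_READ   0x1
#define EV_HANGUP 0x2

/* Constructed stand-in for a control-socket client; not dhcpcd's struct. */
struct client { bool privileged_cmd; };

static int live_clients; /* allocations the event loop still owns */
static int hangups_run;  /* times the hangup path touched a client */

static struct client *client_new(bool privileged_cmd) {
    struct client *c = malloc(sizeof(*c));
    if (c == NULL)
        return NULL;
    c->privileged_cmd = privileged_cmd;
    live_clients++;
    return c;
}

static void client_free(struct client *c) { free(c); live_clients--; }

/* Read path (assumed behaviour): a rejected privileged command tears the
 * client down. Returns false when c must not be used again. */
static bool on_read(struct client *c) {
    if (c->privileged_cmd) {
        client_free(c);
        return false;
    }
    return true;
}

static void on_hangup(struct client *c) { hangups_run++; client_free(c); }

/* Guarded dispatch for one event carrying READ and HANGUP together.
 * The flawed shape runs both branches unconditionally, so on_hangup()
 * would receive the pointer on_read() already freed. */
static void dispatch(struct client *c, unsigned events) {
    if ((events & EV_READ) && !on_read(c))
        return; /* client is gone: skip the hangup branch */
    if (events & EV_HANGUP)
        on_hangup(c);
}

/* Returns live_clients * 10 + hangups_run after one READ+HANGUP event. */
int demo(bool privileged_cmd) {
    live_clients = hangups_run = 0;
    struct client *c = client_new(privileged_cmd);
    if (c == NULL)
        return -1;
    dispatch(c, EV_READ | EV_HANGUP);
    return live_clients * 10 + hangups_run;
}
```

Building a model like this with `-fsanitize=address` and removing the early `return` makes the stale access visible as a heap-use-after-free report.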

Affected Version(s)

dhcpcd 0 <= 10.3.2

dhcpcd 78ea09ed1633a583dbcde6e7bab9df4639ec8a34

CVSS V4

Score: 5.7
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

CuB3y0nd
VulnCheck