Newline Injection Vulnerability in OpenWrt's odhcpd Client
CVE-2026-62948

9.6CRITICAL

Key Information:

Vendor

Openwrt

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-62948?

The odhcpd client in OpenWrt, prior to version 25.12.5, is vulnerable to newline injection due to improper handling of DHCPv6 client FQDN option 39 hostnames. This vulnerability allows attackers to inject forged lease lines that the LuCI interface displays as live HTML content in the Active DHCPv6 Leases admin page. The vulnerability is addressed in the update to version 25.12.5, emphasizing the importance of keeping your OpenWrt installation current to mitigate risks.

Affected Version(s)

openwrt < 25.12.5

References

CVSS V3.1

Score:
9.6
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.