Newline Injection Vulnerability in OpenWrt's odhcpd Client
CVE-2026-62948
9.6CRITICAL
What is CVE-2026-62948?
The odhcpd client in OpenWrt, prior to version 25.12.5, is vulnerable to newline injection due to improper handling of DHCPv6 client FQDN option 39 hostnames. This vulnerability allows attackers to inject forged lease lines that the LuCI interface displays as live HTML content in the Active DHCPv6 Leases admin page. The vulnerability is addressed in the update to version 25.12.5, emphasizing the importance of keeping your OpenWrt installation current to mitigate risks.
Affected Version(s)
openwrt < 25.12.5
