dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash.
References
Configurations
History
28 Jun 2026, 00:27
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:dhcpcd_project:dhcpcd:*:*:*:*:*:*:*:* | |
| References | () https://github.com/NetworkConfiguration/dhcpcd/commit/708b4a56bae080a5b18c2e0c4c6fbe103131a2b0 - Patch | |
| References | () https://www.vulncheck.com/advisories/dhcpcd-memory-leak-dos-via-ipv6-router-advertisement-handling - Third Party Advisory | |
| First Time |
Dhcpcd Project
Dhcpcd Project dhcpcd |
23 Jun 2026, 17:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-23 17:17
Updated : 2026-07-14 22:17
NVD link : CVE-2026-56116
Mitre link : CVE-2026-56116
CVE.ORG link : CVE-2026-56116
JSON object : View
Products Affected
dhcpcd_project
- dhcpcd
CWE
CWE-401
Missing Release of Memory after Effective Lifetime
