CVE-2026-56116

dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash.
Configurations

Configuration 1 (hide)

cpe:2.3:a:dhcpcd_project:dhcpcd:*:*:*:*:*:*:*:*

History

28 Jun 2026, 00:27

Type Values Removed Values Added
CPE cpe:2.3:a:dhcpcd_project:dhcpcd:*:*:*:*:*:*:*:*
References () https://github.com/NetworkConfiguration/dhcpcd/commit/708b4a56bae080a5b18c2e0c4c6fbe103131a2b0 - () https://github.com/NetworkConfiguration/dhcpcd/commit/708b4a56bae080a5b18c2e0c4c6fbe103131a2b0 - Patch
References () https://www.vulncheck.com/advisories/dhcpcd-memory-leak-dos-via-ipv6-router-advertisement-handling - () https://www.vulncheck.com/advisories/dhcpcd-memory-leak-dos-via-ipv6-router-advertisement-handling - Third Party Advisory
First Time Dhcpcd Project
Dhcpcd Project dhcpcd

23 Jun 2026, 17:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-23 17:17

Updated : 2026-07-14 22:17


NVD link : CVE-2026-56116

Mitre link : CVE-2026-56116

CVE.ORG link : CVE-2026-56116


JSON object : View

Products Affected

dhcpcd_project

  • dhcpcd
CWE
CWE-401

Missing Release of Memory after Effective Lifetime