dhcpcd 10.3 CVE-2026-56114 and 56116#676
Conversation
Fixes a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash. Reported-by: CuB3y0nd <root@cubeyond.net> CVE: CVE-2026-56116
) Fixes a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory. Reported-by: CuB3y0nd <root@cubeyond.net> CVE: CVE-2026-56114
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@ColinMcInnes I merged these as patches for all Debian releases: I also made a best effort to backport at least some of these to oldstable: |
DHCPv6: Prefix exclude option can be 17 octets (#671)
https://www.cve.org/CVERecord?id=CVE-2026-56114
IPv6ND: Free routeinfo when it expires (#670)
https://www.cve.org/CVERecord?id=CVE-2026-56116