dhcpcd 10.3 CVE-2026-56114 and 56116 #675
Closed
ColinMcInnes wants to merge 5 commits into
Event if kevent or epoll return an error from the operation. We still return the error so the caller can log a diagnostic. Thanks to Graham Northup for the hint. May help with NetworkConfiguration#596.
This only happens when dhcpcd is running on a specific interface and can trigger erroneous logs deleting the socket from kqueue/epoll. With the prior eloop it could also trigger ia events from a non related fd if re-used. Hopefully fixes NetworkConfiguration#596.
Final call to the control queue used the wrong 'buflen' variable. Change so the function stays consistent. Signed-off-by: Cezar Craciunoiu <cezar@unikraft.io>
Fixes a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash. Reported-by: CuB3y0nd <root@cubeyond.net> CVE: CVE-2026-56116
Fixes a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory. Reported-by: CuB3y0nd <root@cubeyond.net> CVE: CVE-2026-56114
Walkthrough
The PR updates DHCPv6 prefix-delegation payload sizing, event deletion handling, IPv6 address cleanup order, route-information expiration cleanup, and the listener notification length passed to
Changes
Runtime cleanup and bookkeeping
gh CLI broke, this was supposed to go into -10 branch.
DHCPv6: Prefix exclude option can be 17 octets (#671)
https://www.cve.org/CVERecord?id=CVE-2026-56114
IPv6ND: Free routeinfo when it expires (#670)
https://www.cve.org/CVERecord?id=CVE-2026-56116
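The 17-octet bound named in the first fix above follows from the RFC 6603 OPTION_PD_EXCLUDE layout: one prefix-len octet plus 1 to 16 subnet ID octets. The sketch below is an added example, not dhcpcd's code; the function names and the sample prefix are hypothetical, and it shows a length-checked serializer that refuses a buffer one octet too small.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6603: body = 1 prefix-len octet + 1..16 subnet ID octets. */
#define PD_EXCLUDE_MAX_BODY 17

/* Octets needed for the option body, or 0 if the lengths are invalid.
 * pd_len is the delegated (IAPREFIX) length, ex_len the excluded one. */
size_t pd_exclude_body_len(unsigned pd_len, unsigned ex_len)
{
	if (ex_len > 128 || ex_len <= pd_len)
		return 0;
	return 1 + (ex_len - pd_len + 7) / 8;
}

/* Write the body into out[outcap]; returns octets written, or 0 when the
 * lengths are invalid or the buffer is too small (nothing is written). */
size_t pd_exclude_encode(uint8_t *out, size_t outcap, unsigned pd_len,
    const uint8_t ex_prefix[16], unsigned ex_len)
{
	size_t need = pd_exclude_body_len(pd_len, ex_len);
	unsigned i, src;

	if (need == 0 || need > outcap)
		return 0;
	memset(out, 0, need);
	out[0] = (uint8_t)ex_len;
	/* Copy bits pd_len..ex_len-1, left-aligned and zero-padded. */
	for (i = 0; i < ex_len - pd_len; i++) {
		src = pd_len + i;
		if (ex_prefix[src / 8] & (0x80u >> (src % 8)))
			out[1 + i / 8] |= (uint8_t)(0x80u >> (i % 8));
	}
	return need;
}

int main(void)
{
	uint8_t ex[16] = { 0 }, small[16], full[PD_EXCLUDE_MAX_BODY];

	ex[15] = 0x80; /* constructed sample: excluded prefix ::80/121 */
	printf("/0 with /121 exclude needs %zu octets\n", pd_exclude_body_len(0, 121));
	printf("16-octet buffer: %zu written\n", pd_exclude_encode(small, sizeof(small), 0, ex, 121));
	printf("17-octet buffer: %zu written\n", pd_exclude_encode(full, sizeof(full), 0, ex, 121));
	return 0;
}
```

With a /0 delegated prefix, exclude lengths /121 through /128 are the only ones that need all 17 octets, which matches the range given in the CVE-2026-56114 description.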