dhcpcd 10.3 CVE-2026-56114 and 56116 #675

Closed
ColinMcInnes wants to merge 5 commits into NetworkConfiguration:master from ColinMcInnes:dhcpcd-10

@ColinMcInnes ColinMcInnes commented Jun 26, 2026

rsmarples and others added 5 commits May 21, 2026 18:49
Even if kevent or epoll return an error from the operation.
We still return the error so the caller can log a diagnostic.

Thanks to Graham Northup for the hint.
May help with NetworkConfiguration#596.

This only happens when dhcpcd is running on a specific interface
and can trigger erroneous logs deleting the socket from
kqueue/epoll.
With the prior eloop it could also trigger ia events from a
non related fd if re-used.

Hopefully fixes NetworkConfiguration#596.

Final call to the control queue used the wrong 'buflen'
variable. Change so the function stays consistent.

Signed-off-by: Cezar Craciunoiu <cezar@unikraft.io>

Fixes a memory leak vulnerability in the IPv6 Router Advertisement route
information handling that allows an unauthenticated same-link attacker
to cause denial of service by sending crafted Router Advertisements.

Attackers can repeatedly send Router Advertisements containing Route
Information options with a lifetime of zero, triggering unfreed
allocations in routeinfo_findalloc() that cause linear memory
exhaustion and eventual daemon crash.

Reported-by: CuB3y0nd <root@cubeyond.net>
CVE: CVE-2026-56116

Fixes a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage()
in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond
a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE
option body.

Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD
IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length
of /121 through /128 to trigger the out-of-bounds write and potentially
corrupt adjacent stack memory.

Reported-by: CuB3y0nd <root@cubeyond.net>
CVE: CVE-2026-56114
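
The size arithmetic behind the CVE-2026-56114 commit message above, as an added example that is not dhcpcd's code and not part of this PR: under RFC 6603 the OPTION_PD_EXCLUDE body is one prefix-length byte plus a subnet ID of up to 16 bytes, so a /0 delegation with a /121 to /128 excluded prefix needs 17 bytes and a 16-byte buffer is one byte short. The function names, the macro and the sample prefix are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 6603 OPTION_PD_EXCLUDE body: 1 prefix-len byte + IPv6 subnet ID.
 * Worst case (delegated /0, excluded /121../128) is 1 + 16 = 17 bytes. */
#define PD_EXCLUDE_MAX_BODY 17

/* Body length for a delegated prefix of pd_len bits and an excluded
 * prefix of ex_len bits; 0 if RFC 6603 does not allow the pair. */
size_t pd_exclude_body_len(uint8_t pd_len, uint8_t ex_len)
{
    if (ex_len > 128 || ex_len <= pd_len)
        return 0;
    return 1 + (size_t)(ex_len - pd_len - 1) / 8 + 1;
}

/* Hypothetical helper, not dhcpcd's code: write the body into out and
 * return its length, or return 0 without writing if it does not fit. */
size_t pd_exclude_encode(uint8_t *out, size_t outlen, uint8_t pd_len,
    const uint8_t ex_prefix[16], uint8_t ex_len)
{
    size_t len = pd_exclude_body_len(pd_len, ex_len), nbits, i, src;

    if (len == 0 || len > outlen)
        return 0;
    memset(out, 0, len);
    out[0] = ex_len;
    nbits = (size_t)(ex_len - pd_len);
    /* Copy bits pd_len..ex_len-1, left-aligned, zero-padded. */
    for (i = 0; i < nbits; i++) {
        src = pd_len + i;
        if (ex_prefix[src / 8] & (0x80 >> (src % 8)))
            out[1 + i / 8] |= (uint8_t)(0x80 >> (i % 8));
    }
    return len;
}

int main(void)
{
    /* Constructed sample: exclude 2001:db8:0:ff42::/64 from a /56. */
    const uint8_t ex[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0xff, 0x42 };
    uint8_t body[PD_EXCLUDE_MAX_BODY];

    return pd_exclude_encode(body, sizeof(body), 56, ex, 64) == 2 ? 0 : 1;
}
```
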

coderabbitai Bot commented Jun 26, 2026

Walkthrough

The PR updates DHCPv6 prefix-delegation payload sizing, event deletion handling, IPv6 address cleanup order, route-information expiration cleanup, and the listener notification length passed to control_queue().

Changes

Runtime cleanup and bookkeeping

| Layer / File(s) | Summary |
|---|---|
| Event deletion and fd cleanup: src/eloop.c, src/ipv6.c | eloop_event_delete() stores backend delete status, clears internal event state even on syscall failure, and ipv6_freeaddr() deletes the DHCPv6 event before closing the FD. |
| PD exclude scratch buffer: src/dhcp6.c | dhcp6_makemessage() changes the temporary PD exclude buffer to 17 bytes and adds a local byte variable while building the option payload. |
| Expired routeinfo cleanup: src/ipv6nd.c | ipv6nd_expirera() frees each removed routeinfo after taking it out of rap->rinfos. |
| Control queue length argument: src/script.c | script_runreason() passes (size_t)buflen to control_queue() in the listener notification loop. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title references the dhcpcd 10.3 security fixes covered by this changeset, even though it is broader than the individual code changes. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The description directly matches two of the implemented fixes in DHCPv6 prefix exclude handling and IPv6ND routeinfo cleanup. |

@ColinMcInnes ColinMcInnes changed the title from "dhcpcd 10" to "dhcpcd 10.3 CVE-2026-56114 and 56116" Jun 26, 2026
@ColinMcInnes

gh CLI broke, this was supposed to go into -10 branch.
