
dhcpcd 10.3 CVE-2026-56114 and 56116 #676

Open
ColinMcInnes wants to merge 2 commits into NetworkConfiguration:dhcpcd-10 from ColinMcInnes:dhcpcd-10

Conversation

@ColinMcInnes

Contributor

DHCPv6: Prefix exclude option can be 17 octets (#671)
https://www.cve.org/CVERecord?id=CVE-2026-56114

IPv6ND: Free routeinfo when it expires (#670)
https://www.cve.org/CVERecord?id=CVE-2026-56116

Fixes a memory leak vulnerability in the IPv6 Router Advertisement route
information handling that allows an unauthenticated same-link attacker
to cause denial of service by sending crafted Router Advertisements.

Attackers can repeatedly send Router Advertisements containing Route
Information options with a lifetime of zero, triggering unfreed
allocations in routeinfo_findalloc() that cause linear memory
exhaustion and eventual daemon crash.

Reported-by: CuB3y0nd <root@cubeyond.net>
CVE: CVE-2026-56116

Fixes a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage()
in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond
a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE
option body.

Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD
IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length
of /121 through /128 to trigger the out-of-bounds write and potentially
corrupt adjacent stack memory.

Reported-by: CuB3y0nd <root@cubeyond.net>
CVE: CVE-2026-56114
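As an added example (not dhcpcd's code), the RFC 6603 length arithmetic behind the first fix: on a /0 delegation, exclude prefix lengths /121 through /128 make the OPTION_PD_EXCLUDE body 17 octets, one more than a 16-octet buffer holds, so the serializer must check the bound before writing. Function names and the pre-packed subnet-ID argument are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6603 OPTION_PD_EXCLUDE body:
 *   prefix-len (1 octet) || IPv6 subnet ID (ceil((prefix-len - delegated-len) / 8) octets)
 * so the body is 1 + ceil(...) octets, in the range 2..17. */
#define PD_EXCLUDE_MAX_LEN 17

/* Body length for a given delegated and excluded prefix length, 0 if invalid. */
size_t pd_exclude_len(unsigned delegated_len, unsigned exclude_len)
{
    if (exclude_len > 128 || exclude_len <= delegated_len)
        return 0;
    return 1 + (exclude_len - delegated_len + 7) / 8;
}

/* Serialize into buf, refusing to write if the body does not fit.
 * subnet_id holds the excluded bits already packed MSB-first (assumption).
 * Returns octets written, or 0 when rejected. */
size_t pd_exclude_write(uint8_t *buf, size_t bufsz, unsigned delegated_len,
                        unsigned exclude_len, const uint8_t *subnet_id)
{
    size_t need = pd_exclude_len(delegated_len, exclude_len);

    if (need == 0 || need > bufsz)   /* the bound check the bug lacked */
        return 0;
    buf[0] = (uint8_t)exclude_len;
    memcpy(buf + 1, subnet_id, need - 1);
    return need;
}

int main(void)
{
    uint8_t id[16] = {0};                 /* constructed subnet ID, all zero */
    uint8_t small[16], full[PD_EXCLUDE_MAX_LEN];

    printf("/0 + /120 body: %zu octets\n", pd_exclude_len(0, 120));   /* 16 */
    printf("/0 + /121 body: %zu octets\n", pd_exclude_len(0, 121));   /* 17 */
    printf("16-octet buffer, /128: %zu written\n",
           pd_exclude_write(small, sizeof small, 0, 128, id));        /* 0: rejected */
    printf("17-octet buffer, /128: %zu written\n",
           pd_exclude_write(full, sizeof full, 0, 128, id));          /* 17 */
    return 0;
}
```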
@coderabbitai

coderabbitai Bot commented Jun 26, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.
