CVE-2026-42512

As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun. A specially crafted packet can cause dhclient to o...

high 8.1 CVSS 3.1
Published: Apr 30, 2026
Modified: May 1, 2026
Vendor: Freebsd
Product: Freebsd
Versions: 13.5,14.3,14.4,15.0

Description

As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun.

A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.

References

Related CVEs

CVE-2026-35547 high · 8.1
When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bound
CVE-2026-39457 high · 7.8
When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file de
CVE-2026-7164 high · 7.5
Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic. Remote attackers can craft packet
CVE-2026-7270 high · 7.8
An operator precedence bug in the kernel results in a scenario where a buffer overflow causes attacker-controlled data to overwrite adjacent execve(2) argument buffers. The bug ma
CVE-2026-42511 high · 8.1
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequ