Home / mailings FreeBSD Security Advisory FreeBSD-SA-26:12.dhclient
Posted on 29 April 2026
FreeBSD security notificat=============================================================================FreeBSD-SA-26:12.dhclient Security Advisory
The FreeBSD Project
Topic: Remote code execution via malicious DHCP options
Category: core
Module: dhclient
Announced: 2026-04-29
Credits: Joshua Rogers of AISLE Research Team
Affects: All supported versions of FreeBSD.
Corrected: 2026-04-29 14:47:47 UTC (stable/15, 15.0-STABLE)
2026-04-29 14:48:28 UTC (releng/15.0, 15.0-RELEASE-p7)
2026-04-29 14:48:50 UTC (stable/14, 14.4-STABLE)
2026-04-29 14:49:41 UTC (releng/14.4, 14.4-RELEASE-p3)
2026-04-29 14:49:22 UTC (releng/14.3, 14.3-RELEASE-p12)
2026-04-29 14:50:06 UTC (stable/13, 13.5-STABLE)
2026-04-29 14:50:18 UTC (releng/13.5, 13.5-RELEASE-p13)
CVE Name: CVE-2026-42511
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.
I. Background
dhclient(8) is the default IPv4 DHCP client used on FreeBSD. It is
responsible for contacting DHCP servers on a network segment and for
initialising and configuring network interfaces based on received
information.
II. Problem Description
The BOOTP file field is written to the lease file without escaping embedded
double-quotes, allowing injection of arbitrary dhclient.conf directives.
When the lease file is subsequently re-parsed by dhclient, e.g., after a
system restart, an attacker-controlled field from the lease is passed to
dhclient-script(8), which evaluates it.
III. Impact
A rogue DHCP server may be able to execute arbirary code as root on a system
running dhclient.
IV. Workaround
No workaround is available. Systems not running dhclient(8) are not
affected.
The attacker needs to be on the same broadcast domain and respond to DHCP
requests. A well-managed network will configure DHCP snooping on switches to
prevent rogue DHCP servers from operating.
V. Solution
Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Perform one of the following:
1) To update your vulnerable system installed from base system packages:
Systems running a 15.0-RELEASE version of FreeBSD on the amd64 or arm64
platforms, which were installed using base system packages, can be updated
via the pkg(8) utility:
# pkg upgrade -r FreeBSD-base
2) To update your vulnerable system installed from binary distribution sets:
Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, which were not installed using base
system packages, can be updated via the freebsd-update(8) utility:
# freebsd-update fetch
# freebsd-update install
3) To update your vulnerable system via a source code patch:
The following patches have been verified to apply to the applicable
FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch
# fetch https://security.FreeBSD.org/patches/SA-26:12/dhclient.patch.asc
# gpg --verify dhclient.patch.asc
b) Apply the patch. Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
Restart the applicable daemons, or reboot the system.
VI. Correction details
This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:
Branch/path Hash Revision
- -------------------------------------------------------------------------
stable/15/ 2621f6c5d4ae stable/15-n283377
releng/15.0/ e7b4fb41aafa releng/15.0-n281029
stable/14/ b3087e05e848 stable/14-n274076
releng/14.4/ 73b801e3b5b3 releng/14.4-n273691
releng/14.3/ dda71167a101 releng/14.3-n271492
stable/13/ 46c01e4dd102 stable/13-n259859
releng/13.5/ a2d45189b9ee releng/13.5-n259215
- -------------------------------------------------------------------------
Run the following command to see which files were modified by a
particular commit:
# git show --stat <commit hash>
Or visit the following URL, replacing NNNNNN with the hash:
<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:
# git rev-list --count --first-parent HEAD
VII. References
<URL:https://www.cve.org/CVERecord?id=CVE-2026-42511>
The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-26:12.dhclient.asc>
