The FreeBSD Challenge has launched a vital safety advisory addressing a extreme flaw in its default IPv4 DHCP consumer.
Tracked as CVE-2026-42511, this vulnerability permits a neighborhood community attacker to execute arbitrary code as root, granting them full management over the compromised machine.
Found by Joshua Rogers of the AISLE Analysis Group, the vulnerability impacts all at the moment supported variations of FreeBSD.
FreeBSD DHCP Consumer Vulnerability
The core problem resides in how dhclient(8) processes community configuration parameters from DHCP servers.
When a tool joins a community, it requests IP configuration information. The DHCP consumer takes the supplied BOOTP file subject and writes it to a neighborhood DHCP lease file.
Nonetheless, a vital parsing error happens throughout this course of: the software program fails to flee embedded double-quotes correctly.
This oversight permits a malicious actor to inject arbitrary configuration directives instantly into the dhclient.conf file.
When the lease file is later re-parsed, equivalent to throughout a system restart or a community service reload, these attacker-controlled fields are handed to dhclient-script(8).
As a result of this script evaluates the enter with high-level system privileges, the injected instructions are executed as root.
To efficiently exploit CVE-2026-42511, an attacker should be on the identical broadcast area (native community) because the goal.
By deploying a rogue DHCP server, the attacker can intercept and reply to the sufferer’s DHCP requests with maliciously crafted information packets.
As soon as triggered, the vulnerability ends in complete system compromise. An attacker may set up persistent backdoors, deploy ransomware, or pivot deeper into the company community.
From a menace intelligence perspective, this aligns with MITRE ATT&CK strategies for Adversary-in-the-Center (T1557) and Command and Scripting Interpreter (T1059).
The vulnerability is current throughout all supported FreeBSD releases and steady branches, particularly:
- FreeBSD 15.0 (15.0-RELEASE and 15.0-STABLE)
- FreeBSD 14.4 and 14.3 (14.4-RELEASE, 14.3-RELEASE, and 14.4-STABLE)
- FreeBSD 13.5 (13.5-RELEASE and 13.5-STABLE)
The FreeBSD Challenge has already rolled out safety patches.
System directors ought to replace their working techniques instantly utilizing one of many following strategies, as outlined in the FreeBSD advisory (FreeBSD-SA-26:12.dhclient).
1. Base System Packages:
For techniques put in utilizing base packages (amd64/arm64 on FreeBSD 15.0), run:
# pkg improve -r FreeBSD-base
2. Binary Distributions:
For different launch variations, make the most of the replace utility:
# freebsd-update fetch
# freebsd-update set up
There isn’t any direct software program workaround for units that should run dhclient.
Nonetheless, community directors can neutralize this menace by enabling DHCP snooping on enterprise community switches.
DHCP snooping acts as a firewall between untrusted hosts and trusted DHCP servers, successfully blocking rogue DHCP servers from delivering the malicious payload to weak endpoints. Techniques not working dhclient(8) are fully unaffected.
Observe us on Google News, LinkedIn, and X for every day cybersecurity updates. Contact us to function your tales.