The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it.
A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.
Metrics
Affected Vendors & Products
| Vendors | Products |
|---|---|
| Freebsd |
|
No data.
No data.
OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.
| Vendors | Products |
|---|---|
| Freebsd |
|
References
History
Thu, 30 Apr 2026 08:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Freebsd
Freebsd freebsd |
|
| Vendors & Products |
Freebsd
Freebsd freebsd |
Thu, 30 Apr 2026 07:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient. | |
| Title | Remote code execution via malicious DHCP options | |
| Weaknesses | CWE-149 | |
| References |
|
MITRE
Status: PUBLISHED
Assigner: freebsd
Published:
Updated: 2026-04-30T06:56:36.929Z
Reserved: 2026-04-28T05:31:44.956Z
Link: CVE-2026-42511
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-04-30T07:16:37.290
Modified: 2026-04-30T07:16:37.290
Link: CVE-2026-42511
Redhat
No data.
OpenCVE Enrichment
Updated: 2026-04-30T08:20:16Z