CVE Alert

CVE-2026-56113

MEDIUM 5.3

dhcpcd Heap Use-After-Free in dhcp6_deprecateaddrs via DHCPv6 RENEW

CVSS Score: 5.3
EPSS Score: 0.0%
EPSS Percentile: 0th

dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers acting as or impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.
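The bug class described above, as an added example (not dhcpcd's code and not the change made in commit 5733d3c): `TAILQ_FOREACH_SAFE` only tolerates removal of the current element, so nested code that frees a different entry of the same list can leave the loop holding a freed pointer. The sketch shows one generic way to avoid that, where nested work only marks entries and a single sweep does every free. `struct addr`, `sweep()` and `add()` are hypothetical names, and one level of delegation is assumed.

```c
#include <stdlib.h>
#include <sys/queue.h>
#ifndef TAILQ_FOREACH_SAFE /* glibc's <sys/queue.h> does not provide it */
#define TAILQ_FOREACH_SAFE(v, h, f, n) \
    for ((v) = TAILQ_FIRST(h); (v) && ((n) = TAILQ_NEXT(v, f), 1); (v) = (n))
#endif
struct addr {                  /* hypothetical entry, not dhcpcd's struct */
    TAILQ_ENTRY(addr) next;
    struct addr *parent;       /* prefix this entry was delegated from */
    int expired;               /* both lifetimes are zero */
};
TAILQ_HEAD(addrhead, addr);

/* Nested work only marks entries; this loop is the single place that frees. */
static int sweep(struct addrhead *head)
{
    struct addr *ia, *ian;
    int freed = 0;
    TAILQ_FOREACH(ia, head, next)             /* pass 1: expiry reaches children */
        if (ia->parent != NULL && ia->parent->expired)
            ia->expired = 1;
    TAILQ_FOREACH_SAFE(ia, head, next, ian) { /* pass 2: ian is never freed early */
        if (!ia->expired)
            continue;
        TAILQ_REMOVE(head, ia, next);
        free(ia);
        freed++;
    }
    return freed;
}

static struct addr *add(struct addrhead *h, struct addr *parent, int expired)
{
    struct addr *a = calloc(1, sizeof(*a));
    if (a == NULL)
        abort();
    a->parent = parent;
    a->expired = expired;
    TAILQ_INSERT_TAIL(h, a, next);
    return a;
}

int main(void)
{
    struct addrhead h = TAILQ_HEAD_INITIALIZER(h);
    struct addr *p = add(&h, NULL, 1);  /* constructed: expired parent ... */
    add(&h, p, 0);                      /* ... followed by its live child */
    return sweep(&h) == 2 ? 0 : 1;
}
```

Building the unsafe variant (freeing the child from inside the loop body) with `-fsanitize=address` is a quick way to confirm that a sanitizer run would flag this pattern in a code review.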

CWE: CWE-416
Vendor: networkconfiguration
Product: dhcpcd
Published: Jun 23, 2026
Last Updated: Jun 23, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Affected Versions

NetworkConfiguration / dhcpcd
0 ≤ 10.3.2

References

github.com: https://github.com/NetworkConfiguration/dhcpcd/commit/5733d3c59a5651f64357ac11c98b4f39895c8d25
vulncheck.com: https://www.vulncheck.com/advisories/dhcpcd-heap-use-after-free-in-dhcp6-deprecateaddrs-via-dhcpv6-renew

Credits

CuB3y0nd VulnCheck