CVE-2026-56116

MEDIUM 6.5

dhcpcd Memory Leak DoS via IPv6 Router Advertisement Handling

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash.

CWE	CWE-401
Vendor	networkconfiguration
Product	dhcpcd
Published	Jun 23, 2026
Last Updated	Jun 23, 2026

Stay Ahead of the Next One

Get instant alerts for networkconfiguration dhcpcd

Be the first to know when new medium vulnerabilities affecting networkconfiguration dhcpcd are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

NetworkConfiguration / dhcpcd

0 ≤ 10.3.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/NetworkConfiguration/dhcpcd/commit/708b4a56bae080a5b18c2e0c4c6fbe103131a2b0 vulncheck.com: https://www.vulncheck.com/advisories/dhcpcd-memory-leak-dos-via-ipv6-router-advertisement-handling

Credits

CuB3y0nd VulnCheck