Critical FreeBSD DHCP Client Bug Lets Attackers Run Code as Root
Key Takeaways A critical vulnerability (CVE-2026-42511) has been identified in the default IPv4 DHCP client of FreeBSD. The flaw allows a local network attacker to execute arbitrary code with root...
Key Takeaways
- A critical vulnerability (CVE-2026-42511) has been identified in the default IPv4 DHCP client of FreeBSD.
- The flaw allows a local network attacker to execute arbitrary code with root privileges on affected systems.
- All currently supported versions of FreeBSD (15.0, 14.4, 14.3, and 13.5) are impacted.
- Patches are available, and immediate system updates are strongly recommended.
The FreeBSD Project has issued a significant security advisory concerning a severe vulnerability within the operating system’s default IPv4 DHCP client. This flaw, assigned CVE-2026-42511, presents a critical risk, enabling a local network attacker to achieve root-level code execution and gain complete control over a compromised machine.
Table Of Content
Joshua Rogers of the AISLE Research Team is credited with discovering this vulnerability, which affects all supported FreeBSD versions.
FreeBSD DHCP Client Vulnerability Explained
The root cause of the vulnerability lies in the way the dhclient(8) utility processes network configuration parameters received from DHCP servers. When a device initiates a request to join a network, it obtains IP configuration data. The DHCP client then writes the provided BOOTP file field into a local DHCP lease file.
A crucial parsing error occurs during this write operation: the software fails to properly escape embedded double-quote characters. This oversight creates an opening for a malicious actor to inject arbitrary configuration directives directly into the dhclient.conf file.
Subsequently, when this lease file is re-parsed—for instance, during a system reboot or a network service restart—the attacker-controlled fields are passed to the dhclient-script(8). Since this script executes with elevated system privileges, any injected commands are run as root, leading to total system compromise.
Exploitation Scenario
Successful exploitation of CVE-2026-42511 requires the attacker to be present on the same local network (broadcast domain) as the target system. By setting up a rogue DHCP server, the attacker can intercept legitimate DHCP requests from the victim and respond with specially crafted data packets containing the malicious payload.
Once triggered, the vulnerability grants the attacker full control over the compromised system. This could enable them to establish persistent backdoors, deploy ransomware, or move laterally within a corporate network. From a threat intelligence perspective, this aligns with MITRE ATT&CK techniques such as Adversary-in-the-Middle (T1557) and Command and Scripting Interpreter (T1059).
Affected Versions
The vulnerability is present across all currently supported FreeBSD releases and their stable branches:
- FreeBSD 15.0: 15.0-RELEASE and 15.0-STABLE
- FreeBSD 14.4 and 14.3: 14.4-RELEASE, 14.3-RELEASE, and 14.4-STABLE
- FreeBSD 13.5: 13.5-RELEASE and 13.5-STABLE
What You Should Do
The FreeBSD Project has promptly released security patches to address this vulnerability. System administrators are urged to update their operating systems immediately. The recommended update procedures are detailed in the official FreeBSD advisory (FreeBSD-SA-26:12.dhclient):
- For systems using base packages (amd64/arm64 on FreeBSD 15.0):
# pkg upgrade -r FreeBSD-base - For other release versions using binary distributions:
# freebsd-update fetch # freebsd-update install - Network-level mitigation: While no direct software workaround exists for devices that must run
dhclient, network administrators can implement DHCP snooping on enterprise network switches. This feature acts as a protective barrier, preventing rogue DHCP servers from delivering malicious payloads to vulnerable endpoints. - Systems that do not utilize
dhclient(8)are not affected by this vulnerability.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.