MNBSD-2026-6: Remotely triggerable out-of-bounds heap write in dhclient

Severity: Unknown

Affected Package: dhclient

Summary: Remotely triggerable out-of-bounds heap write in dhclient

Description

As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun. A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.

Affected Versions

dhclient

Recommendations

No specific recommendations provided.

References

https://security.FreeBSD.org/advisories/FreeBSD-SA-26:15.dhclient.asc
https://www.cve.org/CVERecord?id=CVE-2026-42512

Additional Information

Aliases: CVE-2026-42512

Published: April 29, 2026
Last Modified: April 29, 2026