MNBSD-2026-9: Remote code execution via malicious DHCP options

Severity: Unknown

Affected Package: dhclient

Summary: Remote code execution via malicious DHCP options

Description

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbitrary code as root on a system running dhclient.

Affected Versions

dhclient

Recommendations

No specific recommendations provided.

References

https://security.FreeBSD.org/advisories/FreeBSD-SA-26:12.dhclient.asc
https://www.cve.org/CVERecord?id=CVE-2026-42511

Additional Information

Aliases: CVE-2026-42511

Published: April 29, 2026
Last Modified: April 29, 2026