Source: dhcpcd
Version: 1:10.3.2-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerabilities were published for dhcpcd.

CVE-2026-56113[0]:
| dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap
| use-after-free vulnerability that allows unauthenticated same-link
| attackers to crash the daemon by sending a crafted DHCPv6 RENEW
| reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid
| lifetimes set to zero. Attackers acting as or impersonating a DHCPv6
| server can trigger dhcp6_deprecatedele() to free a delegated child
| address while an outer TAILQ_FOREACH_SAFE iterator in
| dhcp6_deprecateaddrs() still holds the freed pointer, causing a
| use-after-free when TAILQ_REMOVE is reached.

CVE-2026-56114[1]:
| dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte
| stack out-of-bounds write vulnerability in dhcp6_makemessage() in
| src/dhcp6.c that allows unauthenticated same-link attackers to write
| beyond a fixed local buffer by serializing an oversized RFC6603
| OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6
| ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid
| OPTION_PD_EXCLUDE using an exclude prefix length of /121 through
| /128 to trigger the out-of-bounds write and potentially corrupt
| adjacent stack memory.

CVE-2026-56115[2]:
| Bootimus through 0.1.70 contains a broken access control
| vulnerability that allows authenticated low-privileged users to
| perform administrative actions by exploiting missing role
| enforcement in the JWTMiddleware function in internal/auth/auth.go,
| which validates JWT tokens and account status but fails to inspect
| the is_admin flag. Attackers can send requests to any endpoint under
| the /api/users path to create new administrator accounts or reset
| administrator passwords, thereby gaining full control of the server
| and the ability to modify boot menus and installation scripts served
| to PXE clients.

CVE-2026-56116[3]:
| dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory
| leak vulnerability in the IPv6 Router Advertisement route
| information handling that allows an unauthenticated same-link
| attacker to cause denial of service by sending crafted Router
| Advertisements. Attackers can repeatedly send Router Advertisements
| containing Route Information options with a lifetime of zero,
| triggering unfreed allocations in routeinfo_findalloc() that cause
| linear memory exhaustion and eventual daemon crash.

CVE-2026-56117[4]:
| dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap
| use-after-free vulnerability in the control socket handling within
| src/control.c that allows local unprivileged attackers to trigger
| memory corruption when privilege separation is disabled. Attackers
| can connect to the control socket and send a privileged command such
| as -x, causing control_recvdata() to free the client object while
| the same READ+HANGUP event subsequently reaches control_hangup()
| with the stale pointer, resulting in a use-after-free condition
| exploitable in deployments using --disable-privsep or where privsep
| initialization has failed with the control socket operating in mode
| 0666.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56113
    https://www.cve.org/CVERecord?id=CVE-2026-56113
[1] https://security-tracker.debian.org/tracker/CVE-2026-56114
    https://www.cve.org/CVERecord?id=CVE-2026-56114
[2] https://security-tracker.debian.org/tracker/CVE-2026-56115
    https://www.cve.org/CVERecord?id=CVE-2026-56115
[3] https://security-tracker.debian.org/tracker/CVE-2026-56116
    https://www.cve.org/CVERecord?id=CVE-2026-56116
[4] https://security-tracker.debian.org/tracker/CVE-2026-56117
    https://www.cve.org/CVERecord?id=CVE-2026-56117

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
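The CVE-2026-56113 description above turns on a pitfall that is easy to reproduce outside dhcpcd: TAILQ_FOREACH_SAFE saves only the next pointer before the loop body runs, so a body that frees any element other than the one it is visiting (here a child address freed while its delegating prefix is deprecated) leaves that saved pointer dangling, and the next iteration's TAILQ_REMOVE operates on freed memory. The C below is an added example and not dhcpcd's code: struct addr, free_children(), deprecate_unsafe() and deprecate_safe() are simplified stand-ins for dhcpcd's address list, dhcp6_deprecatedele() and dhcp6_deprecateaddrs(), and the list contents in run_scenario() are constructed. It places the vulnerable loop shape beside a mark-then-sweep version in which each iteration frees only the element it is visiting.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/* glibc's sys/queue.h has no TAILQ_FOREACH_SAFE; this is the BSD definition. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)            \
	for ((var) = TAILQ_FIRST((head));                     \
	     (var) && ((tvar) = TAILQ_NEXT((var), field), 1); \
	     (var) = (tvar))
#endif

/* Simplified stand-in for a dhcpcd address entry (an assumption, not dhcpcd's struct). */
struct addr {
	TAILQ_ENTRY(addr) next;
	char name[40];
	struct addr *delegating_prefix; /* IA_PD prefix this child was derived from, else NULL */
	uint32_t pltime, vltime;        /* preferred / valid lifetimes; both zero => deprecate */
	int doomed;                     /* marked for removal by deprecate_safe() */
};
TAILQ_HEAD(addr_head, addr);

struct addr *addr_add(struct addr_head *h, const char *name, struct addr *parent,
    uint32_t pltime, uint32_t vltime)
{
	struct addr *a = calloc(1, sizeof(*a));
	if (a == NULL)
		abort();
	snprintf(a->name, sizeof(a->name), "%s", name);
	a->delegating_prefix = parent;
	a->pltime = pltime;
	a->vltime = vltime;
	TAILQ_INSERT_TAIL(h, a, next);
	return a;
}

/* Frees every child derived from parent: the role dhcp6_deprecatedele() plays in the advisory. */
static void free_children(struct addr_head *h, struct addr *parent)
{
	struct addr *a, *an;
	TAILQ_FOREACH_SAFE(a, h, next, an) {
		if (a->delegating_prefix == parent) {
			TAILQ_REMOVE(h, a, next);
			free(a);
		}
	}
}

/* VULNERABLE shape. _SAFE only protects against freeing ap itself: apn was read before the
 * body ran. When free_children() frees the element apn points to, the next iteration runs
 * TAILQ_REMOVE() on freed memory. Shown for comparison; never called in this file. */
void deprecate_unsafe(struct addr_head *h)
{
	struct addr *ap, *apn;
	TAILQ_FOREACH_SAFE(ap, h, next, apn) {
		if (ap->pltime != 0 || ap->vltime != 0)
			continue;
		if (ap->delegating_prefix == NULL)
			free_children(h, ap); /* may free *apn */
		TAILQ_REMOVE(h, ap, next);    /* use-after-free on the following iteration */
		free(ap);
	}
}

/* Hardened shape: decide first, free later. Each sweep iteration frees only ap, so the
 * saved apn can never dangle. Returns the number of entries removed. */
size_t deprecate_safe(struct addr_head *h)
{
	struct addr *ap, *apn;
	size_t removed = 0;

	TAILQ_FOREACH(ap, h, next) /* pass 1a: prefixes whose lifetimes were zeroed */
		if (ap->delegating_prefix == NULL && ap->pltime == 0 && ap->vltime == 0)
			ap->doomed = 1;
	TAILQ_FOREACH(ap, h, next) /* pass 1b: children of a doomed prefix (parents still alive) */
		if (ap->delegating_prefix != NULL && ap->delegating_prefix->doomed)
			ap->doomed = 1;
	TAILQ_FOREACH_SAFE(ap, h, next, apn) { /* pass 2: sweep, freeing only ap */
		if (!ap->doomed)
			continue;
		TAILQ_REMOVE(h, ap, next);
		free(ap);
		removed++;
	}
	return removed;
}

/* Constructed scenario: a delegated prefix whose RENEW reply carried zero lifetimes, the
 * child address derived from it (the entry apn would point at), and one unrelated address.
 * Returns how many entries were removed; *remaining receives how many are left. */
size_t run_scenario(size_t *remaining)
{
	struct addr_head h = TAILQ_HEAD_INITIALIZER(h);
	struct addr *pd, *a;
	size_t removed, left = 0;

	pd = addr_add(&h, "2001:db8:1::/48 (IA_PD)", NULL, 0, 0);
	addr_add(&h, "2001:db8:1:1::1 (child of IA_PD)", pd, 3600, 7200);
	addr_add(&h, "2001:db8:ffff::1 (IA_NA)", NULL, 3600, 7200);

	removed = deprecate_safe(&h);
	TAILQ_FOREACH(a, &h, next)
		left++;
	*remaining = left;
	while ((a = TAILQ_FIRST(&h)) != NULL) { /* release what survived */
		TAILQ_REMOVE(&h, a, next);
		free(a);
	}
	return removed;
}
```

The page does not say how upstream commit 5733d3c closes the window (mark-then-sweep as above, or re-reading the next pointer after the inner free are both common); what matters for review is that no iteration frees an element the outer loop still references. Running deprecate_unsafe() on the same three-entry list under -fsanitize=address reports the heap-use-after-free at the TAILQ_REMOVE line.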
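For CVE-2026-56114 the practitioner-relevant detail is the RFC 6603 length arithmetic: OPTION_PD_EXCLUDE option-data is one prefix-len byte plus ceil((prefix-len - delegated-prefix-len)/8) bytes of IPv6 subnet ID, i.e. 2 to 17 bytes, so with a /0 delegated prefix every exclude length from /121 to /128 needs 17 bytes and overruns a 16-byte buffer by exactly one byte, which is the range the advisory names. The C below is an added example and not dhcpcd's dhcp6_makemessage(): pd_exclude_datalen(), pd_exclude_encode() and pd_exclude_overflowing_lens() are hypothetical names, sample_prefix is constructed, and the left-aligned subnet-ID bit layout is my reading of RFC 6603 section 4.2 (the bounds check does not depend on it).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define D6_OPTION_PD_EXCLUDE 67 /* RFC 6603 option code */

/* Constructed sample: excluded prefix 2001:db8:dead:beef::/64. */
const uint8_t sample_prefix[16] = {
	0x20, 0x01, 0x0d, 0xb8, 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0, 0, 0, 0, 0
};

/* option-data length: 1 byte of prefix-len plus ceil((exclude_len - delegated_len)/8)
 * bytes of subnet ID. Ranges from 2 to 17, so a 16-byte buffer is one byte short for
 * the largest legal encodings. */
size_t pd_exclude_datalen(unsigned delegated_len, unsigned exclude_len)
{
	return 1 + ((exclude_len - delegated_len) + 7) / 8;
}

/* Serialize OPTION_PD_EXCLUDE option-data into out[0..outlen). The subnet ID carries
 * the bits of the excluded prefix after delegated_len, left-aligned (assumed layout;
 * for 2001:db8:dead:bee0::/59 excluding 2001:db8:dead:beef::/64 it yields 0x78).
 * Returns bytes written, or -1 for an invalid prefix-len or a buffer too small. */
int pd_exclude_encode(const uint8_t prefix[16], unsigned delegated_len,
    unsigned exclude_len, uint8_t *out, size_t outlen)
{
	size_t need;
	unsigned i, nbits;

	/* RFC 6603: delegated-prefix-len < prefix-len <= 128 */
	if (exclude_len > 128 || exclude_len <= delegated_len)
		return -1;
	need = pd_exclude_datalen(delegated_len, exclude_len);
	if (need > outlen) /* the check whose absence gives the one-byte overrun */
		return -1;
	memset(out, 0, need);
	out[0] = (uint8_t)exclude_len;
	nbits = exclude_len - delegated_len;
	for (i = 0; i < nbits; i++) {
		unsigned src = delegated_len + i;
		unsigned bit = (prefix[src / 8] >> (7 - src % 8)) & 1;
		out[1 + i / 8] |= (uint8_t)(bit << (7 - i % 8));
	}
	return (int)need;
}

/* Count the exclude lengths (delegated_len+1 .. 128) whose option-data does not fit in
 * bufsize bytes. For a /0 delegated prefix and a 16-byte buffer this is 8: /121 to /128. */
unsigned pd_exclude_overflowing_lens(unsigned delegated_len, size_t bufsize)
{
	unsigned e, n = 0;
	for (e = delegated_len + 1; e <= 128; e++)
		if (pd_exclude_datalen(delegated_len, e) > bufsize)
			n++;
	return n;
}
```

To see the advisory's bug shape, give pd_exclude_encode() a 16-byte stack buffer, delete the need > outlen check, and build with -fsanitize=address: a /0 delegated prefix with any exclude length from /121 to /128 writes out[16], one byte past the buffer, while /113 to /120 still fit.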

