Threat Intelligence Database

A heap use-after-free vulnerability exists in dhcpcd through version 10.3.2 in the control socket handling code. This flaw allows local unprivileged attackers to cause memory corruption when privilege separation is disabled or fails. The issue arises when a privileged command triggers freeing of a client object while a stale pointer is still processed, leading to use-after-free. The vulnerability is fixed in a commit identified as 78ea09e.

dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash.

dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.

dhcpcd versions up to and including 10.3.2 contain a one-byte stack out-of-bounds write vulnerability in the dhcp6_makemessage() function. This flaw allows unauthenticated attackers on the same link to send a crafted DHCPv6 ADVERTISE message with a specially formed OPTION_PD_EXCLUDE option, causing a write beyond a fixed buffer. This can lead to corruption of adjacent stack memory. The issue is fixed in a commit identified as 2f00c7b, but no official patch or vendor advisory is provided in the data.

dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-after-free vulnerability that allows unauthenticated same-link attackers to crash the daemon by sending a crafted DHCPv6 RENEW reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid lifetimes set to zero. Attackers acting as or impersonating a DHCPv6 server can trigger dhcp6_deprecatedele() to free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator in dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-after-free when TAILQ_REMOVE is reached.

CVE-2025-70102 is a medium severity vulnerability in Roy Marples NetworkConfiguration/dhcpcd version 10.3.0. It involves a NULL pointer dereference in the parse_option() function when parsing configuration options, leading to a runtime error and program abort. This occurs due to member access on a NULL pointer of type 'struct dhcp_opt' when an unexpected or invalid option token causes a lookup to return NULL.