#1140767 dhcpcd: CVE-2026-56113 CVE-2026-56114 CVE-2026-56116 CVE-2026-56117

Package:
src:dhcpcd
Source:
src:dhcpcd
Submitter:
Salvatore Bonaccorso
Date:
2026-06-26 14:47:02 UTC
Severity:
normal
#1140767#5
Date:
2026-06-26 04:13:16 UTC
Hi,

The following vulnerabilities were published for dhcpcd.

CVE-2026-56113[0]:
| dhcpcd through 10.3.2, fixed in commit 5733d3c, contains a heap use-
| after-free vulnerability that allows unauthenticated same-link
| attackers to crash the daemon by sending a crafted DHCPv6 RENEW
| reply with RFC6603 OPTION_PD_EXCLUDE and both preferred and valid
| lifetimes set to zero. Attackers acting as or impersonating a DHCPv6
| server can trigger dhcp6_deprecatedele() to free a delegated child
| address while an outer TAILQ_FOREACH_SAFE iterator in
| dhcp6_deprecateaddrs() still holds the freed pointer, causing a use-
| after-free when TAILQ_REMOVE is reached.


CVE-2026-56114[1]:
| dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte
| stack out-of-bounds write vulnerability in dhcp6_makemessage() in
| src/dhcp6.c that allows unauthenticated same-link attackers to write
| beyond a fixed local buffer by serializing an oversized RFC6603
| OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6
| ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid
| OPTION_PD_EXCLUDE using an exclude prefix length of /121 through
| /128 to trigger the out-of-bounds write and potentially corrupt
| adjacent stack memory.


CVE-2026-56115[2]:
| Bootimus through 0.1.70 contains a broken access control
| vulnerability that allows authenticated low-privileged users to
| perform administrative actions by exploiting missing role
| enforcement in the JWTMiddleware function in internal/auth/auth.go,
| which validates JWT tokens and account status but fails to inspect
| the is_admin flag. Attackers can send requests to any endpoint under
| the /api/users path to create new administrator accounts or reset
| administrator passwords, thereby gaining full control of the server
| and the ability to modify boot menus and installation scripts served
| to PXE clients.


CVE-2026-56116[3]:
| dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory
| leak vulnerability in the IPv6 Router Advertisement route
| information handling that allows an unauthenticated same-link
| attacker to cause denial of service by sending crafted Router
| Advertisements. Attackers can repeatedly send Router Advertisements
| containing Route Information options with a lifetime of zero,
| triggering unfreed allocations in routeinfo_findalloc() that cause
| linear memory exhaustion and eventual daemon crash.


CVE-2026-56117[4]:
| dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-
| after-free vulnerability in the control socket handling within
| src/control.c that allows local unprivileged attackers to trigger
| memory corruption when privilege separation is disabled. Attackers
| can connect to the control socket and send a privileged command such
| as -x, causing control_recvdata() to free the client object while
| the same READ+HANGUP event subsequently reaches control_hangup()
| with the stale pointer, resulting in a use-after-free condition
| exploitable in deployments using --disable-privsep or where privsep
| initialization has failed with the control socket operating in mode
| 0666.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-56113
https://www.cve.org/CVERecord?id=CVE-2026-56113
[1] https://security-tracker.debian.org/tracker/CVE-2026-56114
https://www.cve.org/CVERecord?id=CVE-2026-56114
[2] https://security-tracker.debian.org/tracker/CVE-2026-56115
https://www.cve.org/CVERecord?id=CVE-2026-56115
[3] https://security-tracker.debian.org/tracker/CVE-2026-56116
https://www.cve.org/CVERecord?id=CVE-2026-56116
[4] https://security-tracker.debian.org/tracker/CVE-2026-56117
https://www.cve.org/CVERecord?id=CVE-2026-56117

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
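The list-iteration hazard behind CVE-2026-56113, shown as an added example that is not dhcpcd's code: TAILQ_FOREACH_SAFE only tolerates removal of the current element, so a callee that unlinks other members (here a delegated prefix's child addresses) can leave the saved next pointer aimed at freed memory. The struct ia_addr, add_addr, free_children and deprecate_addrs names are hypothetical; the block uses sys/queue.h and defines TAILQ_FOREACH_SAFE itself where the system header lacks it.

```c
#include <stdlib.h>
#include <sys/queue.h>
/* glibc's sys/queue.h has no TAILQ_FOREACH_SAFE (dhcpcd ships a compat
 * header); supply the usual BSD definition when it is missing. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)                      \
    for ((var) = TAILQ_FIRST((head));                                   \
         (var) && ((tvar) = TAILQ_NEXT((var), field), 1); (var) = (tvar))
#endif

/* Hypothetical IA address: prefixes (parent == NULL) and their children share a list. */
struct ia_addr {
    TAILQ_ENTRY(ia_addr) next;
    struct ia_addr *parent;
    unsigned preferred, valid;   /* both lifetimes zero: deprecate and drop */
};
TAILQ_HEAD(ia_addrs, ia_addr);

struct ia_addr *add_addr(struct ia_addrs *l, struct ia_addr *parent,
                         unsigned pref, unsigned valid)
{
    struct ia_addr *a = calloc(1, sizeof(*a)); if (!a) abort();
    a->parent = parent; a->preferred = pref; a->valid = valid;
    TAILQ_INSERT_TAIL(l, a, next);
    return a;
}

/* Frees every child of `parent`, unlinking arbitrary list members; a caller in
 * TAILQ_FOREACH_SAFE whose saved next is a child (the CVE-2026-56113 shape) dangles. */
static size_t free_children(struct ia_addrs *l, struct ia_addr *parent)
{
    struct ia_addr *c, *cn; size_t n = 0;
    TAILQ_FOREACH_SAFE(c, l, next, cn)
        if (c->parent == parent) { TAILQ_REMOVE(l, c, next); free(c); n++; }
    return n;
}

/* Hardened loop: rescan from the head after any callee that mutates the list. */
size_t deprecate_addrs(struct ia_addrs *l)
{
    struct ia_addr *ia; size_t n = 0;
again:
    TAILQ_FOREACH(ia, l, next)
        if (ia->parent == NULL && ia->preferred == 0 && ia->valid == 0) {
            n += free_children(l, ia);          /* may unlink any member */
            TAILQ_REMOVE(l, ia, next); free(ia); n++;
            goto again;                         /* never reuse a saved next */
        }
    return n;                                   /* entries freed */
}
```

The rescan costs a second pass per deprecated prefix, which is negligible for the handful of addresses a DHCPv6 client holds and avoids every saved-pointer assumption.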

#1140767#10
Date:
2026-06-26 05:22:34 UTC
Thanks for the heads-up. CVE-2026-56115 doesn't seem to concern dhcpcd, though.

Martin-Éric

On Fri 26 Jun 2026 at 7:15, Salvatore Bonaccorso (carnil@debian.org) wrote:

#1140767#15
Date:
2026-06-26 05:55:32 UTC
Control: retitle -1 dhcpcd: CVE-2026-56113 CVE-2026-56114 CVE-2026-56116 CVE-2026-56117

No, that seems to have been an issue while we triaged the issues. I
have updated as well the security-tracker metadata, thanks!

Regards,
Salvatore

#1140767#22
Date:
2026-06-26 14:44:37 UTC
We believe that the bug you reported is fixed in the latest version of
dhcpcd, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140767@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Martin-Éric Racine <martin-eric.racine@iki.fi> (supplier of updated dhcpcd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 26 Jun 2026 15:24:47 +0300
Source: dhcpcd
Architecture: source
Version: 1:10.3.2-4
Distribution: unstable
Urgency: medium
Maintainer: Martin-Éric Racine <martin-eric.racine@iki.fi>
Changed-By: Martin-Éric Racine <martin-eric.racine@iki.fi>
Closes: 1140767
Changes:
 dhcpcd (1:10.3.2-4) unstable; urgency=medium
 .
   * [patches] (Closes: #1140767)
     + Cherry-pick upstream fix for CVE-2026-56113 (commit 5733d3c).
     + Cherry-pick upstream fix for CVE-2026-56114 (commit 2f00c7b).
     + Cherry-pick upstream fix for CVE-2026-56116 (commit 708b4a5).
     + Cherry-pick upstream fix for CVE-2026-56117 (commit 78ea09e).