FreeBSD Patches Critical RCE Flaw Granting Root Access via DHCP
The FreeBSD Project has issued a critical security advisory (FreeBSD-SA-26:12.dhclient) addressing a severe Remote Code Execution (RCE) vulnerability in its default IPv4 DHCP client.
Tracked as CVE-2026-42511, the flaw enables local network attackers to execute arbitrary code with full root privileges, posing a significant risk to exposed systems across all supported FreeBSD branches.
The vulnerability was discovered by Joshua Rogers of the AISLE Research Team and reported through responsible disclosure.
FreeBSD DHCP Client RCE Vulnerability
The security flaw originates in the dhclient(8) utility’s handling of malicious DHCP lease options. Specifically, the bug is triggered when the BOOTP file field is written to the system’s lease file during the DHCP negotiation process.
The core issue is a failure to properly escape embedded double-quotes within that field. This oversight allows threat actors to inject arbitrary directives directly into the dhclient.conf configuration file, effectively poisoning the system’s network configuration.
The malicious payload remains dormant until the DHCP lease file is re-parsed, an event that commonly occurs during a system restart or network interface reinitialization.
Once re-parsed, the attacker-controlled field is passed directly to the dhclient-script(8) service, which evaluates and executes the injected code with root-level permissions.
To exploit CVE-2026-42511, an attacker must be positioned within the same local broadcast domain as the target system.
By deploying a rogue DHCP server, the attacker intercepts legitimate DHCP requests and responds with a specially crafted BOOTP file field containing the malicious payload.
A successful attack results in complete system compromise. With root access, a threat actor can install persistence mechanisms, deploy malware, exfiltrate sensitive data, or pivot laterally across the internal network.
Affected FreeBSD Versions
The vulnerability impacts all actively supported FreeBSD branches. Systems running the following versions are at risk if they actively use the dhclient service:
- FreeBSD 15: 15.0-STABLE, 15.0-RELEASE-p7
- FreeBSD 14: 14.4-STABLE, 14.4-RELEASE-p3, 14.3-RELEASE-p12
- FreeBSD 13: 13.5-STABLE, 13.5-RELEASE-p13
Systems that do not utilize dhclient(8) for network configuration are not affected by this vulnerability.
Mitigation and Patch
No direct software workaround exists for systems relying on dhclient. However, administrators can implement DHCP snooping on managed network switches as a network-level defense, effectively blocking rogue DHCP servers and neutralizing the primary attack vector.
The FreeBSD Project strongly urges administrators to apply security patches immediately using one of the following methods:
Binary Updates
# freebsd-update fetch
# freebsd-update install
Package-Based Updates
# pkg upgrade -r FreeBSD-base
After patching, administrators must reboot the system or restart the applicable networking daemons to fully apply the fix and neutralize any previously poisoned lease files.
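As an added example (not part of the advisory or of FreeBSD's own code), the following audit flags lease-file `filename` statements that are not a single quoted string, which is the shape the unescaped-quote bug described above would leave behind. The lease text is constructed, and the statement layout and the `/var/db/dhclient.leases.<interface>` location are assumptions to confirm on your own system.

```python
import re
import sys
from pathlib import Path

# Constructed lease text (documentation addresses); not captured from a real host.
# The second lease shows the shape an unescaped quote leaves in a filename line.
SAMPLE_LEASES = '''\
lease {
  interface "em0";
  fixed-address 192.0.2.10;
  filename "pxeboot";
  option subnet-mask 255.255.255.0;
}
lease {
  interface "em0";
  fixed-address 192.0.2.11;
  filename "pxeboot"; PLACEHOLDER-INJECTED-STATEMENT; "";
  option subnet-mask 255.255.255.0;
}
'''

FILENAME_STMT = re.compile(r'^\s*filename\b')
# Deliberately strict: exactly one quoted string with no quote or backslash
# inside it, then the terminating semicolon and nothing else on the line.
WELL_FORMED = re.compile(r'^\s*filename\s+"[^"\\]*";\s*$')


def audit_leases(text):
    """Return (line_number, line) for every filename statement needing review."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if FILENAME_STMT.match(line) and not WELL_FORMED.match(line):
            findings.append((number, line.strip()))
    return findings


if __name__ == "__main__":
    # No arguments: audit the constructed sample. Otherwise audit each path given,
    # e.g. /var/db/dhclient.leases.em0 (assumed default location).
    paths = sys.argv[1:]
    texts = [(p, Path(p).read_text(errors="replace")) for p in paths]
    for name, text in texts or [("sample", SAMPLE_LEASES)]:
        for number, line in audit_leases(text):
            print(f"{name}:{number}: suspicious filename statement: {line}")
```

Because the check is strict, a filename containing an escaped quote is also reported; treat each hit as a lease to inspect by hand rather than as proof of compromise.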
Given the critical severity of CVE-2026-42511 and its potential for full root compromise via a rogue DHCP server, patching should be treated as an urgent priority for all FreeBSD deployments on shared or untrusted network segments.