FreeBSD has issued an urgent security advisory regarding a critical vulnerability in its default IPv4 DHCP client, dhclient(8). The flaw, tracked as CVE-2026-42511, carries a CVSS score of 8.1 and could allow a rogue DHCP server to execute arbitrary code with the highest possible privileges (root) on affected systems.
The vulnerability targets the core mechanism used to initialize and configure network interfaces, highlighting a significant risk for systems operating in unmanaged or hostile network environments.
The problem lies in how dhclient handles the BOOTP file field. When the client receives configuration data from a DHCP server, it writes this information to a local “lease file”. However, the software fails to escape embedded double-quotes in the BOOTP field, creating a classic injection vulnerability.
This oversight allows an attacker to inject arbitrary directives into the dhclient.conf configuration. The trap is sprung when the system is restarted or the lease file is re-parsed: the injected fields are passed to dhclient-script(8), which evaluates the malicious code as a root-level command.
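The two sentences above describe the whole bug: a server-supplied string is written into a quoted lease-file field without escaping, so an embedded double-quote closes the field early and whatever follows is parsed as further configuration. The Python below is an added example, not code from the advisory or from FreeBSD's dhclient; it shows (a) the escaping the writer should apply, and (b) a defender-side check that scans a lease file for `filename`/`server-name` lines whose quoted value is not well formed, which is the trace a quote injection leaves behind. The lease-file layout and the keyword names `filename` and `server-name` are assumptions modelled on the OpenBSD-derived client FreeBSD ships; the sample leases are constructed, and `injected-directive` is a placeholder, not a real dhclient.conf keyword.

```python
import re

# Lease keywords whose value is copied from the server's BOOTP 'file' and 'sname'
# fields. Assumed names, modelled on the OpenBSD-derived dhclient lease format.
STRING_FIELDS = ("filename", "server-name")

# A well-formed quoted string on one of those lines: exactly one opening quote, a
# body containing only non-quote characters or backslash escapes, one closing
# quote, the terminating semicolon, and nothing else on the line.
WELL_FORMED = re.compile(r'^\s*(filename|server-name)\s+"((?:[^"\\]|\\.)*)"\s*;\s*$')

# Constructed sample: lease 1 is clean, lease 2 carries a server-supplied
# filename whose embedded quote closed the field and smuggled in a second
# directive (placeholder keyword, not a real dhclient.conf option).
SAMPLE_LEASES = '''lease {
  interface "em0";
  fixed-address 192.0.2.10;
  option subnet-mask 255.255.255.0;
  filename "pxeboot";
  server-name "boot.example.net";
  renew 1 2026/01/05 10:00:00;
}
lease {
  interface "em0";
  fixed-address 192.0.2.11;
  filename "pxeboot"; injected-directive "x";
  server-name "boot.example.net";
}
'''


def quote_lease_string(value: str) -> str:
    """Quote a server-supplied string so it can never terminate the field early.

    Backslashes are escaped first, then double-quotes, so the reader's unescape
    step (\\\\ -> \\, \\" -> ") reverses it exactly. This is the step the
    vulnerable writer skipped.
    """
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def find_suspicious_lines(lease_text: str) -> list[tuple[int, str]]:
    """Return (line number, line) for every filename/server-name line that is
    not a single well-formed quoted string followed by a semicolon.

    A clean writer only ever produces well-formed lines, so anything else on
    these keywords is either corruption or an injection attempt worth a look.
    """
    hits = []
    for lineno, line in enumerate(lease_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped.startswith(STRING_FIELDS):
            continue
        if not WELL_FORMED.match(line):
            hits.append((lineno, stripped))
    return hits


if __name__ == "__main__":
    # Scan the constructed sample; on a real host you would read
    # /var/db/dhclient.leases.<ifname> instead (path assumed, check your system).
    for lineno, line in find_suspicious_lines(SAMPLE_LEASES):
        print(f"suspicious lease line {lineno}: {line}")
    # Show that the escaped form of a hostile value stays a single field.
    hostile = 'pxeboot"; injected-directive "x'
    print("escaped:", "filename " + quote_lease_string(hostile) + ";")
```

The scanner is deliberately strict: it does not try to interpret what follows the stray quote, it only reports that the field is not a single quoted string. Run it against the lease files of every interface on a host that was exposed to an untrusted broadcast domain before patching; the advisory's note that a reboot clears malicious leases is the remediation, and this check tells you whether there was anything to clear.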
“A rogue DHCP server may be able to execute arbitrary code as root on a system running dhclient,” the advisory warns.
To exploit this vulnerability, an attacker must be located on the same broadcast domain as the victim to respond to DHCP requests. While there is no direct software workaround for systems that must use dhclient, FreeBSD notes that a “well-managed network” can mitigate the risk by configuring DHCP snooping on switches to prevent rogue servers from operating.
Systems that do not run dhclient are unaffected by this vulnerability.
FreeBSD has released patches across its stable and security branches. Administrators are urged to upgrade their systems immediately using one of the following methods:
- For Base System Packages: Systems on FreeBSD 15.0-RELEASE can update via the package utility:
  # pkg upgrade -r FreeBSD-base
- For Binary Distributions: Most users on standard RELEASE versions can use the built-in update tool:
  # freebsd-update fetch
  # freebsd-update install
- For Source Code Users: Verified patches are available at security.FreeBSD.org. After applying the patch, users must recompile the operating system using the standard buildworld and installworld process.
A system reboot is required after the update to ensure the patched client is active and all malicious leases are cleared.