Unrated severityNVD Advisory· Published Jun 23, 2026· Updated Jun 23, 2026

dhcpcd Stack Out-of-Bounds Write in dhcp6_makemessage()

CVE-2026-56115

Description

dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

NetworkConfiguration/Dhcpcdinferred
Range: <=10.3.2

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/NetworkConfiguration/dhcpcd/commit/2f00c7bfc408b6582d331932dfa47829c4819029mitrepatch
www.vulncheck.com/advisories/dhcpcd-stack-out-of-bounds-write-in-dhcp6-makemessagemitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000