Unrated severityNVD Advisory· Published Jun 23, 2026

dhcpcd Heap Use-After-Free via Control Socket Handling

CVE-2026-56117

Description

dhcpcd through 10.3.2, fixed in commit 78ea09e, contains a heap use-after-free vulnerability in the control socket handling within src/control.c that allows local unprivileged attackers to trigger memory corruption when privilege separation is disabled. Attackers can connect to the control socket and send a privileged command such as -x, causing control_recvdata() to free the client object while the same READ+HANGUP event subsequently reaches control_hangup() with the stale pointer, resulting in a use-after-free condition exploitable in deployments using --disable-privsep or where privsep initialization has failed with the control socket operating in mode 0666.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

NetworkConfiguration/Dhcpcdllm-fuzzy
Range: <=10.3.2

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/NetworkConfiguration/dhcpcd/commit/78ea09ed1633a583dbcde6e7bab9df4639ec8a34mitrepatch
www.vulncheck.com/advisories/dhcpcd-heap-use-after-free-via-control-socket-handlingmitrethird-party-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000