FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root
By Abinaya
May 4, 2026
The FreeBSD Project has released a critical security advisory addressing a severe flaw in its default IPv4 DHCP client.
Tracked as CVE-2026-42511, this vulnerability allows a local network attacker to execute arbitrary code as root, granting them complete control over the compromised machine.
Discovered by Joshua Rogers of the AISLE Research Team, the vulnerability affects all currently supported versions of FreeBSD.
FreeBSD DHCP Client Vulnerability
The core issue resides in how dhclient(8) processes network configuration parameters from DHCP servers.
When a device joins a network, it requests IP configuration data. The DHCP client takes the provided BOOTP file field and writes it to a local DHCP lease file.
However, a critical parsing error occurs during this process: the software fails to escape embedded double-quotes properly.
This oversight allows a malicious actor to inject arbitrary configuration directives directly into the dhclient.conf file.
When the lease file is later re-parsed, such as during a system restart or a network service reload, these attacker-controlled fields are passed to dhclient-script(8).
Because this script evaluates the input with high-level system privileges, the injected commands are executed as root.
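The quoting failure described above, reduced to a self-contained C illustration (added here; it is not dhclient source or the FreeBSD patch). The function names, the inert sample value, the simplified tokenizer and the backslash-escape convention for quoted strings are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample: a boot-file value carrying embedded double-quotes. */
static const char SAMPLE[] = "boot\"; example-directive \"x";

/* "Before" shape: the value is placed between the quotes unchanged. */
int emit_raw(char *out, size_t n, const char *val) {
    int w = snprintf(out, n, "  filename \"%s\";\n", val);
    return (w < 0 || (size_t)w >= n) ? -1 : w;
}

/* Hardened shape: backslash-escape '"' and '\', refuse control bytes. */
int emit_escaped(char *out, size_t n, const char *val) {
    static const char head[] = "  filename \"";
    size_t o = sizeof head - 1;
    if (o + 4 > n) return -1;
    memcpy(out, head, o);
    for (const unsigned char *p = (const unsigned char *)val; *p; p++) {
        if (*p < 0x20 || *p == 0x7f || o + 6 > n) return -1; /* control byte or no room */
        if (*p == '"' || *p == '\\') out[o++] = '\\';
        out[o++] = (char)*p;
    }
    memcpy(out + o, "\";\n", 4);   /* closing quote, ';', newline, NUL */
    return (int)(o + 3);
}

/* Simplified tokenizer model: count ';' that fall outside quoted strings. */
int count_statements(const char *s) {
    int in_str = 0, esc = 0, count = 0;
    for (; *s; s++) {
        if (esc) esc = 0;
        else if (in_str && *s == '\\') esc = 1;
        else if (*s == '"') in_str = !in_str;
        else if (*s == ';' && !in_str) count++;
    }
    return count;
}

/* Statements a re-parse would see for one value; -1 if the writer refused. */
int statements_seen(const char *val, int escaped) {
    char line[512];
    int w = (escaped ? emit_escaped : emit_raw)(line, sizeof line, val);
    return w < 0 ? -1 : count_statements(line);
}

int main(void) {
    printf("raw: %d  escaped: %d\n", statements_seen(SAMPLE, 0), statements_seen(SAMPLE, 1));
    return 0;
}
```

With the unescaped writer the single field is read back as two statements; with escaping it stays one quoted string.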
To successfully exploit CVE-2026-42511, an attacker must be on the same broadcast domain (local network) as the target.
By deploying a rogue DHCP server, the attacker can intercept and respond to the victim’s DHCP requests with maliciously crafted data packets.
Once triggered, the vulnerability results in total system compromise. An attacker could establish persistent backdoors, deploy ransomware, or pivot deeper into the corporate network.
From a threat intelligence perspective, this aligns with MITRE ATT&CK techniques for Adversary-in-the-Middle (T1557) and Command and Scripting Interpreter (T1059).
The vulnerability is present across all supported FreeBSD releases and stable branches, specifically:
FreeBSD 15.0 (15.0-RELEASE and 15.0-STABLE)
FreeBSD 14.4 and 14.3 (14.4-RELEASE, 14.3-RELEASE, and 14.4-STABLE)
FreeBSD 13.5 (13.5-RELEASE and 13.5-STABLE)
Remediation and Mitigation Strategies
The FreeBSD Project has already rolled out security patches.
System administrators should update their operating systems immediately using one of the following methods, as outlined in the FreeBSD advisory (FreeBSD-SA-26:12.dhclient).
1. Base System Packages:
For systems installed using base packages (amd64/arm64 on FreeBSD 15.0), run:
# pkg upgrade -r FreeBSD-base
2. Binary Distributions:
For other release versions, utilize the update utility:
# freebsd-update fetch
# freebsd-update install
There is no direct software workaround for devices that must run dhclient.
However, network administrators can neutralize this threat by enabling DHCP snooping on enterprise network switches.
DHCP snooping acts as a firewall between untrusted hosts and trusted DHCP servers, effectively blocking rogue DHCP servers from delivering the malicious payload to vulnerable endpoints. Systems not running dhclient(8) are completely unaffected.