CVE-2026-56116 HIGH

CVE-2026-56116: dhcpcd Memory Leak DoS via IPv6 Router Advertisement Handling

Vendor Networkconfiguration
Product dhcpcd
Weakness CWE-401
Published June 23, 2026
Last update July 1, 2026

CVSS base score

7.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

dhcpcd through 10.3.2, fixed in commit 708b4a5, contains a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash.

Key dates

02Disclosure timeline

June 23, 2026 CVE published
July 1, 2026 Record updated