FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root

The FreeBSD Project has released a critical security advisory addressing a severe flaw in its default IPv4 DHCP client.

Tracked as CVE-2026-42511, this vulnerability allows a local network attacker to execute arbitrary code as root, granting them complete control over the compromised machine.

Discovered by Joshua Rogers of the AISLE Research Team, the vulnerability affects all currently supported versions of FreeBSD.

FreeBSD DHCP Client Vulnerability

The core issue resides in how dhclient(8) processes network configuration parameters from DHCP servers.

When a device joins a network, it requests IP configuration data. The DHCP client takes the provided BOOTP file field and writes it to a local DHCP lease file.

However, a critical parsing error occurs during this process: the software fails to escape embedded double-quotes properly.

This oversight allows a malicious actor to inject arbitrary configuration directives directly into the dhclient.conf file.

When the lease file is later re-parsed, such as during a system restart or a network service reload, these attacker-controlled fields are passed to dhclient-script(8).

Because this script evaluates the input with high-level system privileges, the injected commands are executed as root.

To successfully exploit CVE-2026-42511, an attacker must be on the same broadcast domain (local network) as the target.

By deploying a rogue DHCP server, the attacker can intercept and respond to the victim’s DHCP requests with maliciously crafted data packets.

Once triggered, the vulnerability results in total system compromise. An attacker could establish persistent backdoors, deploy ransomware, or pivot deeper into the corporate network.

From a threat intelligence perspective, this aligns with MITRE ATT&CK techniques for Adversary-in-the-Middle (T1557) and Command and Scripting Interpreter (T1059).

The vulnerability is present across all supported FreeBSD releases and stable branches, specifically:

• FreeBSD 15.0 (15.0-RELEASE and 15.0-STABLE)
• FreeBSD 14.4 and 14.3 (14.4-RELEASE, 14.3-RELEASE, and 14.4-STABLE)
• FreeBSD 13.5 (13.5-RELEASE and 13.5-STABLE)

Remediation and Mitigation Strategies

The FreeBSD Project has already rolled out security patches.

System administrators should update their operating systems immediately using one of the following methods, as outlined in the FreeBSD advisory (FreeBSD-SA-26:12.dhclient).

1. Base System Packages:

For systems installed using base packages (amd64/arm64 on FreeBSD 15.0), run:

# pkg upgrade -r FreeBSD-base

2. Binary Distributions:

For other release versions, utilize the update utility:

# freebsd-update fetch

# freebsd-update install

There is no direct software workaround for devices that must run dhclient.

However, network administrators can neutralize this threat by enabling DHCP snooping on enterprise network switches.

DHCP snooping acts as a firewall between untrusted hosts and trusted DHCP servers, effectively blocking rogue DHCP servers from delivering the malicious payload to vulnerable endpoints. Systems not running dhclient(8) are completely unaffected.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post FreeBSD DHCP Client Vulnerability Enables Remote Code Execution as Root appeared first on Cyber Security News.