Critical RCE Flaw in FreeBSD dhclient: Exploiting CVE-2026-42511
The FreeBSD Project has issued a critical security advisory (FreeBSD-SA-26:12.dhclient) to address a severe Remote Code Execution (RCE) vulnerability in its default IPv4 DHCP client. Tracked under the identifier CVE-2026-42511, this flaw allows local network attackers to execute arbitrary code with root privileges. Discovered by Joshua Rogers of the AISLE Research Team, the vulnerability affects all currently supported versions of FreeBSD.
This isn’t a bug that triggers immediately upon connection; it requires a malicious actor on your local broadcast domain and a specific configuration trigger to execute, but the stakes are high due to the root privilege elevation.
Technical Vulnerability Analysis
The security flaw originates in how the dhclient(8) utility handles malicious DHCP lease options. Specifically, the vulnerability is triggered when the BOOTP file field is written to the system’s lease file. Because the software fails to escape embedded double-quotes during this process properly, threat actors can inject arbitrary directives directly into the dhclient.conf file.
Unlike many buffer overflow exploits, the malicious payload remains dormant until the DHCP lease file is re-parsed. This typically occurs during a system restart or network interface initialization. When re-parsed, the attacker-controlled field is passed directly to the dhclient-script(8) service, which evaluates and executes the injected code.
The Attack Vector
To successfully exploit CVE-2026-42511, an attacker must be positioned on the same local broadcast domain as the target. By deploying a rogue DHCP server, the attacker can intercept legitimate DHCP requests and reply with the maliciously crafted BOOTP file field. If successful, this attack vector results in complete system compromise. The injected code executes with root permissions, allowing the threat actor to install persistence mechanisms, deploy malware, or pivot laterally within the compromised network.
Affected Versions
The vulnerability affects multiple supported FreeBSD branches. Systems running the following versions are at risk if they actively use the dhclient service:
- FreeBSD 15: 15.0-STABLE, 15.0-RELEASE-p7
- FreeBSD 14: 14.4-STABLE, 14.4-RELEASE-p3, 14.3-RELEASE-p12
- FreeBSD 13: 13.5-STABLE, 13.5-RELEASE-p13
Note: Systems that do not utilize dhclient(8) for network configuration are not affected by this vulnerability.
Mitigation and Defense
Currently, there is no direct software workaround for systems relying on dhclient. However, administrators can implement robust network-level defenses to neutralize the attack vector.
Configuring DHCP snooping on managed network switches is an effective strategy. This feature validates DHCP messages, ensuring that only trusted servers can hand out IP addresses, effectively blocking rogue DHCP servers from operating on the local segment.
How to Patch
The FreeBSD Project strongly urges administrators to apply the latest security patches immediately. Depending on your system configuration, use one of the following methods:
1. Binary Updates
For standard releases, fetch and install the binary patches using the built-in update tool:
# freebsd-update fetch
# freebsd-update install
2. Package Updates
For environments utilizing base system packages, upgrade via the package manager:
# pkg upgrade -r FreeBSD-base
Following the update, administrators must reboot the system or restart the applicable networking daemons to ensure the patch is applied and any previously poisoned lease files are neutralized.