PatchSiren

CVE-2016-1504 Dhcpcd Project CVE debrief

CVE-2016-1504 is a high-severity denial-of-service issue in dhcpcd. According to NVD, remote attackers could trigger an invalid read and crash through vectors related to option length. NVD rates the issue CVSS 3.0 7.5 (HIGH). Its CPE criteria list dhcpcd versions through 6.9.4 as impacted, and its description gives the affected range as dhcpcd before 6.10.0.

Vendor: Dhcpcd Project
Product: CVE-2016-1504
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-07
Original CVE updated: 2026-05-13
Advisory published: 2017-02-07
Advisory updated: 2026-05-13

Who should care

System administrators and maintainers running dhcpcd versions before 6.10.0, especially where DHCP client crashes would disrupt network connectivity. Security teams should also review vendor backports or distro-specific fixes if dhcpcd is packaged by the operating system.

Technical summary

The vulnerability is a memory-safety flaw (CWE-119) in dhcpcd’s handling of option length data. NVD describes it as an invalid read that can lead to a crash, producing availability impact only. The attack is network-reachable, requires no privileges or user interaction, and is described as remotely triggerable.

Defensive priority

High. This is a remotely reachable, no-authentication denial-of-service affecting network configuration software. Prioritize remediation on systems still running vulnerable dhcpcd releases or unpatched vendor packages.

Recommended defensive actions

  • Upgrade dhcpcd to 6.10.0 or later, or apply the vendor/distro backport that addresses the issue.
  • Confirm whether any deployed packages are in the vulnerable range listed by NVD (through 6.9.4).
  • Review the vendor advisory and release notes to verify the exact fixed build for your distribution.
  • Inventory systems that depend on dhcpcd for network connectivity, so that a crash does not cause unexpected outages.
  • Monitor for repeated dhcpcd crashes or DHCP-related service disruption until remediation is complete.
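
The version-range check from the list above, as an added example (not code from NVD or the dhcpcd project). The function names and sample version strings are constructed for illustration; the 6.10.0 threshold is the one stated on this page. Versions are compared field by field, because a plain string comparison ranks 6.9.4 above 6.10.0.

```shell
#!/bin/sh
# Added example: classify a dhcpcd version string against the release the
# page gives as fixed for CVE-2016-1504. Helper names are hypothetical.
FIXED_VERSION="6.10.0"

# Pull the dotted upstream version out of a string such as "dhcpcd 6.9.4"
# or a package version like "1:6.9.4-1" (epoch and revision are dropped).
extract_upstream_version() {
    printf '%s\n' "${1#*:}" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,\}\).*/\1/p' |
        head -n 1
}

# version_lt A B: succeed when dotted version A is numerically lower than B.
# Missing fields count as 0, so "6.10" equals "6.10.0".
version_lt() {
    vl_a=$1; vl_b=$2
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_x=${vl_a%%.*}; vl_y=${vl_b%%.*}
        [ "${vl_x:-0}" -lt "${vl_y:-0}" ] && return 0
        [ "${vl_x:-0}" -gt "${vl_y:-0}" ] && return 1
        case $vl_a in *.*) vl_a=${vl_a#*.} ;; *) vl_a= ;; esac
        case $vl_b in *.*) vl_b=${vl_b#*.} ;; *) vl_b= ;; esac
    done
    return 1
}

# Prints one of:
#   in-range  upstream version is below 6.10.0; confirm whether the
#             distribution shipped a backported fix before treating as exposed
#   fixed     upstream version is 6.10.0 or later
#   unknown   no version could be parsed from the input
classify_dhcpcd() {
    cd_v=$(extract_upstream_version "$1")
    if [ -z "$cd_v" ]; then
        echo unknown
    elif version_lt "$cd_v" "$FIXED_VERSION"; then
        echo in-range
    else
        echo fixed
    fi
}

# Constructed sample inputs. On a live host, pass the first line of
# `dhcpcd --version` or the installed package version instead.
for sample in "dhcpcd 6.9.4" "dhcpcd 6.10.0" "1:6.9.4-1" "not a version"; do
    printf '%-16s %s\n' "$sample" "$(classify_dhcpcd "$sample")"
done
```

An "in-range" result is a prompt to check the distribution's advisory, not proof of exposure, since a backported package keeps the older upstream number.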

Evidence notes

NVD describes CVE-2016-1504 as affecting dhcpcd before 6.10.0 and enabling a denial of service via an invalid read and crash related to option length. The NVD CPE criteria mark dhcpcd versions through 6.9.4 as vulnerable. The record’s weaknesses section identifies CWE-119. MITRE-linked references include a vendor patch/advisory, release notes, and third-party advisories, which support the existence of a fix and external reporting.

Official resources

The CVE was published on 2017-02-07 according to the supplied record. MITRE-linked references dated 2016-01-07 indicate the issue and fix were discussed earlier in vendor and mailing-list channels. The NVD record was later modified, but the