PatchSiren cyber security CVE debrief
CVE-2026-56113 NetworkConfiguration CVE debrief
CVE-2026-56113 is a heap use-after-free vulnerability in dhcpcd through 10.3.2, fixed in commit 5733d3c. It allows an unauthenticated attacker on the same link to crash the daemon by sending a crafted DHCPv6 RENEW reply that carries the RFC 6603 OPTION_PD_EXCLUDE option with both the preferred and valid lifetimes set to zero. The flaw is in the dhcp6_deprecateaddrs() function and can be triggered by an attacker acting as or impersonating a DHCPv6 server. The CVSS score for this vulnerability is 6, with a severity rating of MEDIUM. The vulnerability was published on June 23, 2026, and last modified on June 23, 2026.
- Vendor: NetworkConfiguration
- Product: dhcpcd
- CVSS: MEDIUM 6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-23
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-23
Who should care
Organizations that use dhcpcd should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a version of dhcpcd that is not vulnerable, or applying patches or workarounds as available. Additionally, organizations should monitor their systems for signs of exploitation and be prepared to respond quickly in the event of an attack.
Technical summary
The vulnerability is caused by a use-after-free error in the dhcp6_deprecateaddrs() function, which deprecates IPv6 addresses that are no longer needed. Due to a logic error, the function can free a delegated child address while an outer TAILQ_FOREACH_SAFE iterator still holds the freed pointer. The freed memory is then used when TAILQ_REMOVE is reached. An attacker can trigger this by sending a crafted DHCPv6 RENEW reply with the RFC 6603 OPTION_PD_EXCLUDE option and both preferred and valid lifetimes set to zero.
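The iterator hazard described above, modeled on a toy list as an added example; it is not dhcpcd's code and not the fix from commit 5733d3c. TAILQ_FOREACH_SAFE only tolerates removal of the element currently being visited, so this sketch marks entries first and unlinks them in a second pass. The struct, its fields and both function names are hypothetical.

```c
#include <stdlib.h>
#include <sys/queue.h>
#ifndef TAILQ_FOREACH_SAFE /* glibc's <sys/queue.h> lacks the _SAFE variants */
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)                  \
    for ((var) = TAILQ_FIRST(head);                                 \
         (var) && ((tvar) = TAILQ_NEXT(var, field), 1); (var) = (tvar))
#endif

/* Hypothetical model of an address list; these are not dhcpcd's types. */
struct addr {
    TAILQ_ENTRY(addr) next;
    struct addr *parent; /* set on a delegated child address */
    int expired;         /* preferred and valid lifetime both zero */
    int dead;            /* marked for removal but still linked */
};
TAILQ_HEAD(addrhead, addr);

struct addr *add_addr(struct addrhead *h, struct addr *parent, int expired)
{
    struct addr *a = calloc(1, sizeof(*a));
    if (a == NULL) abort();
    a->parent = parent;
    a->expired = expired;
    TAILQ_INSERT_TAIL(h, a, next);
    return a;
}

/* Mark-and-sweep deprecation; returns the number of entries freed. */
int deprecate_deferred(struct addrhead *h)
{
    struct addr *a, *c, *an;
    int freed = 0;
    /* Pass 1: mark only. Nothing is unlinked, so no saved pointer dangles. */
    TAILQ_FOREACH(a, h, next) {
        if (!a->expired) continue;
        a->dead = 1;
        TAILQ_FOREACH(c, h, next)
            if (c->parent == a)
                c->dead = 1;
    }
    /* Pass 2: unlink only the current element, which _SAFE allows. */
    TAILQ_FOREACH_SAFE(a, h, next, an) {
        if (!a->dead) continue;
        TAILQ_REMOVE(h, a, next);
        free(a);
        freed++;
    }
    return freed;
}
```

Building a variant that frees the children inside the first loop with AddressSanitizer enabled (`-fsanitize=address`) reports the heap use-after-free at the point the stale pointer is next touched.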
Defensive priority
This vulnerability has a CVSS score of 6 and a severity rating of MEDIUM. Organizations should prioritize patching or mitigating this vulnerability as soon as possible.
Recommended defensive actions
- Upgrade to a version of dhcpcd that is not vulnerable
- Apply patches or workarounds as available
- Monitor systems for signs of exploitation
- Be prepared to respond quickly in the event of an attack
- Review and update incident response plans
Evidence notes
The vulnerability was reported by VulnCheck and is described in CVE-2026-56113. The vulnerability is caused by a use-after-free error in the dhcp6_deprecateaddrs() function. The CVSS score for this vulnerability is 6, with a severity rating of MEDIUM.
This article is AI-assisted and based on the supplied source corpus.