Description
As dhclient is building an environment to pass to dhclient-script, it may need to resize the array of string pointers. The code which expands the array incorrectly calculates its new size when requesting memory, resulting in a heap buffer overrun. A specially crafted packet can cause dhclient to overrun its buffer of environment entries. This can result in a crash, but it may be possible to leverage this bug to achieve remote code execution.
Scores
EPSS
0.0010
EPSS Percentile
26.4%
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-122
Status
published
Products (4)
FreeBSD/FreeBSD
13.5-RELEASE - p13
FreeBSD/FreeBSD
14.3-RELEASE - p12
FreeBSD/FreeBSD
14.4-RELEASE - p3
FreeBSD/FreeBSD
15.0-RELEASE - p7
Published
Apr 30, 2026
Tracked Since
Apr 30, 2026