Vulnerability Overview
A critical flaw has been discovered in FreeBSD’s default DHCP client, tracked as CVE-2026-42511 on cve.org. This vulnerability allows an attacker on the same local network to execute arbitrary code with root privileges, leading to full system compromise. The issue was identified by Joshua Rogers from the AISLE Research Team and affects all currently supported FreeBSD releases.
The problem stems from how the dhclient software processes BOOTP file fields from DHCP servers. When the client writes this data to a local lease file, it fails to properly escape embedded double quotes. This oversight enables a malicious actor to inject unauthorized configuration directives into the dhclient.conf file.
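The class of bug described above, shown as an added example that is not FreeBSD's dhclient source: a lease writer that places a server-supplied string between double quotes verbatim, next to a hardened form that escapes it first. The function names, the lease line layout and the constructed sample value are assumptions for illustration, as is the parser treating a backslash as an escape character inside quoted strings.

```c
#include <stdio.h>

/* Constructed sample: a "file" value carrying embedded double quotes. */
const char SAMPLE[] = "boot.img\"; injected-statement \"x";

/* Hypothetical helper: copy `in` to `out` as the body of a quoted lease
 * string. Escapes '"' and '\\', rejects control bytes (incl. newline).
 * Returns 0 on success, -1 on reject or overflow. */
int lease_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0) return -1;
    for (; *in != '\0'; in++) {
        unsigned char c = (unsigned char)*in;
        if (c < 0x20 || c == 0x7f) return -1;
        if (c == '"' || c == '\\') {
            if (o + 1 >= outlen) return -1;
            out[o++] = '\\';
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Flawed pattern: the bytes go between the quotes unchanged, so an
 * embedded '"' ends the string early and the rest parses as statements. */
int write_filename_unsafe(char *line, size_t n, const char *file)
{
    return snprintf(line, n, "  filename \"%s\";\n", file);
}

/* Hardened form: escape first; drop the field if it cannot be encoded. */
int write_filename_safe(char *line, size_t n, const char *file)
{
    char esc[2 * 128 + 1];  /* BOOTP file field is 128 bytes, worst case 2x */
    if (lease_escape(file, esc, sizeof(esc)) != 0) return -1;
    return snprintf(line, n, "  filename \"%s\";\n", esc);
}

/* Count unescaped double quotes; one well-formed string line has 2. */
int bare_quotes(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s == '\\' && s[1] != '\0') { s++; continue; }
        if (*s == '"') n++;
    }
    return n;
}
```

With the constructed sample, the unsafe writer produces a line with four bare quotes (two strings and a stray statement), while the safe writer produces exactly two.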
How the Exploit Works
To exploit this vulnerability, an attacker must be present on the same broadcast domain as the target system. By deploying a rogue DHCP server, the attacker intercepts the victim’s DHCP requests and responds with specially crafted data packets. The injected fields are later parsed by dhclient-script during system restart or network service reload, causing the malicious commands to execute as root.
This attack aligns with MITRE ATT&CK techniques including Adversary-in-the-Middle (T1557) and Command and Scripting Interpreter (T1059). A successful exploit allows attackers to establish persistent backdoors, deploy ransomware, or move laterally through the corporate network.
Impact and Mitigation
The vulnerability affects FreeBSD 15.0, 14.4, 14.3, and 13.5 releases along with their stable branches. The FreeBSD Project has released security patches, and administrators should update their systems immediately. For systems that must run dhclient, enabling DHCP snooping on enterprise network switches can neutralize the threat by blocking rogue DHCP servers before they deliver malicious payloads. Systems not using dhclient are unaffected.
Source: Cybersecuritynews

