TP-EXP-2026-0023 CVE-2026-42511 high Patched AI Draft

FreeBSD dhclient Remote Code Execution via DHCP BOOTP File Field Injection (CVE-2026-42511)

Severity Assessment

  • Exploitability: 7/10
  • Impact: 9/10
  • Weaponization Risk: 8/10
  • Patch Urgency: 9/10
  • Detection Coverage: 3/10

Summary

CVE-2026-42511 is a vulnerability in FreeBSD’s dhclient(8) DHCP client where the BOOTP file field is written into the lease file without escaping embedded double quotes. When a malformed lease is later re-parsed, attacker-controlled content can reach dhclient-script(8), which evaluates directives and can allow unintended command execution as root.

FreeBSD classifies the flaw as remote code execution and rates it high severity. The advisory indicates that affected installations include supported versions of FreeBSD. Publicly available advisory data does not name any precondition beyond the attacker being reachable as a DHCP responder on the local segment.

An attacker needs local network access on the same broadcast domain and must be able to deliver crafted DHCP responses; this requirement is described in the official advisory and is reflected in FreeBSD’s remediation guidance.

Exploit Chain

Stage 1: Malformed DHCP lease data received

A rogue DHCP server on the same broadcast network sends a lease response containing a crafted BOOTP file field that includes unescaped quoting characters.

Stage 2: Unsafe lease writing by dhclient

dhclient writes the BOOTP file value directly to the lease file. Because embedded double quotes are not escaped, the malformed value is preserved as received and can carry text that is later read as lease-file syntax rather than as data.

Stage 3: Reparse and directive injection path

On restart or subsequent processing, dhclient reparses the lease file and forwards values to dhclient-script(8), where the injected content can be interpreted as directives.

Stage 4: Script evaluation under privileged context

The advisory reports that crafted input in this path can allow execution of arbitrary root-level code, consistent with a remote code execution chain where the attacker controls DHCP options in a privileged system service flow.

Detection Guidance

  1. Enforce DHCP source controls on managed networks. Restrict unauthorized DHCP servers using VLAN segmentation, DHCP snooping, and trusted uplink binding where available.
  2. Inventory and monitor hosts running dhclient on local network segments where untrusted DHCP servers may be present.
  3. Compare lease file behavior and content changes around DHCP renewal events for injected or malformed BOOTP file values containing unexpected quoting.
  4. Harden endpoint logging for DHCP client renewals and restart behavior to catch repeated lease reparsing with abnormal dhclient-script invocation patterns.
  5. Apply FreeBSD patches from official branches as soon as supported maintenance windows allow.
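
For item 3, a lease-file check can flag any filename statement that is not a single cleanly quoted value. The script below is an added example, not part of the advisory or of FreeBSD; it assumes dhclient writes one `filename "<value>";` statement per line and that lease files live at /var/db/dhclient.leases.<interface>, and its sample lease text is constructed.

```python
import re
import sys

# Assumption: dhclient writes one `filename "<value>";` statement per line.
# Well-formed: one quoted value with no interior '"', then ';' and nothing else.
WELL_FORMED = re.compile(r'^\s*filename\s+"[^"]*"\s*;\s*$')
IS_FILENAME = re.compile(r'^\s*filename\b')

# Constructed sample lease text (not captured from a real host).
SAMPLE = '''lease {
  fixed-address 192.0.2.10;
  filename "pxeboot";
}
lease {
  fixed-address 192.0.2.11;
  filename "pxe"boot";
}
lease {
  fixed-address 192.0.2.12;
  filename "pxeboot" extra;
}
'''

def classify(line):
    """Return None for a well-formed filename statement, else a reason."""
    if WELL_FORMED.match(line):
        return None
    quotes = line.count('"')
    if quotes > 2:
        return "extra double quote in value"
    if quotes < 2:
        return "unterminated or unquoted value"
    return "text outside the quoted value or missing ';'"

def scan_lease_text(text):
    """Return (line_number, reason, line) for each suspicious statement."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        reason = classify(line) if IS_FILENAME.match(line) else None
        if reason:
            findings.append((lineno, reason, line.strip()))
    return findings

if __name__ == "__main__":
    # Pass lease files as arguments; with none, the constructed sample is scanned.
    inputs = [(p, open(p, errors="replace").read()) for p in sys.argv[1:]]
    for name, text in inputs or [("<sample>", SAMPLE)]:
        for lineno, reason, line in scan_lease_text(text):
            print(f"{name}:{lineno}: {reason}: {line}")
```

A finding means the lease file should be preserved for review together with the DHCP server address recorded for that lease; it does not by itself show that anything was executed.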

Indicators of Compromise

  • DHCP transactions on a segment showing unexpected rogue DHCP Offer or DHCP Ack sources during sensitive network transitions.
  • Repeated unexpected dhclient lease file rewrites carrying atypical quoting in BOOTP file values before service restart/reparse.
  • Privileged script execution paths triggered during network interface renewals without normal administrative initiation.
  • Systems receiving DHCP responses from unknown infrastructure where dhclient-script behavior changes in unexpected ways.

Disclosure Timeline

2026-04-29 — FreeBSD Security Advisory published

FreeBSD published Security Advisory SA-26:12.dhclient, naming CVE-2026-42511 and identifying a remote code execution risk via malicious DHCP options. The advisory listed no workaround and noted the required patching paths for supported branches.

2026-04-30 — NVD entry published

The National Vulnerability Database added a public CVE record for CVE-2026-42511 with high severity under CVSS 3.1 and referenced the BOOTP field injection and reparse-to-script evaluation chain.

2026-04-30 to 2026-05-01 — CVE metadata and ADP enrichment

MITRE’s CVE Program API record identifies the vulnerability as affecting FreeBSD dhclient, includes the FreeBSD advisory as source reference, and records the same underlying attack behavior for cross-source reconciliation.

Sources & References