CVE-2026-42511: A 21-Year-Old Root RCE in FreeBSD's dhclient
FreeBSD has long maintained a reputation as one of the most secure operating systems in existence, powering critical infrastructure for giants like Netflix, Sony, and various networking hardware vendors. However, a recently discovered vulnerability, CVE-2026-42511, reveals a critical security gap that existed for over two decades.
Discovered by AISLE, this vulnerability allows for Remote Command Execution (RCE) with root privileges. The flaw is particularly dangerous because it is "wormable": any system on the same local network can trigger it, turning a standard network configuration process into a vector for full system compromise.
The Root of the Problem: A Two-Decade Legacy
The vulnerability resides in dhclient, FreeBSD's DHCP client. The flaw was introduced as far back as 2005 during the release of FreeBSD-6.0, when the dhclient implementation was imported from OpenBSD. While OpenBSD eventually deprecated the problematic dhclient-script in 2012—effectively neutralizing the threat—the code remained in FreeBSD, dormant and undetected until now.
At its core, CVE-2026-42511 is a logic flaw involving the improper sanitization of attacker-controlled protocol data. This data is persisted into a trusted configuration file and subsequently reinterpreted in a privileged execution path.
Technical Breakdown: From Packet to Root
1. The Poisoned Lease File
When dhclient receives a DHCP reply, it writes the lease information to a local file (typically /var/db/dhclient.leases.<if>). The function responsible for this, write_client_lease(), uses fprintf to serialize data. While most fields are sanitized or restricted to valid IP addresses, two specific fields from the Bootstrap Protocol (BOOTP) are written verbatim:
- lease->filename
- lease->server_name
Because these fields are not escaped, an attacker can inject double quotes, newlines, and semicolons. For example, a malicious DHCP server could send a file field containing: ";\n medium ";id>/tmp/pwned.
When dhclient writes this to the lease file, it breaks out of the filename string and injects a new medium directive. The resulting lease file remains syntactically valid but now contains a malicious payload:
lease {
  interface "em1";
  fixed-address 192.168.100.50;
  next-server 192.168.100.2;
  filename "";
  medium ";id>/tmp/pwned";
}
2. The Privileged Execution Sink
The second stage of the exploit occurs when dhclient invokes /sbin/dhclient-script to apply the network configuration. This script is executed as root and contains a dangerous eval statement:
eval "$IFCONFIG $interface $medium"
When the poisoned lease file is reparsed during a lease renewal or system restart, the injected medium value is passed into this eval sink. The final command executed by the system becomes:
eval "/sbin/ifconfig -n em1 ;id>/tmp/pwned"
This results in the command id > /tmp/pwned (or any other arbitrary command) being executed with full root privileges.
The Attack Surface
This vulnerability is highly accessible to any attacker capable of operating or spoofing a DHCP server on the same broadcast domain. This includes:
- Wired Networks: A rogue device on the same local network segment.
- Wireless Networks: A malicious Wi-Fi access point or an attacker on the same Wi-Fi network capable of injecting DHCP traffic.
As FreeBSD increases its focus on laptop support and Wi-Fi compatibility, the risk increases for users connecting to untrusted networks in public spaces like coffee shops or airports.
Community Perspective and Critique
The discovery has sparked discussion regarding the architectural choices in FreeBSD's networking stack. Some observers have noted that using ad hoc file serialization for critical network protocols—rather than structured formats like JSON, TOML, or SQLite—and placing shell eval calls on the data path are fundamentally risky design patterns.
"Having shell functionality on the data path of … well, anything as critical as DHCP seems like a poor choice. Considering it appropriate to use shell eval there seems like such a poor choice as to reflect poorly on the whole system."
Summary of the Exploit Chain
- Injection: A malicious DHCP server sends a crafted BOOTP file field.
- Persistence: dhclient writes the unescaped string into the lease database.
- Reparsing: The system later reads the poisoned lease file, treating the injected medium directive as trusted state.
- Execution: dhclient passes the malicious medium value to /sbin/dhclient-script.
- Compromise: The eval command in the script executes the attacker's payload as root.
Conclusion
CVE-2026-42511 serves as a stark reminder that legacy code can harbor critical vulnerabilities for decades, even in systems renowned for their security. The combination of unescaped serialization and a privileged eval sink created a trivial path to root access. FreeBSD has since released a fix in advisory FreeBSD-SA-26:12.dhclient, and users are strongly encouraged to update their systems immediately.