CVE-2026-42511
Published: 30 April 2026
Summary
CVE-2026-42511 is a high-severity Improper Neutralization of Quoting Syntax (CWE-149) vulnerability in Freebsd Freebsd. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 18.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely patching of the dhclient flaw that fails to escape BOOTP file field double-quotes.
Addresses the core issue of improper validation by requiring sanitization of untrusted DHCP inputs like the BOOTP file field before writing to and parsing the lease file.
Protects dhclient and dhclient-script integrity through verification, preventing or detecting exploitation via tampered software components.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in dhclient allows rogue DHCP server to inject arbitrary directives into lease file, leading to code execution via dhclient-script upon re-parsing; directly enables client-side exploitation (T1203) and Unix shell command execution (T1059.004).
NVD Description
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease…
more
is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.
Deeper analysisAI
CVE-2026-42511 is a vulnerability in the dhclient DHCP client where the BOOTP file field is written to the lease file without escaping embedded double-quotes. This flaw enables the injection of arbitrary dhclient.conf directives into the lease file. When the lease file is subsequently re-parsed by dhclient, such as after a system restart, the attacker-controlled content is passed to dhclient-script(8) for evaluation. The issue affects systems running dhclient and is associated with CWE-149.
A rogue DHCP server can exploit this vulnerability by supplying a malicious BOOTP file field to a victim system. No special privileges or user interaction are required from the attacker or victim, though the attack has high complexity (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, score 8.1). Successful exploitation leads to arbitrary code execution as root when the tainted lease is processed.
The FreeBSD Security Advisory SA-26:12.dhclient provides details on mitigation and patches at https://security.freebsd.org/advisories/FreeBSD-SA-26:12.dhclient.asc.
Details
- CWE(s)