Cyber Resilience

CVE-2026-42511

High

Published: 30 April 2026

Published
30 April 2026
Modified
01 May 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0043 34.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-42511 is a high-severity Improper Neutralization of Quoting Syntax (CWE-149) vulnerability in Freebsd Freebsd. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 34.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42511 is a vulnerability in the dhclient DHCP client where the BOOTP file field is written to the lease file without escaping embedded double-quotes. This flaw enables the injection of arbitrary dhclient.conf directives into the lease file. When the lease file is subsequently re-parsed by dhclient, such as after a system restart, the attacker-controlled content is passed to dhclient-script(8) for evaluation. The issue affects systems running dhclient and is associated with CWE-149.

A rogue DHCP server can exploit this vulnerability by supplying a malicious BOOTP file field to a victim system. No special privileges or user interaction are required from the attacker or victim, though the attack has high complexity (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, score 8.1). Successful exploitation leads to arbitrary code execution as root when the tainted lease is processed.

The FreeBSD Security Advisory SA-26:12.dhclient provides details on mitigation and patches at https://security.freebsd.org/advisories/FreeBSD-SA-26:12.dhclient.asc.

EU & UK References

Vulnerability details

The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g., after a system restart, an attacker-controlled field from the lease…

more

is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbirary code as root on a system running dhclient.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Vulnerability in dhclient allows rogue DHCP server to inject arbitrary directives into lease file, leading to code execution via dhclient-script upon re-parsing; directly enables client-side exploitation (T1203) and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42512Same product: Freebsd Freebsd
CVE-2026-45255Same product: Freebsd Freebsd
CVE-2025-14558Same product: Freebsd Freebsd
CVE-2026-39457Same product: Freebsd Freebsd
CVE-2026-4652Same product: Freebsd Freebsd
CVE-2026-7164Same product: Freebsd Freebsd
CVE-2026-5398Same product: Freebsd Freebsd
CVE-2026-4748Same product: Freebsd Freebsd
CVE-2026-35547Same product: Freebsd Freebsd
CVE-2026-7270Same product: Freebsd Freebsd

Affected Assets

freebsd
freebsd
13.5, 14.3, 14.4, 15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely patching of the dhclient flaw that fails to escape BOOTP file field double-quotes.

prevent

Addresses the core issue of improper validation by requiring sanitization of untrusted DHCP inputs like the BOOTP file field before writing to and parsing the lease file.

preventdetect

Protects dhclient and dhclient-script integrity through verification, preventing or detecting exploitation via tampered software components.

References