A critical security vulnerability has been disclosed in the FreeBSD operating system’s default IPv4 DHCP client, enabling local network attackers to execute arbitrary commands with root-level privileges. Tracked as CVE-2026-42511, the flaw affects every currently supported FreeBSD release and demands immediate patching by system administrators worldwide.
How the Vulnerability Works
The root cause of CVE-2026-42511 lies in how dhclient(8), the FreeBSD DHCP client, processes network configuration parameters provided by DHCP servers. When a FreeBSD device joins a network and requests an IP address, dhclient receives a collection of configuration parameters, including the BOOTP “file” field, and writes them into a local DHCP lease file for later reference.
The critical flaw is a parsing error: the software fails to properly escape embedded double-quote characters within that field. This oversight allows a malicious DHCP server to inject arbitrary configuration directives directly into the dhclient.conf file. When FreeBSD subsequently re-reads that lease file — for example, during a system restart or a network service reload — the attacker-controlled input is passed without sanitisation to dhclient-script(8), a shell script that executes with the highest system privileges. The injected commands run as root.
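A defender-side check that follows from the mechanism above: audit a dhclient lease file for the symptom an unescaped quote leaves behind, namely extra or malformed directives inside a lease block. This is an added example, not FreeBSD's code; it assumes the ISC-style `lease { keyword value; }` grammar with double-quoted strings that dhclient(8) writes, and the lease text, the allowlist of expected keywords and the placeholder directive name are constructed for the example.

```python
import re

# Keywords a normal dhclient lease block carries (assumed allowlist for
# this example; extend it to match your own lease files).
EXPECTED = {"interface", "fixed-address", "option", "filename", "server-name",
            "next-server", "medium", "bootp", "renew", "rebind", "expire"}

LEASE_RE = re.compile(r"lease\s*\{(.*?)^\}", re.S | re.M)
QUOTED = r'"(?:[^"\\]|\\.)*"'  # one well-formed double-quoted string
# keyword, then a value of quoted strings and/or bare text, up to ';'
DIRECTIVE_RE = re.compile(r'\s*([\w-]+)\s*((?:%s|[^;"])*);' % QUOTED)

def audit_lease_file(text):
    """Return (lease_index, finding) tuples; an empty list means clean."""
    findings = []
    for idx, m in enumerate(LEASE_RE.finditer(text)):
        body, pos = m.group(1).strip(), 0
        while pos < len(body):
            d = DIRECTIVE_RE.match(body, pos)
            if d is None:  # an unescaped quote leaves non-directive text
                near = body[pos:].lstrip()[:40].splitlines()[0]
                findings.append((idx, "unparseable text near: " + near))
                break
            pos = d.end()
            keyword, value = d.group(1), d.group(2).strip()
            if keyword not in EXPECTED:
                findings.append((idx, "unexpected directive: " + keyword))
            elif keyword in ("filename", "server-name") and \
                    not re.fullmatch(QUOTED, value):
                findings.append((idx, keyword + " is not one quoted string"))
    return findings

# Constructed sample lease (not captured from a real host).
SAMPLE_CLEAN = """lease {
  interface "em0";
  fixed-address 192.0.2.10;
  option subnet-mask 255.255.255.0;
  filename "boot/loader.efi";
  renew 1 2026/01/05 10:00:00;
  expire 1 2026/01/06 00:00:00;
}
"""
# Same lease, but the BOOTP file field closed the string early and
# smuggled in an extra directive (placeholder name, not a real keyword).
SAMPLE_TAMPERED = SAMPLE_CLEAN.replace(
    'filename "boot/loader.efi";',
    'filename "boot/loader.efi"; injected-directive "x";')
```

Run `audit_lease_file()` over `/var/db/dhclient.leases.<iface>` on a patched host to confirm no stray directives were persisted by an earlier rogue lease; a non-empty result is a reason to discard the lease file and re-acquire.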
Attack Scenario and Real-World Risk
Exploitation of CVE-2026-42511 requires the attacker to be on the same broadcast domain as the target system — meaning a rogue DHCP server must be deployed on the local network segment. While this prerequisite limits opportunistic remote exploitation over the internet, it remains highly relevant in corporate environments, shared hosting facilities, cloud virtual networks, and Wi-Fi environments where an attacker has gained initial network access.
Once a malicious DHCP response is delivered and processed, the result is total system compromise. A successful attacker could:
- Establish persistent backdoors for long-term access and lateral movement
- Deploy ransomware or wiper malware across the affected host
- Exfiltrate sensitive configuration files, credentials, and cryptographic material
- Pivot deeper into corporate network infrastructure from the compromised endpoint
Security researchers have mapped this attack chain to MITRE ATT&CK techniques T1557 (Adversary-in-the-Middle) and T1059 (Command and Scripting Interpreter), confirming its alignment with documented, real-world threat actor behaviour.
Affected Versions
The vulnerability was discovered by Joshua Rogers of the AISLE Research Team. All currently supported FreeBSD releases are affected:
- FreeBSD 15.0 — 15.0-RELEASE and 15.0-STABLE
- FreeBSD 14.4 and 14.3 — 14.4-RELEASE, 14.3-RELEASE, and 14.4-STABLE
- FreeBSD 13.5 — 13.5-RELEASE and 13.5-STABLE
Systems that do not run dhclient(8) are not affected.
Patching and Mitigation
The FreeBSD Project responded promptly, releasing security advisory FreeBSD-SA-26:12.dhclient with patches for all supported branches. Administrators should update immediately using one of these methods:
- Base system packages (amd64/arm64 on FreeBSD 15.0):
  pkg upgrade -r FreeBSD-base
- Binary update tool (all other versions):
  freebsd-update fetch && freebsd-update install
There is no direct software workaround for systems that must continue running dhclient. Network defenders can significantly reduce exposure by enabling DHCP snooping on managed enterprise switches, which blocks unauthorised DHCP servers from injecting malicious responses onto the local network segment.
Why This Matters
CVE-2026-42511 is a reminder that foundational network protocols such as DHCP are not immune to critical security flaws, and that implicit trust in local network traffic can be catastrophically exploited. FreeBSD underpins a wide range of infrastructure — from firewalls and routers built on pfSense and OPNsense derivatives, to web servers, storage appliances, and embedded systems. Organisations running any of these should treat this advisory as an urgent priority, apply available patches without delay, and verify that DHCP snooping controls are enforced across all switching infrastructure.