NEWS
FreeBSD dhclient Bug Hands Root to Anyone on Your Wi-Fi
The FreeBSD Project pushed an emergency patch on April 29, 2026 for a flaw in its default DHCP client that hands full root access to anyone sharing the same network. CVE-2026-42511 carries a CVSS 3.1 base score of 8.1 and lets a rogue DHCP server slip arbitrary commands into a lease file. Those commands run as root the next time the machine reboots. Every currently supported FreeBSD branch is on the patch list.
Joshua Rogers of the AISLE Research Team filed the disclosure, his third FreeBSD advisory of the same release cycle. There is no software workaround for hosts that must keep running dhclient(8). Administrators have to install the patch or block rogue DHCP servers at the switch.
- 8.1 CVSS 3.1 base score, rated High by the NVD entry for CVE-2026-42511.
- Four supported FreeBSD branches in scope: 13.5, 14.3, 14.4, and 15.0.
- April 29, 2026 patch date across every fixed branch.
- Zero working software workarounds for hosts that must keep running dhclient.
- 24,529 companies tracked as FreeBSD users in enterprise telemetry data.
How a Quote Mark Becomes Root
Dhclient(8), FreeBSD’s default IPv4 DHCP client, is where the fault lives. When a host joins a network, it pulls down configuration data and writes part of that response, the BOOTP file field, into a local lease file at /var/db/dhclient.leases.<interface>.
The advisory describes the parser failure plainly. “The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives,” reads the FreeBSD-SA-26:12.dhclient advisory issued April 30, 2026. Translation: a malicious DHCP server can stuff a closing quote into the filename, then append any directive it wants.
Once the lease file is re-read, dhclient hands those directives to dhclient-script(8). That script runs as root. Any shell command the attacker injected runs with it.
The weakness sits in CWE-149 Improper Neutralization of Quoting Syntax, the same general bug class that breaks SQL escapers and shell quoters. It is a 1990s-era oversight surfacing in 2026 plumbing.

Every Supported Branch Is on the Patch List
The advisory covers four release lines and three stable branches simultaneously. Anything older than 13.5 is already out of support and will not receive a fix.
| Branch | Vulnerable Up To | Patched Version |
|---|---|---|
| FreeBSD 15.0-RELEASE | 15.0-p6 | 15.0-RELEASE-p7 |
| FreeBSD 14.4-RELEASE | 14.4-p2 | 14.4-RELEASE-p3 |
| FreeBSD 14.3-RELEASE | 14.3-p11 | 14.3-RELEASE-p12 |
| FreeBSD 13.5-RELEASE | 13.5-p12 | 13.5-RELEASE-p13 |
STABLE branches received the same fix on the same day. Hosts running 14.4-STABLE, 14.3-STABLE, 13.5-STABLE, or 15.0-STABLE need a fresh build dated after April 29, 2026 to clear the bug.
Why a Coffee Shop Network Is Now a Root Shell
Exploitation is tame on paper and scary in practice. The attacker needs Layer 2 reach, meaning the same broadcast domain as the target. A shared office Wi-Fi qualifies. So does an apartment complex network, a hotel, a campus dorm, an airport lounge, or any switch where a hostile guest can plug in a laptop.
From there the steps are mechanical. Spin up a rogue DHCP server. Race the legitimate one to answer a victim’s DHCPDISCOVER. Craft a BOOTP file field that closes a quote and injects a directive. Wait.
The catalogue of consequences from a successful root execution reads like a standard worst-case set:
- Persistent backdoors written into rc.d boot scripts.
- Ransomware staged on local volumes with encryption keys keyed to the host.
- SSH key exfiltration for lateral movement into a corporate VPN.
- Silent installation of a kernel module that hides processes from ps.
- Pivot tooling dropped into /tmp for spreading to other FreeBSD hosts.
From a threat-intelligence point of view, this maps onto MITRE ATT&CK technique T1557 for Adversary-in-the-Middle and T1059 for Command and Scripting Interpreter. Both are well-trodden by ransomware crews and targeted intrusion teams.
The CVSS vector tells the same story differently. AV:N marks it remotely reachable on the broadcast network. AC:H reflects the rogue-server requirement. PR:N and UI:N mean no privileges or user clicks needed. C:H/I:H/A:H is full compromise of confidentiality, integrity, and availability.
The Reboot Is the Real Detonator
A detail worth dwelling on: the malicious payload does not run when dhclient first picks up the lease. It runs when the lease file is re-parsed. That usually means the next reboot, the next ifconfig down/up, or a manual service restart.
Wire writeups treat this as a footnote. It is the entire risk profile. A laptop can be poisoned at a coffee shop on Tuesday, walk back into the corporate network clean, and detonate root execution on Friday morning when the user reboots after a patch cycle. There is no obvious connection between the network the attacker used and the system that fires the payload.
“You can look at a code base and even if you can’t trigger a bug or a vulnerability, you can still say it’s wrong.”
Rogers said that line on the Open Source Security podcast episode on AI-assisted vulnerability discovery in October 2025, talking about how he runs source-code analyzers across mature open-source projects. The dhclient parsing logic is exactly the kind of looks-wrong code path that survived for years because nobody could spell out a working exploit.
An AI-Assisted Hunt Cracked dhclient
Rogers, a 12-year veteran of Linux and FreeBSD security work, runs his current research through the AISLE AI-native cybersecurity platform. His personal disclosure log and services page shows three CVEs against FreeBSD in the past two release cycles, including CVE-2026-42511, CVE-2026-42512, and CVE-2026-39457.
“You’re not just some chuckle head that’s like shoveling something into AI and just dumping what comes out into GitHub issues,” said Josh Bressers, host of the Open Source Security podcast and a long-time application-security practitioner. The point matters because triage teams are already drowning in low-quality AI-generated bug reports. Rogers’ productivity, by contrast, is producing High-severity advisories that ship same-day patches.
Patch in Under Five Minutes
Updating is the priority. There are two supported paths, depending on how the system was installed.
- Base packages (FreeBSD 15.0 amd64/arm64): run
pkg upgrade -r FreeBSD-baseas root, then reboot. - Binary distributions (everything else): run
freebsd-update fetch, thenfreebsd-update install, then reboot. - Source builds: sync to the appropriate stable-branch tag dated after April 29, 2026, rebuild world, install, reboot.
- Lease cleanup: remove existing /var/db/dhclient.leases.* files before the reboot, since a poisoned lease can fire even on patched binaries if the file already contains the injected directive.
That last step is the one most writeups skip. The patch fixes the parser, not the disk. A lease file already containing an injected directive will still load the next time dhclient starts. Deleting the file is cheap and forces a clean DHCP exchange against a trusted server.
Containers and jails inherit the host’s dhclient binary. They get the fix when the host is updated, but any container that runs its own dhclient under chroot needs the same purge of cached lease files.
Hosts that do not run dhclient at all, including most cloud images that take their network configuration from the hypervisor metadata service, are unaffected. A quick check is service dhclient status or pgrep dhclient. No process, no exposure.
DHCP Snooping Is the Network Backstop
For fleets that cannot reboot quickly, the network has the kill switch. DHCP snooping on managed switches treats every port as untrusted by default and only permits DHCP server traffic on the uplinks where real DHCP servers live. Juniper’s Junos OS configuration example for protecting against rogue DHCP server attacks walks through the trusted-port model used across Cisco, Juniper, Arista, and most modern enterprise gear.
The feature blocks rogue DHCP responses at Layer 2 before they reach the FreeBSD host. It also keeps DHCP starvation attacks and DHCP-based pivot tooling out of the picture as a side benefit. For environments where reboots are expensive, snooping is the practical mitigation while patches roll through change windows.
Who Actually Runs FreeBSD
The number of affected systems is harder to pin down than for Linux. W3Techs’ April 2026 FreeBSD usage data for the top 10 million sites measures it on roughly 0.05 percent of public-facing web servers, a small share that hides a concentrated population of high-value hosts.
FreeBSD’s installed base skews toward infrastructure. Netflix’s content-delivery edge runs on it. WhatsApp’s backend famously did. So do parts of Sony’s PlayStation network stack, Juniper’s Junos OS, and the pfSense and OPNsense firewall distributions. None of those public-facing edges are the immediate concern, since hardened CDN nodes do not run dhclient against a hostile network.
The exposed population is the workstation and developer-laptop segment. Researchers, sysadmins, BSD enthusiasts, and small operations teams who carry a FreeBSD machine onto a hotel network are the population the bug class was designed to hit. So are FreeBSD-based appliances that ship with dhclient on their WAN interface.
Higher education is the single largest FreeBSD vertical by company count, with research universities running it on lab and infrastructure hardware. A university’s open campus Wi-Fi is also one of the most generous broadcast domains a rogue DHCP attacker could ask for.
That combination makes the patch a real-world priority and not the theoretical one its low macroscopic share might suggest.
Frequently Asked Questions
Am I Affected if My Server Doesn’t Use DHCP?
No. CVE-2026-42511 fires only on hosts running dhclient(8) against an attacker-controlled DHCP server. Cloud instances on AWS, GCP, and most VPS providers pull network config from a hypervisor metadata channel, not dhclient, and are not exposed. Run pgrep dhclient on each host. If nothing returns, the bug cannot reach you. Patch anyway when you next update, since the fix ships in the base system.
Will the Fix Roll Out Through freebsd-update Automatically?
Only if you run freebsd-update on a schedule. The fix shipped April 29, 2026 across 13.5, 14.3, 14.4, and 15.0. Hosts on 15.0 amd64 or arm64 base packages need pkg upgrade -r FreeBSD-base; everything else uses freebsd-update fetch followed by freebsd-update install. Reboot after either. Then delete /var/db/dhclient.leases.* to clear any pre-poisoned lease.
Can a Hotel Wi-Fi Really Compromise My Laptop?
Yes, if the laptop runs FreeBSD with dhclient and the hotel network has no DHCP snooping. The attacker only needs a laptop on the same broadcast domain and a rogue DHCP daemon. The payload does not detonate immediately; it waits for a reboot or a network restart. Use a USB-tethered phone, a personal hotspot, or a wired upstream you control until the host is patched.
Do Jails and Bhyve VMs Need Their Own Patch?
Jails inherit the host’s dhclient binary and clear once the host is patched. Bhyve VMs running their own FreeBSD install need their own freebsd-update cycle. If a jail or VM caches its own /var/db/dhclient.leases.* file, delete that file before the next ifconfig down/up, even on a patched binary. The poisoned lease can still fire if the disk copy is unchanged.
Is There a Public Exploit Yet?
No public proof-of-concept code has been published as of May 6, 2026, six days after disclosure. Rogers has not released an exploit and the FreeBSD advisory does not include one. The bug class is well understood and the fix diff is public, so working exploits should be assumed within days. Treat the patch window as urgent rather than discretionary.
Rogers’ advisory is a tidy demonstration of how a string-handling oversight from the BOOTP era survived three decades and four major FreeBSD branches. The patch is small, the disclosure is clean, and the fix is one reboot away. Whether the lease files on disk get the same scrub is the part operations teams will quietly handle this week.
-
GAMING1 month agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
NEWS1 month agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
AI3 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
AI3 weeks agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
CRYPTO2 months agoOCC Issues AML Consent Order Against Wise and Crypto.com Sponsor Bank
-
NEWS1 month agoOppo’s ColorOS 17 Eligibility List Leaves A-Series Buyers Behind
-
APPS1 month agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
-
AI2 weeks agoAnthropic Tells Senators Alibaba Ran the Largest Claude Distillation Attack
