← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-42511 · CWE-149 · Disclosed 2026-04-30

The BOOTP file field is written to the lease file without escaping embedded double-quotes

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a booby-trapped address card that only works if the attacker gets to hand it to you at check-in

CVE-2026-42511 is a FreeBSD dhclient injection bug: attacker-controlled BOOTP file and server_name fields are written into the on-disk lease file without escaping embedded quotes, so a malicious DHCP reply can smuggle new dhclient.conf-style directives into lease state. When that poisoned lease is later reparsed, the injected medium value can flow into /sbin/dhclient-script, which uses eval, yielding root code execution. FreeBSD says all supported versions were affected before the fixes in 13.5-RELEASE-p13, 14.3-RELEASE-p12, 14.4-RELEASE-p3, and 15.0-RELEASE-p7.

The vendor's HIGH 8.1 score is technically defensible if you look only at impact, but it overstates enterprise urgency in most fleets because this is not broad internet RCE. The decisive friction is attacker position: they must control or spoof DHCP on the same broadcast domain, or lure the target onto a malicious AP. That sharply narrows exposure for datacenter servers and segmented enterprise LANs, even though the blast radius on a successfully hit host is full root.

"Root RCE is real, but the attacker has to own your DHCP conversation first."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Get into the target's DHCP path

The attacker must operate a rogue DHCP server, spoof DHCP replies, or run a malicious wireless access point that the FreeBSD host will trust. This is a network-adjacent position, not a normal internet-reachable one, because DHCP is link-local and depends on winning the client's lease exchange.
Conditions required:
  • Attacker is on the same L2 segment as the target, or controls the Wi-Fi/AP the target joins
  • Target uses DHCP via FreeBSD dhclient on a vulnerable release
Where this breaks in practice:
  • Static-IP hosts are out of scope
  • DHCP snooping, NAC/802.1X, port security, or simply a well-managed wired LAN can block rogue responders
  • Many enterprise FreeBSD servers are not roaming clients and never hit hostile DHCP
Detection/coverage: Network scanners do not meaningfully detect this path from the outside; you need host inventory plus LAN/Wi-Fi control telemetry.
STEP 02

Poison the lease file

Using the BOOTP file or server_name fields, the attacker injects embedded quotes and a crafted directive so dhclient serializes malicious content into /var/db/dhclient.leases.<if>. The bug is the unsafe persistence layer: hostile network input becomes trusted local config-like state.
Conditions required:
  • Vulnerable dhclient accepts the malicious DHCP offer
  • Injected characters survive into the saved lease file
Where this breaks in practice:
  • The attacker has to shape DHCP fields precisely enough to keep the resulting lease syntactically valid
  • Lease acceptance still depends on timing and winning the DHCP exchange
Detection/coverage: EDR/FIM can catch unexpected changes to dhclient.leases.*; vuln scanners generally only do version checks.
STEP 03

Wait for lease reparse

The poisoned lease is not the end state; the exploit needs dhclient to reparse that lease during restart, renewal, rebinding, or normal DHCP lifecycle events. AISLE's write-up notes this is not just a boot-only edge case: the daemon revisits lease state over time.
Conditions required:
  • The host continues using the poisoned lease state
  • A later DHCP lifecycle event triggers reparse
Where this breaks in practice:
  • This may not fire instantly on every host
  • Reimaging, interface resets, or lease cleanup can break the chain before execution
Detection/coverage: Look for dhclient and dhclient-script activity following unusual lease-file writes; sequence correlation matters more than signature coverage.
STEP 04

Hit the eval sink as root

Once the injected medium directive is loaded into trusted lease state, /sbin/dhclient-script executes eval "$IFCONFIG $interface $medium". That turns the lease poisoning into command execution as root on the host.
Conditions required:
  • Injected medium value reaches dhclient-script
  • Script execution proceeds normally under root
Where this breaks in practice:
  • This is a single-host impact path, not tenant-wide control-plane compromise
  • Strong host telemetry can catch the shell execution even if it cannot prevent the initial DHCP spoofing
Detection/coverage: EDR/process telemetry should catch suspicious child shell behavior or odd ifconfig command-lines; most exposure platforms will miss exploitation and only flag vulnerable versions.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed in-the-wild exploitation found in reviewed sources. Not in CISA KEV.
Proof-of-concept availabilityAISLE says it developed a full PoC exploit chain, but I did not find a public exploit repo or Exploit-DB entry in the reviewed sources.
EPSSUser-supplied EPSS is 0.00035 (~0.035%), which is extremely low. Third-party EPSS trackers around early May 2026 also showed this CVE in the *very low likelihood* bucket.
KEV statusNo. Not present in the CISA Known Exploited Vulnerabilities Catalog as reviewed.
CVSS vector reality checkAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H captures the end impact, but AV:N is misleading operationally: this is really DHCP-path / same-broadcast-domain exposure, not general internet RCE.
Affected versionsFreeBSD advisory says all supported versions of FreeBSD were affected at disclosure time; NVD lists affected 13.5/14.3/14.4/15.0 trains before the patched patchlevels.
Fixed versionsPatched in 13.5-RELEASE-p13, 14.3-RELEASE-p12, 14.4-RELEASE-p3, and 15.0-RELEASE-p7; source branches stable/13, stable/14, and stable/15 also received fixes.
Scanning / exposure dataThis is a client-side DHCP flaw, so Shodan/Censys-style internet census is mostly the wrong lens. External exposure counts do not map well to real risk; host inventory and NAC/Wi-Fi posture matter far more.
Disclosure timelineAISLE discovered it on 2026-04-13, disclosed on 2026-04-14, FreeBSD shipped fixes on 2026-04-29, and NVD published the CVE on 2026-04-30.
Researcher / reporterReported by Joshua Rogers of AISLE Research Team per the FreeBSD advisory and fixing commit message.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (6.4/10)

The single biggest downgrade factor is attacker position: exploitation requires control of the victim's DHCP conversation on the same broadcast domain or via a malicious AP. That makes this a narrow, environment-dependent root RCE rather than a fleet-wide internet emergency, despite the severe host impact.

HIGH Technical impact on a successfully exploited host
HIGH Attack-path friction from same-segment / rogue-DHCP requirement
MEDIUM Population exposure across mixed enterprise FreeBSD deployments

Why this verdict

  • Downgrade for attacker position: the chain starts with rogue DHCP control on the same L2 segment or a malicious AP, which implies local-network adjacency rather than internet-wide reach.
  • Downgrade for exposed population: many enterprise FreeBSD systems are servers, appliances, or infrastructure nodes on managed VLANs or static IPs, so only a subset of deployments ever present this DHCP attack surface.
  • Downgrade for threat evidence: no KEV listing, no confirmed active exploitation in reviewed sources, and a very low EPSS all argue against treating this like an emergency patch-everything event.
  • Hold at MEDIUM, not LOW: if the attacker can reach the DHCP path once, the end state is full root code execution through a clean privileged sink in dhclient-script.

Why not higher?

If this were unauthenticated internet-reachable service RCE, the vendor's HIGH would stand. But the chain is bottlenecked by network adjacency, DHCP race/control, and deployment reality: this is usually a post-access or hostile-network scenario, not something random internet scanning converts into mass compromise.

Why not lower?

This is still real root RCE with no need for local credentials once the attacker owns the DHCP exchange. Roaming FreeBSD laptops, lab systems, branch gear, and devices on less-controlled access networks are meaningfully exposed, so writing it off as mere hygiene would understate the host-level blast radius.

05 · Compensating Control

What to do — in priority order.

  1. Block rogue DHCP — Turn on DHCP snooping, port security, NAC, or equivalent switch/Wi-Fi protections wherever FreeBSD DHCP clients live. This directly attacks the prerequisite that makes exploitation possible; for a MEDIUM verdict there is no noisgate mitigation SLA, so use this as targeted risk reduction while you work through the normal remediation window.
  2. Prioritize untrusted-network clients — Identify FreeBSD laptops, travel systems, lab devices, and branch/edge nodes that regularly join non-datacenter networks. These are the hosts where the attacker-position friction is weakest, so they should move to the front of the patch queue even though the overall fleet verdict is only MEDIUM.
  3. Monitor lease and script activity — Add file integrity or EDR watchpoints on /var/db/dhclient.leases.* and process telemetry for dhclient and /sbin/dhclient-script. This will not prevent the bug, but it can surface poisoning attempts or odd root-side command execution during the remediation window.
  4. Use static addressing where justified — For sensitive FreeBSD infrastructure that does not need DHCP, moving to static IPs removes the vulnerable path entirely. Do this selectively for crown-jewel systems as an architectural hardening measure, not as a substitute for patching.
What doesn't work
  • A perimeter WAF or internet IDS doesn't help much because the exploit traffic rides DHCP on the local segment, not HTTP from the internet.
  • MFA is irrelevant; the chain does not require user logon or account abuse.
  • Basic external attack-surface scanning will miss the real risk because this is a client-side network adjacency issue, not an exposed service banner problem.
06 · Verification

Crowdsourced verification payload.

Run this on the FreeBSD target host itself as root or with a shell account that can execute freebsd-version; example: sh ./check-cve-2026-42511.sh. It only needs local read/execute access and reports VULNERABLE, PATCHED, or UNKNOWN based on the installed FreeBSD release patchlevel.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/bin/sh
# check-cve-2026-42511.sh
# Purpose: Determine likely exposure to CVE-2026-42511 on FreeBSD release systems.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -eu

get_ver() {
  if command -v freebsd-version >/dev/null 2>&1; then
    freebsd-version -u 2>/dev/null || freebsd-version -k 2>/dev/null || freebsd-version 2>/dev/null || true
  else
    uname -r 2>/dev/null || true
  fi
}

VER="$(get_ver | head -n1 | tr -d '\r')"

if [ -z "$VER" ]; then
  echo "UNKNOWN: could not determine FreeBSD version"
  exit 2
fi

# Known fixed release patchlevels from FreeBSD-SA-26:12.dhclient
# 13.5-RELEASE-p13
# 14.3-RELEASE-p12
# 14.4-RELEASE-p3
# 15.0-RELEASE-p7

case "$VER" in
  *STABLE*|*CURRENT*|*ALPHA*|*BETA*|*RC* )
    echo "UNKNOWN: non-RELEASE build detected ($VER); verify source update includes FreeBSD-SA-26:12.dhclient"
    exit 2
    ;;
esac

# Parse forms like 14.4-RELEASE-p3 or 13.5-RELEASE
BASE="${VER%%-RELEASE*}"
PATCH=0
case "$VER" in
  *-RELEASE-p* ) PATCH="${VER##*-RELEASE-p}" ;;
  *-RELEASE* ) PATCH=0 ;;
  * )
    echo "UNKNOWN: unrecognized version format ($VER)"
    exit 2
    ;;
esac

# Keep numeric part only
PATCH="$(printf '%s' "$PATCH" | sed 's/[^0-9].*$//')"
[ -n "$PATCH" ] || PATCH=0

is_patched=1
case "$BASE" in
  13.5)
    [ "$PATCH" -ge 13 ] && is_patched=0 || is_patched=1
    ;;
  14.3)
    [ "$PATCH" -ge 12 ] && is_patched=0 || is_patched=1
    ;;
  14.4)
    [ "$PATCH" -ge 3 ] && is_patched=0 || is_patched=1
    ;;
  15.0)
    [ "$PATCH" -ge 7 ] && is_patched=0 || is_patched=1
    ;;
  *)
    echo "UNKNOWN: version $VER is outside the advisory's explicit release mapping"
    exit 2
    ;;
esac

if [ "$is_patched" -eq 0 ]; then
  echo "PATCHED: $VER meets or exceeds the FreeBSD-SA-26:12.dhclient fixed patchlevel"
  exit 0
else
  echo "VULNERABLE: $VER is below the FreeBSD-SA-26:12.dhclient fixed patchlevel"
  exit 1
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: query your asset inventory for FreeBSD hosts that still use DHCP, then split them into two piles — roaming/untrusted-network clients first, managed datacenter/server segments second. Because this landed at MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; however, you should still apply DHCP-snooping/NAC controls where practical and finish vendor patching of exposed FreeBSD DHCP clients within the noisgate remediation SLA of 365 days, with roaming laptops, branch devices, and lab systems handled first.

Sources

  1. FreeBSD advisory mirror with full advisory text
  2. NVD CVE record
  3. AISLE technical write-up
  4. FreeBSD fixing commit message (stable/14 mirror)
  5. Ubuntu CVE page
  6. Debian security tracker
  7. CISA Known Exploited Vulnerabilities Catalog
  8. FIRST EPSS API documentation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.