cbcvebase.
CVE-2019-11577
published 2019-04-28

CVE-2019-11577: dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses.

PriorityP261critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
53.10%
98.8th percentile
dhcpcd before 7.2.1 contains a buffer overflow in dhcp6_findna in dhcp6.c when reading NA/TA addresses.

Affected

2 ranges
VendorProductVersion rangeFixed in
debiandhcpcd5< dhcpcd5 7.1.0-2 (bookworm)dhcpcd5 7.1.0-2 (bookworm)
dhcpcd_projectdhcpcd< 7.2.17.2.1

Detection & IOCsextracted from sources · hover to see the quote

  • Vulnerable function is dhcp6_findna in dhcp6.c — monitor for crashes or anomalous DHCPv6 NA/TA address processing in dhcpcd versions before 7.2.1
  • Upstream fix commit 8d11b33f6c60e2db257130fa383ba76b6018bcf6 can be used as a patch-level indicator to confirm whether a build is patched
  • ·Vulnerability is scoped as local exploitation; attack surface is limited to DHCPv6 NA/TA address parsing, so exposure requires DHCPv6 to be active on the interface
  • ·Debian resolved the issue in package version 7.1.0-2 (bookworm and bullseye), which is earlier than the upstream fix version of 7.2.1 — verify the actual patch content rather than relying solely on version number when assessing Debian-based systems

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_debian9.8CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.