CVE-2026-56115
Published 2026-06-23
Priority: P2 60 · Severity: high · CVSS 3.1 base score 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.31% (22.3rd percentile)
Bootimus through 0.1.70 contains a broken access control vulnerability that allows authenticated low-privileged users to perform administrative actions by exploiting missing role enforcement in the JWTMiddleware function in internal/auth/auth.go, which validates JWT tokens and account status but fails to inspect the is_admin flag. Attackers can send requests to any endpoint under the /api/users path to create new administrator accounts or reset administrator passwords, thereby gaining full control of the server and the ability to modify boot menus and installation scripts served to PXE clients.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bootimus | bootimus | <= 0.1.70 | — |
| dhcpcd_project | dhcpcd | — | — |
| garybowers | bootimus | <= 0.1.70 | — |
Detection & IOCs (extracted from sources)
- Trigger condition: crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128
- Vulnerable function is dhcp6_makemessage() in src/dhcp6.c; monitor for crashes or anomalous stack behavior in this function when processing DHCPv6 ADVERTISE messages with oversized RFC6603 OPTION_PD_EXCLUDE option bodies
- Attack vector is same-link (link-local), unauthenticated; detection should focus on DHCPv6 traffic on the local network segment, specifically ADVERTISE messages with anomalous OPTION_PD_EXCLUDE option lengths
- Fix is available in commit 2f00c7b; versions of dhcpcd through 10.3.2 are vulnerable. Red Hat Enterprise Linux 10 fix is listed as deferred.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 5.3 | MEDIUM | |
VulDB
NetworkConfiguration dhcpcd up to 10.3.2 src/dhcp6.c dhcp6_makemessage out-of-bounds write
vuldb · 2026-06-24 · CVSS 5.3 · MEDIUM
A vulnerability described as critical has been identified in NetworkConfiguration dhcpcd up to 10.3.2. Affected by this vulnerability is the function dhcp6_makemessage of the file src/dhcp6.c. The manipulation results in out-of-bounds write.
This vulnerability was named CVE-2026-56115. The attack needs to be approached within the local network. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
ghsa_unreviewed · 2026-06-23 · MEDIUM · CWE-787
dhcpcd through 10.3.2, fixed in commit 2f00c7b, contains a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory.
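As an added detection example (not code from the page, from dhcpcd or from any of the quoted advisories), the parser below walks a DHCPv6 ADVERTISE message's IA_PD -> IAPREFIX -> OPTION_PD_EXCLUDE chain and flags the trigger pattern stated in the IOC list and in the GHSA text above: an IAPREFIX with prefix-length 0 carrying an OPTION_PD_EXCLUDE whose exclude prefix-length is /121 through /128, which serializes to a 17-byte option body. Option codes and field layouts follow RFC 3633 and RFC 6603; the two sample messages are constructed here, not captured traffic.

```python
import struct

ADVERTISE, OPTION_IA_PD, OPTION_IAPREFIX, OPTION_PD_EXCLUDE = 2, 25, 26, 67

def parse_options(buf):
    """Yield (code, data) for a run of DHCPv6 TLV options; stop at a truncated one."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("!HH", buf, off)
        data = buf[off + 4:off + 4 + length]
        if len(data) < length:
            break
        yield code, data
        off += 4 + length

def find_pd_exclude_anomalies(msg):
    """Return one finding per OPTION_PD_EXCLUDE matching the advisory's trigger pattern:
    IA_PD -> IAPREFIX with prefix-length 0 -> exclude prefix-length 121..128."""
    findings = []
    if len(msg) < 4 or msg[0] != ADVERTISE:
        return findings
    for code, ia_pd in parse_options(msg[4:]):          # skip msg-type + transaction-id
        if code != OPTION_IA_PD or len(ia_pd) < 12:      # IAID, T1, T2
            continue
        for sub, pfx in parse_options(ia_pd[12:]):
            if sub != OPTION_IAPREFIX or len(pfx) < 25:  # lifetimes(8) + plen(1) + prefix(16)
                continue
            ia_plen = pfx[8]
            for c, body in parse_options(pfx[25:]):
                if c == OPTION_PD_EXCLUDE and body and ia_plen == 0 and 121 <= body[0] <= 128:
                    findings.append({"ia_prefix_len": ia_plen,
                                     "exclude_prefix_len": body[0],
                                     "option_len": len(body)})  # 1 + 16 subnet-id bytes = 17
    return findings

# Constructed sample messages (hypothetical, not captured traffic) to exercise the check.
def opt(code, data):
    return struct.pack("!HH", code, len(data)) + data

def sample_advertise(ia_plen, excl_plen):
    subnet_id = b"\x00" * ((excl_plen - ia_plen + 7) // 8)      # RFC 6603 subnet-ID sizing
    iaprefix = (struct.pack("!IIB", 3600, 7200, ia_plen) + b"\x20\x01\x0d\xb8" + b"\x00" * 12
                + opt(OPTION_PD_EXCLUDE, bytes([excl_plen]) + subnet_id))
    ia_pd = struct.pack("!III", 1, 1800, 2880) + opt(OPTION_IAPREFIX, iaprefix)
    return bytes([ADVERTISE, 0, 0, 1]) + opt(OPTION_IA_PD, ia_pd)

BENIGN = sample_advertise(56, 64)     # delegated /56, excluded /64 -> 1-byte subnet-ID, not flagged
SUSPECT = sample_advertise(0, 128)    # delegated /0, excluded /128 -> 16-byte subnet-ID, flagged

if __name__ == "__main__":
    print(find_pd_exclude_anomalies(BENIGN))
    print(find_pd_exclude_anomalies(SUSPECT))
```

Feeding decoded DHCPv6 payloads from a link-local capture through find_pd_exclude_anomalies() gives a concrete rule for the "anomalous OPTION_PD_EXCLUDE option lengths" the IOC list asks to watch for; a hit on a host still running dhcpcd 10.3.2 or earlier should be treated as an attempted trigger.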
Red Hat
dhcpcd: dhcpcd: Denial of Service via crafted DHCPv6 ADVERTISE message
vendor_redhat · 2026-06-23 · CVSS 5.3 · MEDIUM · CWE-787
A flaw was found in dhcpcd. This vulnerability allows an unauthenticated attacker on the same network link to trigger a one-byte stack out-of-bounds write. By sending a specially
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-56115 dhcpcd: dhcpcd: Denial of Service via crafted DHCPv6 ADVERTISE message [epel-all]
bugzilla · 2026-06-23 · CVSS 5.3 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-56115 dhcpcd: dhcpcd: Denial of Service via crafted DHCPv6 ADVERTISE message
bugzilla · 2026-06-23 · CVSS 5.3 · MEDIUM
Bugzilla
CVE-2026-56115 dhcpcd: dhcpcd: Denial of Service via crafted DHCPv6 ADVERTISE message [fedora-all]
bugzilla · 2026-06-23 · CVSS 5.3 · MEDIUM