A serious vulnerability in FreeBSD's default DHCP client — tracked as CVE-2026-42511 — lets attackers on the same local network execute commands as root, taking complete control of affected machines. Discovered by Joshua Rogers of the AISLE Research Team, the flaw stems from dhclient(8) failing to properly escape double-quotes when processing DHCP server responses, allowing injected commands to run with full system privileges. Every supported FreeBSD release is affected, including versions 13.5, 14.3, 14.4, and 15.0. Patches are already available. Admins should update immediately — and enabling DHCP snooping on network switches adds an effective extra layer of defense.
Source: Cybersecurity News