From e5455542859103404a7a62f2c376485839454c63 Mon Sep 17 00:00:00 2001 From: Roy Marples Date: Tue, 23 Jun 2026 00:34:58 +0100 Subject: [PATCH 1/2] IPv6ND: Free routeinfo when it expires (#670) Fixes a memory leak vulnerability in the IPv6 Router Advertisement route information handling that allows an unauthenticated same-link attacker to cause denial of service by sending crafted Router Advertisements. Attackers can repeatedly send Router Advertisements containing Route Information options with a lifetime of zero, triggering unfreed allocations in routeinfo_findalloc() that cause linear memory exhaustion and eventual daemon crash. Reported-by: CuB3y0nd CVE: CVE-2026-56116 --- src/ipv6nd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/ipv6nd.c b/src/ipv6nd.c index ccf71241..557ff50e 100644 --- a/src/ipv6nd.c +++ b/src/ipv6nd.c @@ -1789,6 +1789,7 @@ ipv6nd_expirera(void *arg) logwarnx("%s: expired route %s", rap->iface->name, rinfo->sprefix); TAILQ_REMOVE(&rap->rinfos, rinfo, next); + free(rinfo); } } From fc21f52e21814976a550a55d7338e7d5ea033eb8 Mon Sep 17 00:00:00 2001 From: Roy Marples Date: Tue, 23 Jun 2026 02:06:55 +0100 Subject: [PATCH 2/2] DHCPv6: Prefix exclude option can be 17 octets (#671) Fixes a one-byte stack out-of-bounds write vulnerability in dhcp6_makemessage() in src/dhcp6.c that allows unauthenticated same-link attackers to write beyond a fixed local buffer by serializing an oversized RFC6603 OPTION_PD_EXCLUDE option body. Attackers can send a crafted DHCPv6 ADVERTISE message containing an IA_PD IAPREFIX /0 with a valid OPTION_PD_EXCLUDE using an exclude prefix length of /121 through /128 to trigger the out-of-bounds write and potentially corrupt adjacent stack memory. Reported-by: CuB3y0nd CVE: CVE-2026-56114 --- src/dhcp6.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/dhcp6.c b/src/dhcp6.c index 91341994..167b83a7 100644 --- a/src/dhcp6.c +++ b/src/dhcp6.c @@ -1093,7 +1093,7 @@ dhcp6_makemessage(struct interface *ifp) /* RFC6603 Section 4.2 */ if (ap->prefix_exclude_len) { - uint8_t exb[16], *ep, u8; + uint8_t exb[17], *ep, u8; const uint8_t *pp; n = (size_t)((ap->prefix_exclude_len -