FreeBSD DHCP Client Vulnerability CVE-2026-42511
-
Is pfSense CE 2.8.1-RELEASE running a dhclient implementation vulnerable to CVE-2026-42511, which affects all currently supported versions of FreeBSD?
See: https://nvd.nist.gov/vuln/detail/CVE-2026-42511
-
Everything I read says likely
Practical exposure
The vulnerability only matters if your WAN uses DHCP and is exposed to untrusted DHCP servers.
Direct ISP DHCP → vulnerable
Behind your own router/ONT → low risk
Static IP → not exposed
Recommended mitigation until Netgate patches it
Move WAN to static IP (if your ISP allows).
Or place pfSense behind a trusted router/ONT so it never sees rogue DHCP offers.
Or block DHCP server traffic from untrusted upstream devices if your modem supports filtering.
Monitor Netgate’s System Patches package for a future fix.
In my case, the pfSense WAN uses DHCP but sits behind an AT&T ONT + AT&T gateway in IP Passthrough, which means CVE‑2026‑42511 is theoretically present but practically neutralized.
The attack surface collapses because pfSense never sees an untrusted DHCP server. -
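An added check for the "only matters if your WAN uses DHCP" point above (example code, not Netgate's): it walks every interface in the pfSense configuration and lists the ones whose IPv4 address is obtained by a DHCP client, including any secondary WAN on an OPT interface that is easy to forget. It assumes the configuration lives at /conf/config.xml with the usual <interfaces><wan>...<ipaddr>dhcp</ipaddr> layout; the embedded config is a constructed sample for running it off the firewall.

```python
"""List pfSense interfaces whose IPv4 address comes from a DHCP client.
Added example, not Netgate code. Reads the pfSense configuration (assumed
at /conf/config.xml, with <interfaces><wan>...<ipaddr>dhcp</ipaddr> as in
an ordinary install) or, when that file is absent, the constructed sample."""
import sys
import xml.etree.ElementTree as ET

CONFIG_PATH = "/conf/config.xml"   # assumption: default pfSense location

# Constructed sample config: a DHCP WAN, a static LAN, a second DHCP WAN
# on an OPT interface, and a disabled interface (no <enable/> element).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><enable></enable><if>igb0</if><ipaddr>dhcp</ipaddr><ipaddrv6>dhcp6</ipaddrv6></wan>
    <lan><enable></enable><if>igb1</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <opt1><enable></enable><descr>WAN2</descr><if>igb2</if><ipaddr>dhcp</ipaddr></opt1>
    <opt2><descr>SPARE</descr><if>igb3</if><ipaddr>dhcp</ipaddr></opt2>
  </interfaces>
</pfsense>
"""


def dhcp_client_interfaces(config_xml: str) -> list:
    """Return one dict per interface configured as an IPv4 DHCP client.

    Only <ipaddr> is inspected: an IPv4 'dhcp' interface is what starts
    dhclient. <ipaddrv6>dhcp6</ipaddrv6> is served by dhcp6c, a different
    program, so it is deliberately not counted. Static and PPPoE interfaces
    never run dhclient and are skipped as well.
    """
    root = ET.fromstring(config_xml)
    interfaces = root.find("interfaces")
    if interfaces is None:
        return []
    found = []
    for iface in interfaces:
        ipaddr = (iface.findtext("ipaddr") or "").strip().lower()
        if ipaddr != "dhcp":
            continue
        found.append({
            "name": iface.tag,
            "descr": iface.findtext("descr") or iface.tag.upper(),
            "if": iface.findtext("if"),
            # assumption: pfSense marks an enabled interface with an (empty) <enable> element
            "enabled": iface.find("enable") is not None,
        })
    return found


def exposure_summary(config_xml: str) -> str:
    """Human-readable list of where dhclient actually runs."""
    lines = []
    for e in dhcp_client_interfaces(config_xml):
        state = "dhclient runs here" if e["enabled"] else "disabled, no dhclient"
        lines.append(f"{e['name']} ({e['descr']}, {e['if']}): {state}")
    return "\n".join(lines) or "no IPv4 DHCP client interfaces: not exposed"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else CONFIG_PATH
    try:
        with open(path) as fh:
            xml_text = fh.read()
    except OSError:
        xml_text = SAMPLE_CONFIG   # dry run off the firewall
    print(exposure_summary(xml_text))
```

The script only tells you on which interfaces dhclient is started; whether the DHCP server on the other side of each of those links is your own ONT/router or an untrusted segment is the judgement the post above describes, and you still have to make it yourself.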
@elvisimprsntr said in FreeBSD DHCP Client Vulnerability CVE-2026-42511:
Monitor Netgate’s System Patches package for a future fix.
Don't hold your breath.
dhclient is an executable, a binary, not a script.
The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives.
That's, imho, a source code "correct and recompile and rebuild executable" process.
The pfSense system patcher (now built in) can only patch 'text' script files, not binaries.
That's why the good old console or SSH option 13,
and option 8:
pkg update
as these two will upgrade pfSense 'FreeBSD' packages, and can update binaries.
-
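The quoting defect described in the post above (a server-controlled string written inside a double-quoted lease-file statement without escaping), modelled as an added example. This is not FreeBSD's or Netgate's dhclient source: the writer and the statement splitter are deliberately minimal stand-ins for the real lease-file code and dhclient.conf parser, the sample field value is constructed, and `hypothetical-directive` is a placeholder keyword, not a real dhclient.conf directive. The hardened writer escapes backslashes and double quotes, the generic fix for this bug class, not necessarily the exact upstream patch.

```python
"""Toy model of the lease-file quoting defect quoted above.
Added example: not FreeBSD's or Netgate's dhclient source. The writer and
the statement splitter are minimal stand-ins for the real lease-file code
and dhclient.conf parser, and 'hypothetical-directive' is a placeholder
keyword, not a real dhclient.conf directive."""


def write_lease_unescaped(filename_field: str) -> str:
    """Vulnerable pattern: the server-supplied BOOTP 'file' value is
    interpolated verbatim between double quotes."""
    return f'lease {{\n  filename "{filename_field}";\n}}\n'


def escape_quoted(value: str) -> str:
    """Escape backslashes first, then double quotes, so the value can never
    terminate the quoted string it is placed in (generic fix for this bug
    class, not necessarily the exact upstream patch)."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def write_lease_escaped(filename_field: str) -> str:
    """Hardened writer: same layout, value escaped before interpolation."""
    return f'lease {{\n  filename "{escape_quoted(filename_field)}";\n}}\n'


def split_statements(text: str) -> list:
    """Split a dhclient.conf-style text into statements the way a parser
    would see them: ';', '{' and '}' end a statement, except inside a
    double-quoted string, where a backslash escapes the next character."""
    stmts, cur, in_str, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            if ch == "\\" and i + 1 < len(text):
                cur += text[i:i + 2]   # keep the escaped pair together
                i += 2
                continue
            cur += ch
            if ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur += ch
        elif ch in ";{}":
            if cur.strip():
                stmts.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    if cur.strip():
        stmts.append(cur.strip())
    return stmts


# Constructed attacker-controlled 'file' field: closes the quoted string,
# terminates the filename statement and starts a second statement.
PAYLOAD = 'boot.img"; hypothetical-directive "injected'


def demo():
    """Return (statements seen with the vulnerable writer,
               statements seen with the escaping writer)."""
    return (split_statements(write_lease_unescaped(PAYLOAD)),
            split_statements(write_lease_escaped(PAYLOAD)))


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unescaped writer ->", unsafe)   # three statements: a directive was injected
    print("escaped writer   ->", safe)     # two statements: the payload stays a string
```

The point of the splitter is to make the difference visible: with the vulnerable writer the parser sees a third statement that the server, not the administrator, chose; with the escaping writer the whole field remains the argument of the one `filename` statement.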
I'm a bit surprised by the radio-silence from netgate, unless I'm looking in the wrong places.
If this isn't going to get fixed in CE I hope at the very least the paid offerings get the fix and I can at least pay my way out :/ -
@Gertjan It appears that neither the pfSense-core repository nor the pfSense repository has had any recent updates. Is there a means to update dhclient while waiting for Netgate to incorporate it into their repositories?
-
Update to what ?
Upfront : I'm a pfSense user, just like you. What follows is 'imho'.
These conditions apply:
You need a "FreeBSD 16.0-CURRENT" software development tree on a system, and then compile+build a new "dhclient" package. Then deploy it in your pfSense.
That's ... complicated.
From what I've read in the past, pfSense (Netgate) uses a modified source version of the original FreeBSD dhclient package. They removed non applicable stuff, and probably add other stuff.
For "FreeBSD DHCP Client Vulnerability CVE-2026-42511" to be an issue, this means that your upstream (WAN, ISP ?) DHCP server must contain bugs, or is malicious.
Also, if "FreeBSD DHCP Client Vulnerability CVE-2026-42511" was really 'dangerous', Netgate would have rebuilt their own dhclient package and already made it available.
My point of view: Netgate isn't the local fruits and vegetables store that also does "firewalls"; they are users (consumers) of FreeBSD and active contributors to FreeBSD, which implies they are very aware of all outstanding issues, as they use FreeBSD in a security solution, pfSense.
Netgate receives CVEs before they go public. -
@Gertjan said in FreeBSD DHCP Client Vulnerability CVE-2026-42511:
You need a "FreeBSD 16.0-CURRENT" software development tree on a system, and then compile+build a new "dhclient" package. Then deploy it in your pfSense.
That's ... complicated.
I've been building and administering FreeBSD/OpenBSD servers for about 24 years. I'm familiar with building from source.
From what I've read in the past, pfSense (Netgate) uses a modified source version of the original FreeBSD dhclient package. They removed non applicable stuff, and add probably other stuff.
Yup. I'm looking for a yes or no response to whether I can grab a patched dhclient binary and replace the vulnerable one without breaking anything in pfSense.
Also, if "FreeBSD DHCP Client Vulnerability CVE-2026-42511" was really a 'dangerous', Netgate would have rebuild their own dhclient package and made it already available.
The danger depends on how well protected the WAN you are attached to is from rogue DHCP servers.

-
@tweek said in FreeBSD DHCP Client Vulnerability CVE-2026-42511:
I've been building and administering FreeBSD/OpenBSD servers for about 24 years. I'm familiar with building from source.
Then you must be aware of the fact that building against the pfSense FreeBSD source tree isn't native FreeBSD.
Building (yourself) pfSense is what I would call 'complicated'. My info source is forum posts about the subject.
It isn't
./configure
make world
make install
The makefile isn't public afaik.
@tweek said in FreeBSD DHCP Client Vulnerability CVE-2026-42511:
Yup. I'm looking for a yes or no response to whether I can grab a patched dhclient binary and replace the vulnerable one without breaking anything in pfSense,
If it exists, it's here: github pfSense, somewhere in the "FreeBSD-ports". I can't find it. I can't say that because I can't find it it's 'yes' - or 'no'. I'll say 'probably'.

-
-
@tweek - Unbound 1.25.1 has just been released and it does contain many CVE fixes. This means that the current Unbound included with pfSense is 2 versions behind.
I don't like the fact that it's bundled with pfSense and not like a package that can be updated separately.
This was (for me) the reason I run Unbound on a separate host where I am in full control and can compile as soon as a new version is available.
Maybe that is the choice you have to consider. -
@markster said in FreeBSD DHCP Client Vulnerability CVE-2026-42511:
I dont like the fact that its bundled with pfsense and not like a package that can be updated separately.
I'll show you how to like it again

I guess this is what you mean.
Netgate is of course already aware of the big 'CVE' list, and the latest unbound version 1.25.1.
Now, for the details: use the console or SSH access. Option 8.
pkg info
and that went too fast.
Let's check 'unbound':
pkg info | grep unbound
I guess you said "Aha!" just now.
So it's very possible that Netgate produces an updated 'unbound' package for pfSense in the near future and pushes it out, or any FreeBSD-like package you saw with 'pkg info'.
You won't see the availability of this update in the GUI (Package Manager), which lists only 'pfSense GUI Packages".
That's why, years ago, someone made this. It's a script, and a cron task that executes it regularly. As soon as an update has a new version, you'll be the first to know. The script lists pfSense updates, pfSense Package updates, and all 'core' pfSense FreeBSD updates (like 'unbound' in this case).
So, hurry now, "install" it (it's just one file) and make the cron task.
I'm pretty sure you'll get a mail soon that tells you a new pfSense unbound update is available
edit :
"1.25.1" probably doesn't need any GUI changes.
But the version before, 1.25.0, probably does. If you were using unbound on a server or desktop device, you could upgrade, read the release notes, adapt (or not) unbound.conf, and restart.
Netgate has to go over every change, and checks if the GUI - the part that collects the setting and make the config files, needs to be changed. -
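An added example (not the script Gertjan refers to, and not Netgate code) of the core of such a cron check: it parses the "Installed packages to be UPGRADED" block that pkg prints in a dry run (pkg upgrade -n), the same listing format as the transcript posted later in this thread, and reports only entries that were not already pending with the same target version on the previous run, so a cron job does not mail the same update every time it fires. The sample output is constructed, and the state-file path and the mail step are assumptions.

```python
"""Parse 'pkg upgrade -n' (dry-run) output and report newly pending updates.
Added example, not the script referred to in the thread and not Netgate code.
Run on the firewall from the shell (console option 8):
    pkg upgrade -n | python3 pkg_pending.py
STATE_FILE is an assumed location; any path writable by the cron user works."""
import json
import os
import re
import sys

STATE_FILE = "/var/db/pkg_pending_state.json"   # assumption

# Section headers pkg prints before the affected-package list, e.g.
# "Installed packages to be UPGRADED:" or "New packages to be INSTALLED:"
SECTION_RE = re.compile(r"^(?:Installed|New) packages to be ([A-Z]+):$")
# Upgrade lines:  "\tunbound: 1.24.2_1 -> 1.25.1 [pfSense]"
UPGRADE_RE = re.compile(r"^\s*([\w.+-]+): (\S+) -> (\S+)(?: \[(\S+)\])?$")
# Install lines:  "\tfoo: 1.0 [pfSense]"
INSTALL_RE = re.compile(r"^\s*([\w.+-]+): (\S+)(?: \[(\S+)\])?$")

# Constructed sample mirroring the listing format shown in this thread.
SAMPLE_OUTPUT = """Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (110 candidates): 100%
Processing candidates (110 candidates): 100%
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
\tpfSense-repoc: 20260519.042442 -> 20260521.044308 [pfSense]
\tunbound: 1.24.2_1 -> 1.25.1 [pfSense]

Number of packages to be upgraded: 2

13 MiB to be downloaded.
"""


def parse_pkg_dry_run(output: str) -> dict:
    """Return {package: {"action", "old", "new", "repo"}} from pkg's listing."""
    pending, action = {}, None
    for line in output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            action = m.group(1)
            continue
        if not line.strip():            # a blank line ends a section
            action = None
            continue
        if action is None:
            continue                    # chatter outside any package section
        m = UPGRADE_RE.match(line)
        if m:
            name, old, new, repo = m.groups()
        else:
            m = INSTALL_RE.match(line)
            if not m:
                continue
            name, new, repo = m.groups()
            old = None
        pending[name] = {"action": action, "old": old, "new": new, "repo": repo}
    return pending


def newly_pending(previous: dict, current: dict) -> dict:
    """Entries of current that were absent, or targeted another version, last run."""
    return {n: e for n, e in current.items()
            if previous.get(n, {}).get("new") != e["new"]}


def format_report(entries: dict) -> str:
    return "\n".join(
        f"{n}: {e['old'] or '(new)'} -> {e['new']} [{e['repo'] or '?'}] ({e['action']})"
        for n, e in sorted(entries.items()))


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    current = parse_pkg_dry_run(text)
    previous = {}
    if os.path.exists(STATE_FILE):
        with open(STATE_FILE) as fh:
            previous = json.load(fh)
    fresh = newly_pending(previous, current)
    if fresh:
        print(format_report(fresh))   # pipe this into mail(1) from the cron entry
    with open(STATE_FILE, "w") as fh:
        json.dump(current, fh)
```

Only what is printed changes between runs; the state file always records the full pending set, so once a package has been applied it simply drops out and will be reported again the next time a newer version appears.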
@Gertjan
I get what you are saying, but for a component like DNS I would probably stay away from GUI configuration. Every time there are new modifications you are forced to update the GUI and add additional logic to read the values, etc. That in fact creates a dependency between components and potential additional errors in the interface code between components.
The good thing is we can use external DNS and, as I mentioned, compile Unbound when we need to. I get that this may not be for everyone.
-
Every time there are new modifications you are forced to update gui interface and add additional logic to read the values etc. That in fact creates dependency between components and potential additional errors in the interface codes between components.
Kinda sorta what "Custom options" is for. (And not just for the pfSense-packaged Unbound package). -
@markster said in FreeBSD DHCP Client Vulnerability CVE-2026-42511:
Unbund 1.25.1 has just been released and it does contain many CVE fixes.
I can't speak to CE, but FWIW the Plus repo contains Unbound 1.25.1 as of yesterday/today.
[26.03-RELEASE][root@fw]/root: pkg upgrade
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
Checking for upgrades (110 candidates): 100%
Processing candidates (110 candidates): 100%
The following 2 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	pfSense-repoc: 20260519.042442 -> 20260521.044308 [pfSense]
	unbound: 1.24.2_1 -> 1.25.1 [pfSense]

Number of packages to be upgraded: 2

13 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/2] Fetching unbound-1.25.1: 100%    4 MiB   1.9 M/s    00:02
[2/2] Fetching pfSense-repoc-20260521.044308: 100%    9 MiB   9.9 M/s    00:01
Checking integrity... done (0 conflicting)
[1/2] Upgrading pfSense-repoc from 20260519.042442 to 20260521.044308...
[1/2] Extracting pfSense-repoc-20260521.044308: 100%
[2/2] Upgrading unbound from 1.24.2_1 to 1.25.1...
===> Creating groups
Using existing group 'unbound'
===> Creating users
Using existing user 'unbound'
[2/2] Extracting unbound-1.25.1: 100%
[26.03-RELEASE][root@fw]/root: -
@dennypage said in FreeBSD DHCP Client Vulnerability CVE-2026-42511:
I can't speak to CE, but FWIW the Plus repo contains Unbound 1.25.1 as of yesterday/today.
Did you get strongswan-6.0.6 update?
[26.03-RELEASE][root@pfSense.home.arpa]/root: pkg info strongswan-6.0.6
strongswan-6.0.6
Name : strongswan
Version : 6.0.6 -
@mcury said in FreeBSD DHCP Client Vulnerability CVE-2026-42511:
Did you get strongswan-6.0.6 update?
Yes, a couple days ago.