The BOOTP file field is written to the lease file without escaping embedded double-quotes, allowing injection of arbitrary dhclient.conf directives. When the lease file is subsequently re-parsed by dhclient, e.g. after a system restart, an attacker-controlled field from the lease is passed to dhclient-script(8), which evaluates it. A rogue DHCP server may be able to execute arbitrary code as root on a system running dhclient.
Casky was already ahead
The attack patterns behind this CVE are ones that Casky's 0 matched skills already investigate, long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-42511 is a critical vulnerability in dhclient: the BOOTP file (boot filename) field supplied by the DHCP server is copied into the lease file between double-quotes without escaping, so a value that contains a quote closes the string early and everything after it is parsed as arbitrary dhclient.conf directives. The bug is two-phase. The injection lands when the lease is written; it fires when dhclient re-parses the lease file, for example after a system restart, and passes the injected, attacker-controlled field to dhclient-script, which evaluates it as root because dhclient runs as root. DHCP clients do not authenticate the server, so a rogue DHCP server on the client's broadcast domain, or one reached through a relay, can use this for unauthenticated remote code execution on any system running the vulnerable dhclient. That makes it particularly dangerous wherever an attacker can sit on the local network or control DHCP infrastructure, and it affects any system that relies on DHCP for network configuration, from personal devices to enterprise infrastructure.
While MITRE ATT&CK mapping is pending for this CVE, Casky's Claude-powered analysis would correlate this attack pattern across multiple kill chain phases: initial network reconnaissance to identify DHCP clients, delivery through a rogue DHCP server or a man-in-the-middle position on the DHCP path, and post-exploitation persistence through root-level code execution that re-triggers every time the poisoned lease is re-read. Practitioners using Casky would see detection guidance around monitoring DHCP transactions for offers from unexpected server addresses, file-integrity monitoring of the dhclient lease file (in particular lease entries that contain directives a lease should never carry), suspicious dhclient-script invocations, and unexpected child processes of dhclient or dhclient-script. The platform's extended reasoning would help security teams understand that exploitation requires network access but bypasses traditional authentication boundaries, qualifying this as a high-priority threat requiring immediate patch deployment and validation of network segmentation, including switch-level controls such as DHCP snooping that block rogue DHCP servers on access ports.
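As an added example, not code from this page, from Casky, or from ISC dhclient, the following Python models the injection and the lease-file check described above. It writes a lease block the way the vulnerable writer does (value copied verbatim between quotes) and the way a hardened writer does (quotes, backslashes and non-printables escaped), then parses both back with a quote-aware tokenizer and audits the result. The lease grammar is a simplified model, the allowlist of statements permitted inside a lease is an assumption, and the `script` payload and sample values are constructed for illustration.

```python
"""Quote injection through an unescaped BOOTP 'file' field.

Added example; not code from the page, Casky or ISC dhclient. The lease
syntax is a simplified model of dhclient.leases, and the payload below is
a constructed illustration of the mechanism the advisory describes.
"""
import re
from typing import Dict, List

# Constructed BOOTP 'file' values (no real capture).
BENIGN_FILE = "pxelinux.0"
# Closes the filename string, injects a top-level dhclient.conf directive
# ('script' names the hook dhclient runs), then re-opens a string so the
# writer's own closing quote still matches and the file parses cleanly.
INJECTED_FILE = 'pxelinux.0"; script "/tmp/evil-dhclient-script"; filename "pxelinux.0'

# Statement names that belong inside a lease block (assumed allowlist;
# extend it for whatever your real lease files legitimately contain).
LEASE_ALLOWLIST = frozenset(
    {"lease", "interface", "fixed-address", "filename", "server-name",
     "option", "medium", "renew", "rebind", "expire"}
)


def escape_lease_string(value: str) -> str:
    """Escape a value so it survives as ONE quoted string when re-parsed."""
    out = []
    for ch in value:
        if ch in '\\"':
            out.append("\\" + ch)
        elif not 0x20 <= ord(ch) <= 0x7E:
            out.append("\\%03o" % ord(ch))      # octal escape for non-printables
        else:
            out.append(ch)
    return "".join(out)


def write_lease(fields: Dict[str, str], escape: bool) -> str:
    """Render a lease block. escape=False models the vulnerable writer,
    which copies the server-supplied value between quotes verbatim."""
    enc = escape_lease_string if escape else (lambda s: s)
    body = [f'  {k} "{enc(v)}";' for k, v in fields.items()]
    return "\n".join(["lease {"] + body + ["}"]) + "\n"


# quoted string (with backslash escapes) | punctuation | bare word
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|([;{}])|([^\s";{}]+))', re.S)


def _unescape(s: str) -> str:
    """Reverse escape_lease_string: backslash-quote, backslash-backslash, octal."""
    def one(m: "re.Match[str]") -> str:
        e = m.group(1)
        return chr(int(e, 8)) if len(e) == 3 else e
    return re.sub(r"\\([0-7]{3}|.)", one, s, flags=re.S)


def parse_statements(text: str) -> List[List[str]]:
    """Split lease text into statements the way a conf parser would:
    ';' and braces terminate a statement, quotes and escapes are honoured."""
    stmts: List[List[str]] = []
    cur: List[str] = []
    for m in _TOKEN.finditer(text):
        quoted, punct, bare = m.groups()
        if punct is not None:
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(_unescape(quoted) if quoted is not None else bare)
    if cur:
        stmts.append(cur)
    return stmts


def audit_lease(text: str) -> List[str]:
    """Flag directives a lease should never carry, and string fields whose
    value contains quote/semicolon/newline (an injection attempt that a
    hardened writer neutralised but that is still worth alerting on)."""
    findings = []
    for stmt in parse_statements(text):
        name = stmt[0]
        if name not in LEASE_ALLOWLIST:
            findings.append("unexpected directive: " + " ".join(stmt))
        elif name in ("filename", "server-name") and len(stmt) > 1 \
                and re.search(r'["\n;]', stmt[1]):
            findings.append(f"suspicious {name} value: {stmt[1]!r}")
    return findings


if __name__ == "__main__":
    fields = {"interface": "eth0", "filename": INJECTED_FILE}
    for label, escape in (("vulnerable", False), ("hardened", True)):
        text = write_lease(fields, escape)
        print(f"--- {label} writer ---\n{text}")
        print("statements:", [s[0] for s in parse_statements(text)])
        print("findings:  ", audit_lease(text), "\n")
```

With the vulnerable writer the re-parsed lease contains a separate `script` statement that the server never legitimately sent; with the hardened writer the whole payload round-trips as the single `filename` value and no directive is injected, while `audit_lease` still reports the quote-bearing value so the attempt is visible. To use the check on a real host, pass the contents of the dhclient lease file to `audit_lease` and tune `LEASE_ALLOWLIST` to the statements your clients actually write.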
© 2026 Casky.AI, Inc. · AI Security Investigation