UBUNTU-CVE-2026-14258

Source
https://ubuntu.com/security/CVE-2026-14258
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14258.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-14258
Upstream
  • CVE-2026-14258
Published
2026-07-01T11:16:00Z
Modified
2026-07-01T23:38:35.986871324Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a zero-length Neighbor Discovery option can bypass validation during packet storage and later be reparsed without adequate validation, causing the parser to enter a non-advancing loop. Successful exploitation may result in excessive CPU consumption, leading to a denial of service.

References

Affected packages

Ubuntu:24.04:LTS / dhcpcd

Package

Name
dhcpcd
Purl
pkg:deb/ubuntu/dhcpcd?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:10.*
1:10.0.2-3ubuntu3
1:10.0.5-1
1:10.0.5-2
1:10.0.5-3
1:10.0.5-4
1:10.0.5-5
1:10.0.6-1
1:10.0.6-1ubuntu1
1:10.0.6-1ubuntu2
1:10.0.6-1ubuntu3
1:10.0.6-1ubuntu3.1
1:10.0.6-1ubuntu3.2

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1:10.0.6-1ubuntu3.2",
            "binary_name": "dhcpcd"
        },
        {
            "binary_version": "1:10.0.6-1ubuntu3.2",
            "binary_name": "dhcpcd-base"
        },
        {
            "binary_version": "1:10.0.6-1ubuntu3.2",
            "binary_name": "dhcpcd5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14258.json"

Ubuntu:25.10 / dhcpcd

Package

Name
dhcpcd
Purl
pkg:deb/ubuntu/dhcpcd?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:10.*
1:10.1.0-8
1:10.1.0-10
1:10.1.0-11
1:10.1.0-12
1:10.2.4-3
1:10.2.4-4

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1:10.2.4-4",
            "binary_name": "dhcpcd"
        },
        {
            "binary_version": "1:10.2.4-4",
            "binary_name": "dhcpcd-base"
        },
        {
            "binary_version": "1:10.2.4-4",
            "binary_name": "dhcpcd5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14258.json"

Ubuntu:26.04:LTS / dhcpcd

Package

Name
dhcpcd
Purl
pkg:deb/ubuntu/dhcpcd?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

1:10.*
1:10.2.4-4
1:10.3.0-2
1:10.3.0-3
1:10.3.0-7

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "1:10.3.0-7",
            "binary_name": "dhcpcd"
        },
        {
            "binary_version": "1:10.3.0-7",
            "binary_name": "dhcpcd-base"
        },
        {
            "binary_version": "1:10.3.0-7",
            "binary_name": "dhcpcd5"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-14258.json"