Summary
On April 29, 2026, FreeBSD published three core security advisories credited to
Joshua Rogers of AISLE Research Team. The headline issue is CVE-2026-42511, a
FreeBSD dhclient bug where attacker-controlled BOOTP data can be written into
the lease database and later reinterpreted by a privileged shell path.
The practical impact is local-network-to-root code execution: a rogue DHCP
server, or an attacker able to spoof DHCP responses on the same broadcast
domain, can target a FreeBSD host running dhclient. FreeBSD’s advisory says
all supported FreeBSD versions were affected and no workaround was available
besides not running dhclient or relying on network controls such as DHCP
snooping.
AISLE’s companion FreeBSD post and the same April 29 advisory batch also cover
CVE-2026-42512, a remotely triggerable dhclient heap buffer overrun, and
CVE-2026-39457, a libnv stack overflow that can become local privilege
escalation when reachable through a privileged consumer.
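To make the summary's bug class concrete from the defender's side, here is an added illustration that is not FreeBSD's dhclient code and not taken from AISLE's write-up: a lease-file writer that treats every DHCP-supplied string as untrusted before it can reach a shell-evaluated file. It assumes the general pattern the summary describes (option strings persisted to a lease file that a privileged shell script later reads); the option names, the allowlist, and the sample values are constructed for the example and say nothing about the advisory's actual payloads.

```python
import re
import shlex

# Constructed sample options, as a rogue DHCP server could supply them.
# Illustration only; not the data from the advisory.
SAMPLE_OPTIONS = {
    "domain-name": "example.test",
    "host-name": "victim; echo injected",   # shell metacharacters inside a "name"
    "server-name": "$(id)",                  # command substitution inside a "name"
    "vendor-class": "$(id)",                 # free-form field, quoted rather than rejected
}

# Option keys that must be plain DNS-style names (assumed set for this example).
NAME_KEYS = {"domain-name", "host-name", "server-name"}

# Conservative allowlist: letters, digits, hyphen, dot; bounded length.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253})$")


def validate_name(value: str) -> bool:
    """Return True only if value looks like a plain DNS name."""
    return bool(HOSTNAME_RE.match(value))


def render_lease_line(key: str, value: str) -> str:
    """Render one KEY=VALUE line for a lease file that a shell script sources.

    Name-like fields are validated against the allowlist and rejected on
    failure.  Every value, validated or not, is passed through shlex.quote so
    the shell sees it as data and never as syntax.
    """
    if key in NAME_KEYS and not validate_name(value):
        raise ValueError(f"rejected untrusted {key}: {value!r}")
    return f"{key}={shlex.quote(value)}"


def build_lease_file(options: dict) -> tuple[list[str], list[str]]:
    """Split options into accepted lease lines and the keys that were rejected."""
    accepted, rejected = [], []
    for key, value in options.items():
        try:
            accepted.append(render_lease_line(key, value))
        except ValueError:
            rejected.append(key)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = build_lease_file(SAMPLE_OPTIONS)
    print("\n".join(ok))
    print("rejected:", bad)
```

The two layers are deliberate: quoting alone would make `$(id)` inert in a sourced file, but a field that is supposed to be a hostname should never contain such characters in the first place, so rejecting it early also gives a detection signal (a log line per rejected key) that a DHCP peer on the broadcast domain is misbehaving.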
Why this is grouped
The three CVEs landed in the same coordinated FreeBSD advisory release, were credited to the same AISLE researcher, and are presented by AISLE as one FreeBSD campaign. The RCE has the strongest public technical write-up, so it is the lead case, but the CVE count belongs with the full advisory batch.
Attribution
FreeBSD confirms the vulnerability records and directly credits AISLE Research Team. AISLE supplies the AI-system attribution, saying the initial flaw was identified by its AI-based source-code analysis pipeline and then investigated by triage agents and researchers.
That matches Bugflation’s direct attribution category: the vendor advisory confirms the accepted security reports and the primary research team identifies the AI-driven discovery workflow.
Age caveat
AISLE describes CVE-2026-42511 as a 21-year-old FreeBSD vulnerability. The
public FreeBSD 6.0 release record supports the key history: FreeBSD 6.0 was
announced on November 4, 2005, and its release notes say OpenBSD dhclient was
imported to replace the prior ISC DHCP client. Measured to the April 29, 2026
advisory date, that is a two-decade-old bug, not yet a full 21 calendar years.
References
- AISLE: CVE-2026-42511 FreeBSD dhclient RCE
- AISLE: 3 critical vulnerabilities in FreeBSD
- FreeBSD-SA-26:12.dhclient advisory
- FreeBSD-SA-26:15.dhclient advisory
- FreeBSD-SA-26:16.libnv advisory
- FreeBSD fix commit for CVE-2026-42511
- NVD: CVE-2026-42511
Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.