SUSE-SU-2026:22542-1: moderate: Security update for dhcpcd

SLE-UPDATES null at suse.de
Mon Jul 13 16:32:20 UTC 2026


# Security update for dhcpcd

Announcement ID: SUSE-SU-2026:22542-1  
Release Date: 2026-07-06T20:10:31Z  
Rating: moderate  
References:

  * bsc#1268761

  
Cross-References:

  * CVE-2025-70102

  
CVSS scores:

  * CVE-2025-70102 ( SUSE ):  6.8
    CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-70102 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-70102 ( NVD ):  6.3 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

  
Affected Products:

  * SUSE Linux Micro 6.2

  
  
An update that solves one vulnerability can now be installed.

## Description:

This update for dhcpcd fixes the following issue

Update to 10.3.2:

  * CVE-2025-70102: NULL pointer dereference in `parse_option()` when processing
    a specially crafted configuration input (bsc#1268761).

Changes for dhcpcd:

  * options: Ensure ldop is not NULL dereferenced
  * DHCP: Don't run double EXPIRE hooks on carrier loss
  * DHCP: free the state when dropping on state NONE
  * BSD: don't send uninitialised memory using ps_root_indirectioctl
  * Fix fallback_time option
  * IPv4: Ignore DHCP state when building routes
  * route: Routes may not have an interface assinged
  * options: Ensure that an overly long bitflag string does not crash
  * options: Don't assume vsio options have an argument
  * common: Cast via uintptr_t rather than unsigned long in UNCONST
  * privsep: Ensure we recv for real after a successful recv MSG_PEEK
  * DHCP: Add parentheses to macro definitions
  * ipv6nd: empty IPV6RA_EXPIRE eloop queue when dropping
  * privsep: enforce message boundaries with MSG_EOR on our messages
  * Protocols will notify when dhcpcd can exit
  * DHCP: Don't request T1 and T2
  * DHCP: Don't request a lease time
  * DHCP6: Don't exit if using DHCP4 INFORM in non manager mode
  * ND: Route Information Option prefix is optional
  * ipv6: respect slaac hwaddr to really use the hwaddr
  * When stopping all interfaces at exit and releasing, remove persistance
  * NetBSD: Delete RTF_CONNECTED route when changing it
  * privsep: Drain the log when the root process is exiting
  * eloop: vastly reworked, kqueue and epoll support on by default

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.2  
    zypper in -t patch SUSE-SL-Micro-6.2-1147=1

## Package List:

  * SUSE Linux Micro 6.2 (aarch64 ppc64le s390x x86_64)
    * dhcpcd-debugsource-10.3.2-160000.1.2
    * dhcpcd-10.3.2-160000.1.2
    * dhcpcd-debuginfo-10.3.2-160000.1.2

## References:

  * https://www.suse.com/security/cve/CVE-2025-70102.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1268761

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260713/ae527549/attachment.htm>


More information about the sle-updates mailing list