Security News

Cybersecurity news aggregator

HIGH News Reddit r/netsec

CVE-2026-42511 Breakdown: RCE in FreeBSD

CVE-2026-42511 is a remote command execution vulnerability in FreeBSD's `dhclient` that allows an attacker on the same local network to inject and execute arbitrary commands with root privileges by spoofing malicious DHCP responses. The logic flaw, which involves improper sanitization of attacker-controlled DHCP data, was introduced in FreeBSD-6.0 in 2005 and affects all subsequent versions. The article does not provide a CVSS score, fixed version, or specific workaround.

AISLE Discovers CVE-2026-42511: a 21-Year-Old FreeBSD Remote Command Execution Vulnerability

Author: Joshua Rogers
Date Published: May 7, 2026

About FreeBSD

FreeBSD is often described as one of the most secure operating systems in the world, with its reputation arising from its high-quality networking stack, deliberate engineering, and a philosophy of security through simplicity. FreeBSD's history and usage are remarkable: it powers Netflix's Open Connect infrastructure, Sony's PlayStation OS, part of Nintendo's Switch OS, Yahoo's backend services, NetApp's storage systems, Citrix's NetScaler, and (historically) WhatsApp's backend services, and has long helped form the software base of major networking platforms (Cisco, Juniper, and so on). It is now the focus of a substantial Foundation effort to make it work better on modern laptops and, for full disclosure, remains the author's personal operating system of choice.

CVE-2026-42511: Command Injection to Root RCE

AISLE discovered a remote command execution vulnerability in FreeBSD's `dhclient` that is trivially weaponizable and wormable by any system on the same local network as the FreeBSD system. The vulnerability first entered FreeBSD in the 2005 release of FreeBSD-6.0, when OpenBSD's `dhclient` was imported, and lay dormant until discovered by AISLE. The vulnerability also affected OpenBSD until 2022, when that operating system deprecated `dhclient` completely, effectively fixing the vulnerability.

The initial flaw was identified by AISLE's AI-based source code analysis pipeline and then investigated by our triage agents. Joshua Rogers of AISLE's Offensive Security Research Team traced the relevant code paths, established the full security impact, and developed a proof of concept demonstrating a complete local-network-to-root exploit chain.

With the Foundation recently budgeting $750,000 for key improvements to laptop support, including greater Wi-Fi support, the attack surface here becomes even more relevant to everyday systems. A malicious wireless access point, or in some cases another attacker on the same Wi-Fi network able to spoof DHCP, can target the exact DHCP path that almost every wireless FreeBSD system will rely on.

Imagine you're the author of this post, who runs FreeBSD on their laptop: you're at a coffee shop, airport, or hotel, and as soon as you connect your FreeBSD-equipped laptop to the Wi-Fi, your whole system is hijacked in secret. Imagine you have a PlayStation whose OS is locked down from any unofficial access, only to be jailbroken, or hijacked, by connecting to a network. In other words, this vulnerability affects not only servers, but any FreeBSD machine that connects to a network using DHCP.

The vulnerability was a logic flaw that allowed attacker-controlled protocol data to be persisted into a trusted configuration-like format without proper sanitization, then later reinterpreted in a privileged execution path. That is exactly the kind of bug AISLE's autonomous security platform is built to find. Like our recent findings in OpenSSL, Firefox, libpng, and Amazon's Crypto Stack, this result came from disciplined engineering and end-to-end analysis, not model mythology.

| Date | Event |
| --- | --- |
| April 13, 2026 | Discovery of the vulnerability in FreeBSD's `dhclient`. |
| April 14, 2026 | AISLE disclosed the vulnerability to the FreeBSD Security Team. |
| April 29, 2026 | FreeBSD released a fix in FreeBSD-SA-26:12.dhclient. |

This advisory was one of several FreeBSD security advisories resulting from vulnerabilities discovered by AISLE. AISLE also discovered the issues addressed in FreeBSD-SA-26:15.dhclient and FreeBSD-SA-26:16.libnv. For a broader overview of AISLE's FreeBSD findings, including the other vulnerabilities disclosed in this coordinated release, see our companion post: AISLE Discovers 3 Critical Vulnerabilities in FreeBSD.

While these are just the first of our published discoveries in FreeBSD, we are continuing to report more, working towards a more secure operating system ecosystem. We continue to report additional vulnerabilities to the FreeBSD project, several of which are still moving through the coordinated disclosure and remediation process.

In the sections that follow, we explain how the vulnerability works and how it can be exploited from the local network to gain root on a target system.

The Vulnerability

DHCP is the protocol most systems use to get an IP address and basic network settings automatically. `dhclient` is FreeBSD's DHCP client: it talks to the DHCP server, stores the lease it gets back in `/var/db/dhclient.leases.<if>`, and runs `/sbin/dhclient-script` to apply that configuration. Because leases are renewed periodically, `dhclient` runs as root not only at boot, but again during normal network operation.

The vulnerability leading to RCE starts in `sbin/dhclient/dhclient.c`, in the `write_client_lease()` function. `dhclient` writes data from the DHCP reply into the on-disk lease file at `/var/db/dhclient.leases.<if>`, using fairly simple logic, which builds the formatted ...
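The bug class described above (server-supplied data written into a quoted, configuration-like file and parsed again later) can be shown in a few lines. This is an added illustration, not FreeBSD's `write_client_lease()` code or the actual fix; the `key "value";` format, the function names and the sample value are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Bug class: the untrusted value is copied between the quotes verbatim. */
static void write_unsafe(char *out, size_t n, const char *key, const char *val) {
    snprintf(out, n, "%s \"%s\";", key, val);
}

/* Hardened writer: escape quote and backslash, octal-escape non-printables. */
static int write_escaped(char *out, size_t n, const char *key, const char *val) {
    size_t o = (size_t)snprintf(out, n, "%s \"", key);
    if (o + 8 > n) return -1;            /* also covers truncation of the key */
    for (const unsigned char *p = (const unsigned char *)val; *p; p++) {
        if (o + 8 > n) return -1;        /* worst case: "\ooo" plus "\";" and NUL */
        if (*p == '"' || *p == '\\') { out[o++] = '\\'; out[o++] = (char)*p; }
        else if (*p < 0x20 || *p > 0x7e)
            o += (size_t)snprintf(out + o, n - o, "\\%03o", (unsigned)*p);
        else out[o++] = (char)*p;
    }
    out[o++] = '"'; out[o++] = ';'; out[o] = '\0';
    return 0;
}

/* Reader side: count ';'-terminated statements, honouring quotes and escapes. */
static int count_statements(const char *s) {
    int in_quote = 0, count = 0;
    for (; *s; s++) {
        if (in_quote && *s == '\\' && s[1]) { s++; continue; }
        if (*s == '"') in_quote = !in_quote;
        else if (*s == ';' && !in_quote) count++;
    }
    return count;
}

/* Constructed sample: a single server-supplied value that contains a quote. */
static const char SAMPLE[] = "lan\"; extra-setting \"x";

/* Statements the reader sees after ONE value is written (hypothetical helper). */
int statements_after(int harden) {
    char line[256];
    if (!harden) write_unsafe(line, sizeof line, "option-name", SAMPLE);
    else if (write_escaped(line, sizeof line, "option-name", SAMPLE) != 0) return -1;
    return count_statements(line);
}

int main(void) {
    printf("unsafe: %d statement(s), escaped: %d statement(s)\n",
           statements_after(0), statements_after(1));
    return 0;
}
```

A round-trip check of this kind (one value in, exactly one statement back out) is a useful regression test for any code that persists network-supplied strings into a file that a privileged process later re-reads.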
