CVE-2026-29004
Published: 04 May 2026
Description
BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.
Security Summary (AI)
CVE-2026-29004 is a heap buffer overflow vulnerability in BusyBox versions prior to commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a. The flaw affects the DHCPv6 client component (udhcpc6), specifically the DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c. It arises from incorrect heap buffer allocation calculations in the option_to_env() function, classified under CWE-122, and was published on 2026-05-04.
Network-adjacent attackers can exploit the vulnerability by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option, triggering memory corruption. Exploitation requires low complexity, no privileges, and no user interaction, enabling denial of service or arbitrary code execution on vulnerable embedded systems without heap hardening. The CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) reflects high impacts on integrity and availability.
Advisories recommend updating to BusyBox versions including commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a or later, as provided in the GitHub mirror repository. Further details on the patch and vulnerability analysis are available from the BusyBox website at https://busybox.net/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers.
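The class of sizing error described above can be avoided by validating the option length and allocating for the worst-case text form of every address. The following is an added example, not BusyBox code and not a reproduction of option_to_env(); it assumes the payload is a list of 16-byte IPv6 addresses as RFC 3646 defines for the DNS server option, and the function name, the `dns=` prefix and the sample payload are hypothetical.

```c
/* Added illustration, not BusyBox code; names and the "dns=" prefix are hypothetical. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IN6_LEN 16          /* bytes per address in the option payload (RFC 3646) */
#define ENV_PREFIX "dns="

/* Constructed sample payload: two documentation-range addresses. */
static const uint8_t SAMPLE_OPT[32] = {
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x01,
    0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,0x53,
};

/* Returns a malloc'ed "dns=a1 a2 ..." string, or NULL if the payload is malformed. */
char *format_dns_servers(const uint8_t *data, size_t len)
{
    /* Reject empty, oversized (option-len is 16 bits) and partial-address payloads. */
    if (len == 0 || len > UINT16_MAX || len % IN6_LEN != 0)
        return NULL;
    size_t count = len / IN6_LEN;
    /* Worst case per address is INET6_ADDRSTRLEN (46): up to 45 characters of
     * text plus one byte used as the separator or the final NUL. */
    size_t cap = strlen(ENV_PREFIX) + count * INET6_ADDRSTRLEN;
    char *out = malloc(cap);
    if (!out)
        return NULL;
    size_t used = (size_t)snprintf(out, cap, "%s", ENV_PREFIX);
    for (size_t i = 0; i < count; i++) {
        char txt[INET6_ADDRSTRLEN];
        int n = -1;
        if (inet_ntop(AF_INET6, data + i * IN6_LEN, txt, sizeof txt))
            n = snprintf(out + used, cap - used, "%s%s", i ? " " : "", txt);
        if (n < 0 || (size_t)n >= cap - used) {   /* conversion failed or would truncate */
            free(out);
            return NULL;
        }
        used += (size_t)n;
    }
    return out;
}

int main(void)
{
    char *env = format_dns_servers(SAMPLE_OPT, sizeof SAMPLE_OPT);
    puts(env ? env : "malformed option");
    free(env);
    return 0;
}
```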
Details
- CWE(s)