Skip to main content

BusyBox CVE-2026-29004

| EUVDEUVD-2026-27043 HIGH
Heap-based Buffer Overflow (CWE-122)
2026-05-04 disclosure@vulncheck.com
7.2
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.2 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.1 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Patch available
May 04, 2026 - 19:17 EUVD
Source Code Evidence Fetched
May 04, 2026 - 18:30 vuln.today
Analysis Generated
May 04, 2026 - 18:30 vuln.today
Analysis Generated
May 04, 2026 - 18:22 vuln.today
CVE Published
May 04, 2026 - 18:16 nvd
HIGH 7.2

DescriptionCVE.org

BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.

AnalysisAI

Heap buffer overflow in BusyBox udhcpc6 (DHCPv6 client) allows network-adjacent attackers to achieve remote code execution or denial of service on embedded systems. The vulnerability stems from incorrect heap buffer allocation in option_to_env() when parsing D6_OPT_DNS_SERVERS options in DHCPv6 responses. Particularly dangerous on embedded devices lacking heap hardening protections. Fixed in commit 42202bf. No active exploitation confirmed (not in CISA KEV), but publicly available proof-of-concept from VulnCheck disclosure increases real-world risk for IoT and embedded deployments.

Technical ContextAI

BusyBox is a lightweight Unix utility suite widely deployed in embedded Linux systems, routers, and IoT devices. The vulnerability resides in the DHCPv6 client component (udhcpc6), specifically in d6_dhcpc.c's option_to_env() function. When processing DHCPv6 server responses containing DNS_SERVERS options (D6_OPT_DNS_SERVERS), the code incorrectly calculates heap buffer size as '4 + addrs * 40 - 1' instead of '4 + addrs * 40 + 1', creating an off-by-two allocation error. This is a classic CWE-122 heap-based buffer overflow where attacker-controlled DHCPv6 packet data can write beyond allocated memory boundaries. The 40-byte multiplier corresponds to IPv6 address representation size. The commit diff shows the fix adjusts both the allocation size and loop termination conditions to prevent the overflow. Embedded systems often lack modern heap exploitation mitigations like ASLR or heap canaries, making this particularly exploitable for arbitrary code execution.

RemediationAI

Update BusyBox to a version incorporating commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a or later from the upstream repository at https://github.com/vda-linux/busybox_mirror. For embedded systems unable to upgrade immediately, disable DHCPv6 client functionality (udhcpc6) if IPv6 is not operationally required - this eliminates the attack vector entirely but breaks IPv6 autoconfiguration. If DHCPv6 is necessary, implement network segmentation to restrict adjacent network access to trusted devices only, and deploy DHCPv6 server allowlisting to reject responses from unauthorized DHCPv6 servers. On managed switches, enable DHCPv6 Guard or RA Guard features to block rogue DHCPv6 traffic at layer 2. These mitigations reduce attack surface but do not eliminate the underlying vulnerability; patching remains the primary remediation. For vendors distributing BusyBox-based products, coordinate with customers on firmware update deployment and regression testing, as BusyBox changes can affect system boot and network initialization.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed

Share

CVE-2026-29004 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy