CVE-2026-29004

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.1 / 10

Vector String

                                        CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H                                    

Vulnerability Description

BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.

Vulnerability Details

Published Date

May 04, 2026

Last Modified

May 06, 2026

CWE ID

CWE-122

Source

NVD

Vendor

vda-linux

Product

busybox_mirror

External References

https://busybox.net/
https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a
https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409
https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers

CVE-2026-29004

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment