CVE-2026-29004
Published: May 7, 2026
Last modified: May 13, 2026
Description
BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.1 |
| Attack vector | ADJACENT_NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality impact | NONE |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | busybox | Fixed (1.35.0-r40) |
| Alpaquita Linux | 25 LTS | busybox | Fixed (1.37.0-r27) |
| Alpaquita Linux | Stream | busybox | Fixed (1.37.0-r37) |
| Hardened Containers | 23 LTS | busybox | Fixed (1.35.0-r40) |
| Hardened Containers | 25 LTS | busybox | Fixed (1.37.0-r27) |
| Hardened Containers | Stream | busybox | Fixed (1.37.0-r37) |
References
- https://busybox.net/
- https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a
- https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409
- https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers
- https://y637f9qq2x.com/posts/busybox-dhcpv6-heap-overflow/