CVE-2026-29004
- Source
- https://cve.org/CVERecord?id=CVE-2026-29004
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29004.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-29004
- Downstream
- Related
- Published
- 2026-05-04T18:05:18.962Z
- Modified
- 2026-05-28T08:04:55.087036Z
- Severity
-
- 7.2 (High) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- BusyBox DHCPv6 Client Heap Buffer Overflow via DNS_SERVERS
- Details
-
BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNSSERVERS option handler in networking/udhcp/d6dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6OPTDNSSERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the optionto_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29004.json", "unresolved_ranges": [ { "extracted_events": [ { "fixed": "42202bfb1e6ac51fa995beda8be4d7b654aeee2a" } ], "source": "AFFECTED_FIELD" } ], "cwe_ids": [ "CWE-122" ], "cna_assigner": "VulnCheck" }- References
-
- https://busybox.net/
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29004.json
- https://nvd.nist.gov/vuln/detail/CVE-2026-29004
- https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers
- https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a
- https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409
- https://y637f9qq2x.com/posts/busybox-dhcpv6-heap-overflow/
Affected packages
Git / github.com/vda-linux/busybox_mirror
Affected versions
Other
0_29alpha2
0_32
0_33
0_34
0_36
0_39
0_40
0_41
0_42
0_43
0_43pre1
0_45
0_46
0_47
0_48
0_49
0_50
0_51
0_52
0_60_0
0_60_1
0_60_2
0_60_3
0_60_4
0_60_5
1_00
1_00_pre1
1_00_pre10
1_00_pre2
1_00_pre3
1_00_pre4
1_00_pre5
1_00_pre6
1_00_pre7
1_00_pre8
1_00_pre9
1_00_rc1
1_00_rc2
1_00_rc3
1_10_0
1_12_0
1_14_0
1_15_0
1_16_0
1_17_0
1_18_0
1_19_0
1_1_0
1_1_1
1_20_0
1_21_0
1_22_0
1_23_0
1_24_0
1_25_0
1_26_0
1_27_0
1_28_0
1_29_0
1_2_0
1_30_0
1_31_0
1_32_0
1_33_0
1_34_0
1_35_0
1_36_0
1_37_0
1_4_0
1_8_0
1_9_0
Database specific
vanir_signatures_modified
"2026-05-28T08:04:55Z"
vanir_signatures
[
{
"target": {
"file": "networking/udhcp/d6_dhcpc.c"
},
"id": "CVE-2026-29004-0abe9a5e",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"104404061497013662324149064247632850690",
"308160726627569603545203631154146952659",
"277438223464040087758205188748608768545",
"793015573884571619813754960096703894",
"329422852195009250767355069284508567523",
"76042511958918376689793361767912376136",
"63389914739850186264261794936578983049",
"263893815115270570080536412219834014606",
"166050399200526730753866396916237338125",
"252981786517708999519373300633408963372",
"112420271584400109273494638818688940115"
]
},
"signature_version": "v1",
"source": "https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a",
"deprecated": false
},
{
"target": {
"file": "networking/udhcp/d6_dhcpc.c",
"function": "option_to_env"
},
"id": "CVE-2026-29004-c5e581e1",
"signature_type": "Function",
"digest": {
"function_hash": "172096019965372411198333436523014313930",
"length": 2486.0
},
"signature_version": "v1",
"source": "https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a",
"deprecated": false
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-29004.json"