CVE-2026-29004
Published: 04 May 2026
Summary
CVE-2026-29004 is a high-severity heap-based buffer overflow (CWE-122) in BusyBox (product attribution inferred from references). This summary lists a CVSS base score of 7.2 (High); note that the CVSS v3.1 vector quoted in the analysis below evaluates to 8.1, so two scores are in circulation for this CVE.
Operationally, exploitation maps to the MITRE ATT&CK technique T1203 (Exploitation for Client Execution). The CVE ranks at the 29.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations identified in this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-29004 is a heap buffer overflow in BusyBox builds prior to commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a. The flaw is in the DHCPv6 client (udhcpc6), specifically the DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c. It arises from an incorrect heap buffer size calculation in option_to_env(), the function that turns received DHCPv6 options into environment-variable strings for the client's script. The issue is classified as CWE-122 and was published on 2026-05-04.
A network-adjacent attacker (for example a rogue DHCPv6 server on the same link) exploits it by sending a crafted DHCPv6 response carrying a malformed D6_OPT_DNS_SERVERS option, corrupting the heap. Exploitation needs low attack complexity, no privileges and no user interaction; the outcome is denial of service, or arbitrary code execution on embedded systems that lack heap hardening. The CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) reflects high integrity and availability impact with no confidentiality impact (the summary above lists 7.2 from a different scoring; the vector shown here computes to 8.1).
Advisories recommend updating to a BusyBox build that includes commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a, as available from the GitHub mirror repository. Further details on the patch and the vulnerability analysis are available from the BusyBox website at https://busybox.net/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers.
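To make the sizing mistake concrete, here is an added C example constructed for this page. It is not BusyBox's networking/udhcp/d6_dhcpc.c and does not reproduce the actual patch; the function names naive_capacity, text_bytes_needed and dns_option_to_env, the "dns=" prefix and the sample option bytes are assumptions. It contrasts sizing the environment string from the option's wire length with sizing it from the worst-case text form of the addresses, and shows the length checks an option_to_env()-style converter needs before it allocates: the option length must fit inside the packet and be a whole multiple of the 16-byte IPv6 address size that DNS_SERVERS (option 23) carries.

```c
/* Constructed example: a DHCPv6 DNS_SERVERS (option 23) option-to-environment
 * converter illustrating the CWE-122 pattern described above (allocating from
 * the wire length while writing the text form) and a hardened version that
 * sizes the buffer from the text form and rejects malformed lengths.
 * Illustrative code only, not BusyBox's d6_dhcpc.c. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define D6_OPT_DNS_SERVERS 23
#define IP6_LEN 16
#define PREFIX "dns="   /* assumed env-variable prefix */

/* Capacity a converter that sizes from the wire length would pick (the bug class):
 * prefix + raw option bytes + NUL. Each 16-byte address can expand to 39 text
 * characters plus a separator, so this is too small for uncompressible addresses. */
size_t naive_capacity(unsigned opt_len)
{
    return strlen(PREFIX) + opt_len + 1;
}

/* Bytes the text form actually needs for n addresses (nothing is written). */
size_t text_bytes_needed(const uint8_t *addrs, size_t n)
{
    size_t total = strlen(PREFIX) + 1;                 /* prefix + NUL */
    for (size_t i = 0; i < n; i++) {
        char txt[INET6_ADDRSTRLEN];
        inet_ntop(AF_INET6, addrs + i * IP6_LEN, txt, sizeof txt);
        total += strlen(txt) + (i ? 1 : 0);            /* address + separator */
    }
    return total;
}

/* Hardened converter: parses one option (code, length, payload) from 'avail'
 * bytes and returns a malloc'd "dns=a b c" string, or NULL if the option is
 * malformed. The caller frees the result. */
char *dns_option_to_env(const uint8_t *opt, size_t avail)
{
    if (avail < 4) return NULL;                         /* no room for the header */
    unsigned code = ((unsigned)opt[0] << 8) | opt[1];
    unsigned len  = ((unsigned)opt[2] << 8) | opt[3];
    if (code != D6_OPT_DNS_SERVERS) return NULL;
    if (len > avail - 4) return NULL;                   /* claims more than the packet holds */
    if (len == 0 || len % IP6_LEN != 0) return NULL;    /* must be whole 16-byte addresses */
    size_t n   = len / IP6_LEN;
    size_t cap = strlen(PREFIX) + n * INET6_ADDRSTRLEN + 1; /* worst-case text size, not wire size */
    char *env = malloc(cap);
    if (!env) return NULL;
    size_t pos = (size_t)snprintf(env, cap, PREFIX);
    for (size_t i = 0; i < n; i++) {
        char txt[INET6_ADDRSTRLEN];
        if (!inet_ntop(AF_INET6, opt + 4 + i * IP6_LEN, txt, sizeof txt)) { free(env); return NULL; }
        int w = snprintf(env + pos, cap - pos, "%s%s", i ? " " : "", txt);
        if (w < 0 || (size_t)w >= cap - pos) { free(env); return NULL; } /* bounded even if sizing were wrong */
        pos += (size_t)w;
    }
    return env;
}

/* Constructed sample: code 23, length 32, two uncompressible addresses
 * (2001:db8:1111:2222:3333:4444:5555:6666 and 2001:db8:aaaa:bbbb:cccc:dddd:eeee:ffff). */
static const uint8_t sample_opt[] = {
    0x00, 0x17, 0x00, 0x20,
    0x20,0x01,0x0d,0xb8,0x11,0x11,0x22,0x22,0x33,0x33,0x44,0x44,0x55,0x55,0x66,0x66,
    0x20,0x01,0x0d,0xb8,0xaa,0xaa,0xbb,0xbb,0xcc,0xcc,0xdd,0xdd,0xee,0xee,0xff,0xff,
};

/* Constructed malformed sample: length 17 is not a multiple of 16. */
static const uint8_t sample_bad_len[] = {
    0x00, 0x17, 0x00, 0x11,
    0x20,0x01,0x0d,0xb8,0,0,0,0, 0,0,0,0, 0,0,0,0x01, 0x00,
};

int main(void)
{
    printf("wire-length capacity: %zu, text bytes needed: %zu\n",
           naive_capacity(32), text_bytes_needed(sample_opt + 4, 2));
    char *env = dns_option_to_env(sample_opt, sizeof sample_opt);
    printf("%s\n", env ? env : "(rejected)");
    free(env);
    printf("malformed length accepted: %s\n",
           dns_option_to_env(sample_bad_len, sizeof sample_bad_len) ? "yes" : "no");
    return 0;
}
```

The point of naive_capacity versus text_bytes_needed is that a 32-byte option can legitimately expand to over 80 bytes of text, so any allocation derived from the wire length under-sizes the heap buffer; the hardened function both sizes from the text form and keeps every write bounded with snprintf, so a future sizing mistake degrades to a rejected option rather than a heap overflow.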
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27043
Vulnerability details
BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.
- CWE(s): CWE-122 (Heap-based Buffer Overflow)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap buffer overflow in the DHCPv6 client enables code execution via crafted responses from the adjacent network (T1203 Exploitation for Client Execution) and denial of service via memory corruption (T1499.004 Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
- Timely remediation of the heap buffer overflow in BusyBox udhcpc6 by applying the fixing commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a, or moving to a release that contains it.
- SI-16 (Memory Protection): memory protections such as heap hardening, which make the overflow much harder to turn into code execution; note that a hardened allocator that detects the corruption will typically abort the client, so denial of service remains possible until the fix is applied.
- SI-10 (Information Input Validation): validation of the DHCPv6 DNS_SERVERS option before the heap buffer is sized in option_to_env(), in particular that the option length fits within the received packet and is a whole multiple of the 16-byte IPv6 address size, so malformed data cannot drive an incorrect allocation.