Cyber Resilience

CVE-2026-29004

Tags: High · Public PoC · Updated · Patch

Published: 04 May 2026
Modified: 30 June 2026
KEV added: not listed
CVSS v4 score: 7.2 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0037 (29.5th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-29004 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in BusyBox (product inferred from references). Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 29.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-29004 is a heap buffer overflow vulnerability in BusyBox versions prior to commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a. The flaw affects the DHCPv6 client component (udhcpc6), specifically the DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c. It arises from incorrect heap buffer allocation calculations in the option_to_env() function, classified under CWE-122, and was published on 2026-05-04.

Network-adjacent attackers can exploit the vulnerability by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option, triggering memory corruption. Exploitation requires low complexity, no privileges, and no user interaction, enabling denial of service or arbitrary code execution on vulnerable embedded systems without heap hardening. The CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) reflects high impacts on integrity and availability.

Advisories recommend updating to a BusyBox version that includes commit 42202bfb1e6ac51fa995beda8be4d7b654aeee2a or later, as provided in the GitHub mirror repository. Further details on the patch and the vulnerability analysis are available from the BusyBox website at https://busybox.net/ and the VulnCheck advisory at https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers.

Vulnerability details

BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.

CWE(s): CWE-122 Heap-based Buffer Overflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
- T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Heap buffer overflow in DHCPv6 client enables RCE via crafted adjacent-network responses (T1203 Exploitation for Client Execution) and DoS via memory corruption (T1499.004 Application or System Exploitation).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-40363 (shared CWE-122)
- CVE-2025-59295 (shared CWE-122)
- CVE-2025-21266 (shared CWE-122)
- CVE-2026-25713 (shared CWE-122)
- CVE-2025-0755 (shared CWE-122)
- CVE-2026-7378 (shared CWE-122)
- CVE-2026-5272 (shared CWE-122)
- CVE-2026-8509 (shared CWE-122)
- CVE-2025-21171 (shared CWE-122)
- CVE-2026-23530 (shared CWE-122)

Affected Assets

BusyBox (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- Prevent: Directly requires timely remediation of the heap buffer overflow flaw in BusyBox udhcpc6 by applying the fixing commit 42202bfb.
- Prevent (SI-16 Memory Protection): Implements memory protections such as heap hardening to prevent exploitation of the heap buffer overflow for code execution or denial of service.
- Prevent (SI-10 Information Input Validation): Mandates validation of DHCPv6 DNS_SERVERS option inputs to prevent malformed data from triggering incorrect heap buffer allocation in option_to_env().
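The allocation-size defect in option_to_env() described under "Deeper analysis" and the SI-10 input-validation control above come down to the same rule: derive the heap buffer size only from an option length that has already been checked. The following is an added illustration written for this page, not BusyBox's code or its patch; the option layout follows RFC 8415 (2-byte code, 2-byte length) and RFC 3646 (OPTION_DNS_SERVERS = 23, a list of 16-byte addresses), and the env-string format and sample options are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Illustrative only, not BusyBox's option_to_env(): validate a DHCPv6
 * OPTION_DNS_SERVERS body (code 23, RFC 3646) before sizing a heap buffer. */
#define D6_OPT_DNS_SERVERS 23
#define IPV6_ADDR_LEN 16
#define IPV6_STR_MAX 39 /* "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff" */
/* Returns the number of 16-byte addresses carried, or -1 if the option is malformed.
 * opt points at the 4-byte option header; remaining is the bytes left in the packet. */
int validate_dns_servers_option(const uint8_t *opt, size_t remaining)
{
    if (remaining < 4) return -1;                         /* no room for a header */
    unsigned code = ((unsigned)opt[0] << 8) | opt[1];
    unsigned len  = ((unsigned)opt[2] << 8) | opt[3];
    if (code != D6_OPT_DNS_SERVERS) return -1;
    if (len > remaining - 4) return -1;                   /* body runs past the packet */
    if (len == 0 || len % IPV6_ADDR_LEN != 0) return -1;  /* only whole addresses */
    return (int)(len / IPV6_ADDR_LEN);
}
/* Builds "dns=<addr1> <addr2>..." with the allocation derived from the validated
 * count, so the formatted text can never outrun the buffer. NULL on bad input; caller frees. */
char *dns_servers_to_env(const uint8_t *opt, size_t remaining)
{
    int n = validate_dns_servers_option(opt, remaining);
    if (n < 0) return NULL;
    size_t need = strlen("dns=") + (size_t)n * (IPV6_STR_MAX + 1) + 1;
    char *buf = malloc(need);
    if (!buf) return NULL;
    size_t pos = (size_t)snprintf(buf, need, "dns=");
    const uint8_t *a = opt + 4;
    for (int i = 0; i < n; i++, a += IPV6_ADDR_LEN) {
        if (i) pos += (size_t)snprintf(buf + pos, need - pos, " ");
        for (int g = 0; g < 8; g++)                       /* 8 hex groups per address */
            pos += (size_t)snprintf(buf + pos, need - pos, "%s%x",
                                    g ? ":" : "", (unsigned)((a[2 * g] << 8) | a[2 * g + 1]));
    }
    return buf;
}
/* Constructed sample options (not captured traffic): */
static const uint8_t good_opt[] = {                       /* two addresses, len 32 */
    0x00, 23, 0x00, 32,
    0x20, 0x01, 0x0d, 0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01,
    0x20, 0x01, 0x0d, 0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x53 };
static const uint8_t short_opt[] = { 0x00, 23, 0x00, 17,  /* len 17: not a whole address */
    0x20, 0x01, 0x0d, 0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01, 0xff };
static const uint8_t truncated_opt[] = { 0x00, 23, 0x00, 32, /* claims 32 bytes, carries 16 */
    0x20, 0x01, 0x0d, 0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,0x01 };
```

The two rejected samples show the two failure modes a length check must cover: a body that is not a whole number of addresses, and a declared length that exceeds what the packet actually carries.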
