CVE-2026-33554
Published: 24 March 2026
Summary
CVE-2026-33554 is a high-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Gnu (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33554 is a stack-based buffer overflow vulnerability (CWE-121) in the ipmi-oem client command of FreeIPMI versions prior to 1.16.17. FreeIPMI implements IPMI interfaces for platform management, commonly used for tasks like sensor reading and remote power control. The issue affects three specific subcommands: "ipmi-oem dell get-last-post-code" for retrieving the last POST code on Dell servers, "ipmi-oem supermicro extra-firmware-info" for extra firmware info on Supermicro servers, and "ipmi-oem wistron read-proprietary-string" for reading proprietary strings on Wistron servers. These subcommands trigger exploitable buffer overflows when processing response messages from IPMI servers.
The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over the network with low complexity, no privileges or user interaction required. Remote unauthenticated attackers who control or compromise an IPMI service (such as a Baseboard Management Controller) can craft malicious response messages. When a victim runs one of the affected ipmi-oem subcommands against the attacker's server, the client processes the response and suffers a buffer overflow, resulting in denial of service through application crash or potential code execution, though impact is limited to availability.
Mitigation is addressed in FreeIPMI 1.16.17, available via the project's GNU FTP mirror. The upstream bug trackers on Savannah.gnu.org document the fixes in reports #68140, #68141, and #68142, each corresponding to one of the affected subcommands. Security practitioners should update FreeIPMI to version 1.16.17 or later and audit usage of these OEM subcommands against untrusted IPMI endpoints.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-14899
Vulnerability details
ipmi-oem in FreeIPMI before 1.6.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system…
more
management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: "ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers," "ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers," and "ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers."
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack-based buffer overflow in FreeIPMI client (ipmi-oem) triggered by malicious IPMI server responses enables adversaries to exploit client software for code execution or DoS when a victim connects to an attacker-controlled endpoint.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the buffer overflow flaw in FreeIPMI by requiring timely identification, reporting, and patching to version 1.16.17 or later.
Requires validation of response messages from IPMI servers to prevent stack-based buffer overflows when processing untrusted inputs in affected ipmi-oem subcommands.
Implements memory protections like ASLR and DEP to mitigate exploitation of the buffer overflow for denial of service or potential code execution.