CVE-2026-29004
CWE-122Published: May 4, 2026· Updated: May 6, 2026
Official Description
BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a malformed D6_OPT_DNS_SERVERS option. Attackers can exploit incorrect heap buffer allocation calculations in the option_to_env() function to cause denial of service or achieve arbitrary code execution on embedded systems without heap hardening.
Technical Analysis
CVE-2026-29004 requires adjacent network access, limiting remote exploitation but still posing risk in shared or local network environments.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
A successful exploit results in full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 8.1.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (5)
Quick Facts
Related CVEs (CWE-122)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-29004 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts