Home / Vulnerability Intelligence / CVE-2026-29004

CVE-2026-29004 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: May 4, 2026

BusyBox - Buffer Overflow

Published: May 4, 2026Updated: May 4, 2026

Overview

BusyBox before commit 42202bf contains a heap buffer overflow caused by incorrect heap buffer allocation in DHCPv6 client DNS_SERVERS option handler, letting network-adjacent attackers cause denial of service or remote code execution, exploit requires crafted DHCPv6 response.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Network-adjacent attackers can cause denial of service or execute arbitrary code, potentially compromising embedded systems.

Mitigation

Update BusyBox to the version including commit 42202bf or later.

References

https://busybox.net/
https://github.com/vda-linux/busybox_mirror/commit/42202bfb1e6ac51fa995beda8be4d7b654aeee2a
https://github.com/vda-linux/busybox_mirror/commit/d368f3f7836d1c2484c8f839316e5c93e76d4409
https://www.vulncheck.com/advisories/busybox-dhcpv6-client-heap-buffer-overflow-via-dns-servers

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-29004
Severity: High
CVSS Score: 8.1
Type: buffer_overflow
Status: new

CWE

CWE-122

CVSS Metrics

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H