Busybox — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/busybox/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 04 May 2026 18:16:26 +0000BusyBox DHCPv6 Client Heap Buffer Overflow Vulnerability (CVE-2026-29004)https://feed.craftedsignal.io/briefs/2026-05-busybox-dhcpv6-overflow/Mon, 04 May 2026 18:16:26 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-busybox-dhcpv6-overflow/A heap buffer overflow vulnerability in BusyBox's DHCPv6 client allows network-adjacent attackers to trigger memory corruption, denial of service, or arbitrary code execution via crafted DHCPv6 responses.CVE-2026-29004 is a critical heap buffer overflow vulnerability affecting BusyBox before commit 42202bf. The vulnerability resides in the DHCPv6 client (udhcpc6), specifically within the DNS_SERVERS option handler located in networking/udhcp/d6_dhcpc.c. A network-adjacent attacker can exploit this flaw by sending a malicious DHCPv6 response containing a malformed D6_OPT_DNS_SERVERS option. This manipulation leads to incorrect heap buffer allocation calculations in the option_to_env() function, causing memory corruption. Successful exploitation can result in a denial of service or, more severely, arbitrary code execution on vulnerable embedded systems lacking heap hardening. The scope of impact is potentially broad, given BusyBox’s widespread use in embedded devices.

Attack Chain

  1. Attacker identifies a target embedded system running a vulnerable version of BusyBox with the DHCPv6 client enabled.
  2. The attacker crafts a malicious DHCPv6 response packet.
  3. The crafted packet includes a D6_OPT_DNS_SERVERS option with a size that exceeds the expected buffer allocation.
  4. The attacker transmits the crafted DHCPv6 response packet to the target system on the local network.
  5. The target system’s udhcpc6 client receives the malicious DHCPv6 response.
  6. The udhcpc6 client processes the D6_OPT_DNS_SERVERS option, triggering the vulnerable option_to_env() function.
  7. The option_to_env() function calculates an insufficient buffer size based on the malformed option.
  8. A heap buffer overflow occurs when copying the oversized DNS server list, leading to memory corruption, denial-of-service, or arbitrary code execution.

Impact

Successful exploitation of CVE-2026-29004 can have severe consequences. A denial-of-service condition could disrupt the functionality of the affected embedded system. More critically, arbitrary code execution allows attackers to gain complete control over the device, potentially leading to data theft, device compromise, or use in botnet activities. Given BusyBox’s prevalence in embedded systems, a large number of devices are potentially vulnerable.

Recommendation

  • Apply the patch addressing CVE-2026-29004 by updating to a version of BusyBox after commit 42202bf.
  • Deploy the Sigma rule “Detect Suspicious DHCPv6 DNS Server Option Size” to identify potentially malicious DHCPv6 responses in network traffic.
  • Monitor network traffic for unusually large DHCPv6 DNS_SERVERS options as indicated by the Sigma rule and network connection logs.
]]>criticaladvisoryheap-overflowdhcpv6busyboxcve-2026-29004denial-of-service