{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dhcpv6/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-29004"}],"_cs_exploited":false,"_cs_products":["BusyBox"],"_cs_severities":["critical"],"_cs_tags":["heap-overflow","dhcpv6","busybox","cve-2026-29004","denial-of-service"],"_cs_type":"advisory","_cs_vendors":["BusyBox"],"content_html":"\u003cp\u003eCVE-2026-29004 is a critical heap buffer overflow vulnerability affecting BusyBox before commit 42202bf. The vulnerability resides in the DHCPv6 client (udhcpc6), specifically within the DNS_SERVERS option handler located in networking/udhcp/d6_dhcpc.c. A network-adjacent attacker can exploit this flaw by sending a malicious DHCPv6 response containing a malformed D6_OPT_DNS_SERVERS option. This manipulation leads to incorrect heap buffer allocation calculations in the option_to_env() function, causing memory corruption. Successful exploitation can result in a denial of service or, more severely, arbitrary code execution on vulnerable embedded systems lacking heap hardening. The scope of impact is potentially broad, given BusyBox\u0026rsquo;s widespread use in embedded devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a target embedded system running a vulnerable version of BusyBox with the DHCPv6 client enabled.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DHCPv6 response packet.\u003c/li\u003e\n\u003cli\u003eThe crafted packet includes a D6_OPT_DNS_SERVERS option with a size that exceeds the expected buffer allocation.\u003c/li\u003e\n\u003cli\u003eThe attacker transmits the crafted DHCPv6 response packet to the target system on the local network.\u003c/li\u003e\n\u003cli\u003eThe target system\u0026rsquo;s udhcpc6 client receives the malicious DHCPv6 response.\u003c/li\u003e\n\u003cli\u003eThe udhcpc6 client processes the D6_OPT_DNS_SERVERS option, triggering the vulnerable option_to_env() function.\u003c/li\u003e\n\u003cli\u003eThe option_to_env() function calculates an insufficient buffer size based on the malformed option.\u003c/li\u003e\n\u003cli\u003eA heap buffer overflow occurs when copying the oversized DNS server list, leading to memory corruption, denial-of-service, or arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-29004 can have severe consequences. A denial-of-service condition could disrupt the functionality of the affected embedded system. More critically, arbitrary code execution allows attackers to gain complete control over the device, potentially leading to data theft, device compromise, or use in botnet activities. Given BusyBox\u0026rsquo;s prevalence in embedded systems, a large number of devices are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch addressing CVE-2026-29004 by updating to a version of BusyBox after commit 42202bf.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious DHCPv6 DNS Server Option Size\u0026rdquo; to identify potentially malicious DHCPv6 responses in network traffic.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusually large DHCPv6 DNS_SERVERS options as indicated by the Sigma rule and network connection logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T18:16:26Z","date_published":"2026-05-04T18:16:26Z","id":"/briefs/2026-05-busybox-dhcpv6-overflow/","summary":"A heap buffer overflow vulnerability in BusyBox's DHCPv6 client allows network-adjacent attackers to trigger memory corruption, denial of service, or arbitrary code execution via crafted DHCPv6 responses.","title":"BusyBox DHCPv6 Client Heap Buffer Overflow Vulnerability (CVE-2026-29004)","url":"https://feed.craftedsignal.io/briefs/2026-05-busybox-dhcpv6-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — Dhcpv6","version":"https://jsonfeed.org/version/1.1"}