Source: busybox X-Debbugs-CC: [email protected] Severity: important Tags: security
Hi, The following vulnerability was published for busybox. CVE-2026-29004[0]: | BusyBox before commit 42202bf contains a heap buffer overflow | vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option | handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent | attackers to trigger memory corruption by sending a crafted DHCPv6 | response with a malformed D6_OPT_DNS_SERVERS option. Attackers can | exploit incorrect heap buffer allocation calculations in the | option_to_env() function to cause denial of service or achieve | arbitrary code execution on embedded systems without heap hardening. https://git.busybox.net/busybox/commit/archival?id=42202bfb1e6ac51fa995beda8be4d7b654aeee2a https://git.busybox.net/busybox/commit/archival?id=d368f3f7836d1c2484c8f839316e5c93e76d4409 If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-29004 https://www.cve.org/CVERecord?id=CVE-2026-29004 Please adjust the affected versions in the BTS as needed.
