PT-2026-36890 · Busybox · Busybox

Vulncheck · Published 2026-05-04 · Updated 2026-05-15 · CVE-2026-29004

CVSS v3.1: 8.1 High

Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions

BusyBox versions prior to commit 42202bf

Description

A heap buffer overflow exists in the DHCPv6 client (udhcpc6) DNS SERVERS option handler within the networking/udhcp/d6_dhcpc.c file. Network-adjacent attackers can trigger memory corruption by sending a crafted DHCPv6 response containing a malformed D6_OPT_DNS_SERVERS option. This is possible due to incorrect heap buffer allocation calculations in the option_to_env() function, which may lead to denial of service or arbitrary code execution on embedded systems that lack heap hardening.

Recommendations

Update to the version containing commit 42202bf.

Exploit · Fix · DoS · Heap Based Buffer Overflow

Weakness Enumeration

Related Identifiers

CVE-2026-29004
OESA-2026-2357
OPENSUSE-SU-2026:10740-1

Affected Products

Busybox