CVE-2026-50031 (HIGH), CNA: mitre

CVE-2026-50031: ipmi-oem in FreeIPMI before 1

ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 1.6.18
Affected Products: 1


HarborGuard Analysis

Synopsis

Stack-based buffer overflow in the ipmi-oem client command of FreeIPMI before version 1.6.18. The vulnerability is reachable over the network without authentication, triggered when ipmi-oem processes a crafted IPMI response message from a malicious or compromised server. Successful exploitation causes a denial of service by crashing the affected client process. A patched-image rebuild at version 1.6.18 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle FreeIPMI. Any image containing FreeIPMI versions 0.7.12 through 1.6.17 is flagged automatically.
Triage: Available

HarborGuard scores this CVE at 7.5 HIGH using the CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are delivered to the inbox or ticketing integration configured for the relevant team within each customer organization.
Patch: Available

A patched-image rebuild at FreeIPMI 1.6.18 becomes available on HarborGuard for every image found to contain an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression suite against the updated image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The ipmi-oem client must connect to a reachable IPMI server over the network; a malicious or compromised server endpoint delivers the crafted response that triggers the overflow.

  • Authentication: Not required

    No authentication is required on the attacker's side; the vulnerability is triggered by a server response, so any server the client contacts can serve the malicious payload.

  • Victim interaction: Not required

    No victim interaction beyond normal use is required; the overflow fires when ipmi-oem processes the server's response during a routine OEM command call.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors beyond the client connecting to a controlled server.

Blast Radius

  • Crashes the ipmi-oem client process, interrupting any in-progress OEM management operation such as Active Directory config retrieval or SEL log access.
  • Repeated exploitation causes persistent denial of service for administrators relying on ipmi-oem for hardware management tasks on Dell or Fujitsu systems.
  • No confidentiality or integrity impact is indicated; the attacker cannot read data or modify system state through this vulnerability alone.

How HarborGuard Handles This

Available on HarborGuard: images containing FreeIPMI versions 0.7.12 through 1.6.17 are matched against this CVE within minutes of publication and surfaced in the findings dashboard with a HIGH severity rating. A rebuilt image at FreeIPMI 1.6.18 is available for any affected image detected in customer registries or pipelines. For customers with auto-remediation enabled, HarborGuard rebuilds the image, executes a regression run, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes. Where compliance policy or environment constraints prevent auto-remediation, the finding is routed to the configured team inbox with remediation guidance pointing to the 1.6.18 upgrade.


Fix available: 1.6.18

Affected packages
  • FreeIPMI / FreeIPMI
    < 1.6.18 (from 0.7.12)
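
A check for the affected range listed above, run over a package inventory. This is an added example, not HarborGuard's matching logic; the inventory format ("name version" per line) and the sample package lines are constructed for illustration.

```python
import re

# Range from this page: affected from 0.7.12 up to, but not including, 1.6.18.
FIRST_AFFECTED = (0, 7, 12)
FIRST_FIXED = (1, 6, 18)

def upstream_tuple(version):
    """Reduce a package version to its numeric upstream part.

    A Debian-style epoch ("1:") is dropped and anything after the leading
    dotted integers (such as "-1ubuntu1") is ignored.
    """
    core = version.split(":", 1)[-1]
    m = re.match(r"\d+(?:\.\d+)*", core)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(version):
    # Numeric comparison is required: as strings, "1.6.9" sorts after "1.6.18".
    # Caveat: this compares upstream versions only and cannot see a fix that
    # a distribution backported into an older version number.
    return FIRST_AFFECTED <= upstream_tuple(version) < FIRST_FIXED

def scan(inventory):
    """Return (package, version) pairs for FreeIPMI packages in the range."""
    hits = []
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) == 2 and "freeipmi" in fields[0].lower():
            if is_affected(fields[1]):
                hits.append((fields[0], fields[1]))
    return hits

# Constructed sample inventory, one "name version" pair per line.
SAMPLE = """\
freeipmi-tools 1.6.9-2
libfreeipmi17 1.6.18-1
freeipmi-common 1:1.6.17
openipmi 2.0.32-1
freeipmi-tools 0.7.11
"""

if __name__ == "__main__":
    for name, ver in scan(SAMPLE):
        print(f"AFFECTED {name} {ver}")
```
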
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H