VYPR
High severity 7.5 · NVD Advisory · Published Jun 3, 2026 · Updated Jun 3, 2026

CVE-2026-50031

Description

ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The ipmi-oem client command has exploitable stack buffer overflows when processing response messages from specific IPMI OEM subcommands."

Attack vector

An attacker with network access to the IPMI interface can send a crafted response message to the `ipmi-oem` client. This response can contain a larger data length than expected, causing a buffer overflow when the client copies the data into a fixed-size buffer. This vulnerability affects the `ipmi-oem dell get-active-directory-config` and `ipmi-oem fujitsu get-sel-entry-long-text` subcommands [ref_id=1, ref_id=2].

Affected code

The vulnerabilities are located in the `ipmi-oem` component of FreeIPMI. Specifically, the `ipmi_oem_fujitsu_get_sel_entry_long_text` function in `ipmi-oem/ipmi-oem-fujitsu.c` and the `ipmi_oem_dell_get_active_directory_config` function in `ipmi-oem/ipmi-oem-dell.c` are affected [ref_id=1, ref_id=2].

What the fix does

The patch for the Fujitsu subcommand adds a check to ensure that the `data_length` does not exceed `IPMI_OEM_FUJITSU_SEL_ENTRY_LONG_TEXT_MAX_DATA_LENGTH` before copying data, effectively truncating oversized responses [ref_id=1]. The patch for the Dell subcommand changes the size of the `token_data` buffer to `IPMI_OEM_DELL_TOKEN_DATA_MAX`, which is intended to match the maximum expected data read, preventing overflows from oversized responses [ref_id=2].
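The two remediation patterns described above (clamp the response-supplied length before copying, and size the destination from the same constant that bounds the copy), as an added example that is not FreeIPMI's code or the actual patch. The response layout, `EXAMPLE_MAX_DATA_LENGTH`, `struct example_text` and `example_copy_response` are hypothetical names and values constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limit and layout, constructed for this example (not FreeIPMI's values). */
#define EXAMPLE_MAX_DATA_LENGTH 32
#define EXAMPLE_HEADER_LEN 2 /* byte 0: completion code, byte 1: data_length */

/* Destination sized from the same constant that bounds the copy. */
struct example_text {
  uint8_t data[EXAMPLE_MAX_DATA_LENGTH];
  size_t len;
  int truncated;
};

/* Copy one response payload into out; returns -1 if too short to hold a header.
 * data_length is supplied by the remote end, so it is clamped to the bytes
 * actually received and to the destination size before the memcpy. */
int example_copy_response(const uint8_t *rs, size_t rs_len, struct example_text *out)
{
  size_t data_length;
  if (!rs || !out || rs_len < EXAMPLE_HEADER_LEN)
    return -1;
  memset(out, 0, sizeof(*out));
  data_length = rs[1];

  if (data_length > rs_len - EXAMPLE_HEADER_LEN) { /* never read past the response */
    data_length = rs_len - EXAMPLE_HEADER_LEN;
    out->truncated = 1;
  }
  if (data_length > EXAMPLE_MAX_DATA_LENGTH) { /* never write past the buffer */
    data_length = EXAMPLE_MAX_DATA_LENGTH;
    out->truncated = 1;
  }
  memcpy(out->data, rs + EXAMPLE_HEADER_LEN, data_length);
  out->len = data_length;
  return 0;
}

int main(void)
{
  /* Constructed response: claims 10 data bytes but carries only 3. */
  const uint8_t rs[] = { 0x00, 10, 'a', 'b', 'c' };
  struct example_text t;
  if (example_copy_response(rs, sizeof(rs), &t) == 0)
    printf("copied %zu bytes, truncated=%d\n", t.len, t.truncated);
  return 0;
}
```

The `truncated` flag lets the caller report a malformed or oversized response instead of silently displaying partial data.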

Preconditions

  • network: Network access to the IPMI interface.
  • input: A crafted IPMI OEM response message.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
