Description
ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: "ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers," "ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers," and "ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers."
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability involves unbounded buffer copies on response messages in the ipmi-oem client of FreeIPMI. A maliciously crafted response from an IPMI server can overflow internal buffers when the client processes subcommands such as "ipmi-oem dell get-last-post-code", "ipmi-oem supermicro extra-firmware-info" or "ipmi-oem wistron read-proprietary-string". The overflow can corrupt memory, potentially allowing arbitrary code execution or denial‑of‑service on the host running the client. This weakness maps to CWE‑120 and CWE‑121.

Affected Systems

All installations of FreeIPMI version 1.16.16 or earlier that use the ipmi-oem client against supportedhardware are affected. The issue manifests when interacting with Dell, Supermicro or Wistron servers that support the specific OEM subcommands described. The affected products are the FreeIPMI suite on any operating system that can execute the ipmi-oem command.

Risk and Exploitability

The CVSS v3 score of 7.5 indicates significant impact, while the EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to have network access to the IPMI interface and the ability to trigger the ipmi-oem commands, or a local user with sufficient privileges to run the client. The likely attack vector is remote, using crafted IPMI packets sent to a server that forwards responses back to the client, which then overflows its buffers.

Generated by OpenCVE AI on March 25, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeIPMI to version 1.16.17 or newer.
  • If an upgrade cannot be performed immediately, restrict use of the ipmi‑oem command or prevent execution of the vulnerable subcommands on affected systems.
  • Verify that only trusted users have permissions to run ipmi‑oem; consider disabling unnecessary IPMI OEM commands via host or firmware settings if possible.
  • Monitor for signs of memory corruption or unexpected process crashes in systems running the ipmi‑oem utility.

Generated by OpenCVE AI on March 25, 2026 at 01:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Gnu
Gnu freeipmi
Vendors & Products Gnu
Gnu freeipmi

Wed, 25 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Title freeipmi: buffer overflows on response messages via ipmi-oem
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 24 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-121
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: "ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers," "ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers," and "ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers."
References

Subscriptions

Gnu Freeipmi
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-24T18:50:48.586Z

Reserved: 2026-03-22T00:00:00.000Z

Link: CVE-2026-33554

cve-icon Vulnrichment

Updated: 2026-03-24T18:50:44.689Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-24T15:16:35.743

Modified: 2026-03-24T20:16:30.357

Link: CVE-2026-33554

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-24T00:00:00Z

Links: CVE-2026-33554 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:40:50Z

Weaknesses