Description
ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages.
Published: 2026-06-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ipmi-oem client in FreeIPMI before version 1.6.18 contains exploitable buffer overflows on response messages. The flaw occurs when processing response messages, enabling an attacker to corrupt memory and cause a crash, resulting in denial of service. The two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages. This compromises the availability of the system running the client.

Affected Systems

All installations of FreeIPMI version 1.6.17 or earlier that use the ipmi-oem command, particularly the Dell "get-active-directory-config" and Fujitsu "get-sel-entry-long-text" subcommands, are affected. The vulnerability applies to any hardware supporting the IPMI specification and configured to answer these OEM requests.

Risk and Exploitability

The CVSS score of 7.5 classifies the flaw as high severity, and the attack requires the attacker to supply a crafted IPMI response, typically by controlling the target's IPMI interface. The EPSS score is not available and KEV does not list this vulnerability, but the nature of the buffer overflow and high CVSS still suggest a substantial exploitation risk in environments where IPMI access is not tightly controlled, primarily resulting in denial of service.

Generated by OpenCVE AI on June 3, 2026 at 13:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeIPMI to version 1.6.18 or later, which addresses the buffer overflow flaw.
  • If an upgrade is not immediately possible, disable or restrict the vulnerable ipmi-oem subcommands by configuring IPMI access controls or using firewall rules to block unwanted OEM traffic.
  • Ensure that all management controllers and firmware are kept current and audit IPMI access permissions to limit the potential attacker’s ability to send crafted responses.

Generated by OpenCVE AI on June 3, 2026 at 13:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Freeipmi
Freeipmi freeipmi
Vendors & Products Freeipmi
Freeipmi freeipmi

Wed, 03 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Buffer Overflow in FreeIPMI ipmi‑oem Commands Allowing Remote Code Execution freeipmi: FreeIPMI: Denial of service via buffer overflow in ipmi-oem client
Weaknesses CWE-120
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 03 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description ipmi-oem in FreeIPMI before 1.16.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages. ipmi-oem in FreeIPMI before 1.6.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages.
Title Buffer Overflow in FreeIPMI ipmi‑oem Commands Allowing Remote Code Execution

Wed, 03 Jun 2026 04:00:00 +0000

Type Values Removed Values Added
Description ipmi-oem in FreeIPMI before 1.16.18 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Two subcommands "ipmi-oem dell get-active-directory-config" and "ipmi-oem fujitsu get-sel-entry-long-text" were found to have exploitable buffer overflows on response messages.
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Freeipmi Freeipmi
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-03T13:40:53.788Z

Reserved: 2026-06-03T03:07:24.985Z

Link: CVE-2026-50031

cve-icon Vulnrichment

Updated: 2026-06-03T13:40:47.780Z

cve-icon NVD

Status : Received

Published: 2026-06-03T04:17:07.330

Modified: 2026-06-03T06:16:34.957

Link: CVE-2026-50031

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-03T03:07:25Z

Links: CVE-2026-50031 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T14:00:21Z

Weaknesses