{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-33554", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-24T18:50:48.586Z", "dateReserved": "2026-03-22T00:00:00.000Z", "datePublished": "2026-03-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-24T14:05:40.956Z"}, "descriptions": [{"lang": "en", "value": "ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: \"ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers,\" \"ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers,\" and \"ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers.\""}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://savannah.gnu.org/bugs/?68140"}, {"url": "https://savannah.gnu.org/bugs/?68141"}, {"url": "https://savannah.gnu.org/bugs/?68142"}, {"url": "https://ftp.gnu.org/gnu/freeipmi/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-121", "lang": "en", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-24T18:50:27.676350Z", "id": "CVE-2026-33554", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:50:48.586Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-33554", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-24T18:50:27.676350Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121 Stack-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-24T18:50:44.689Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://savannah.gnu.org/bugs/?68140"}, {"url": "https://savannah.gnu.org/bugs/?68141"}, {"url": "https://savannah.gnu.org/bugs/?68142"}, {"url": "https://ftp.gnu.org/gnu/freeipmi/"}], "descriptions": [{"lang": "en", "value": "ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: \"ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers,\" \"ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers,\" and \"ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers.\""}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-24T14:05:40.956Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33554", "state": "PUBLISHED", "dateUpdated": "2026-03-24T18:50:48.586Z", "dateReserved": "2026-03-22T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-03-24T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ipmi-oem in FreeIPMI before 1.16.17 has exploitable buffer overflows on response messages. The Intelligent Platform Management Interface (IPMI) specification defines a set of interfaces for platform management. It is implemented by a large number of hardware manufacturers to support system management. It is most commonly used for sensor reading (e.g., CPU temperatures through the ipmi-sensors command within FreeIPMI) and remote power control (the ipmipower command). The ipmi-oem client command implements a set of a IPMI OEM commands for specific hardware vendors. If a user has supported hardware, they may wish to use the ipmi-oem command to send a request to a server to retrieve specific information. Three subcommands were found to have exploitable buffer overflows on response messages. They are: \"ipmi-oem dell get-last-post-code - get the last POST code and string describing the error on some Dell servers,\" \"ipmi-oem supermicro extra-firmware-info - get extra firmware info on Supermicro servers,\" and \"ipmi-oem wistron read-proprietary-string - read a proprietary string on Wistron servers.\""}, {"lang": "es", "value": "ipmi-oem en FreeIPMI anterior a 1.16.17 tiene desbordamientos de b\u00fafer explotables en mensajes de respuesta. La especificaci\u00f3n de la Interfaz de Gesti\u00f3n de Plataforma Inteligente (IPMI) define un conjunto de interfaces para la gesti\u00f3n de plataformas. Es implementada por un gran n\u00famero de fabricantes de hardware para soportar la gesti\u00f3n del sistema. Se utiliza m\u00e1s com\u00fanmente para la lectura de sensores (por ejemplo, temperaturas de CPU a trav\u00e9s del comando ipmi-sensors dentro de FreeIPMI) y el control remoto de energ\u00eda (el comando ipmipower). El comando cliente ipmi-oem implementa un conjunto de comandos IPMI OEM para proveedores de hardware espec\u00edficos. Si un usuario tiene hardware compatible, puede desear usar el comando ipmi-oem para enviar una solicitud a un servidor para recuperar informaci\u00f3n espec\u00edfica. Se encontr\u00f3 que tres subcomandos ten\u00edan desbordamientos de b\u00fafer explotables en mensajes de respuesta. Son: 'ipmi-oem dell get-last-post-code - obtener el \u00faltimo c\u00f3digo POST y la cadena que describe el error en algunos servidores Dell,' 'ipmi-oem supermicro extra-firmware-info - obtener informaci\u00f3n extra de firmware en servidores Supermicro,' y 'ipmi-oem wistron read-proprietary-string - leer una cadena propietaria en servidores Wistron.'"}], "id": "CVE-2026-33554", "lastModified": "2026-04-27T19:18:46.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-24T15:16:35.743", "references": [{"source": "cve@mitre.org", "url": "https://ftp.gnu.org/gnu/freeipmi/"}, {"source": "cve@mitre.org", "url": "https://savannah.gnu.org/bugs/?68140"}, {"source": "cve@mitre.org", "url": "https://savannah.gnu.org/bugs/?68141"}, {"source": "cve@mitre.org", "url": "https://savannah.gnu.org/bugs/?68142"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "freeipmi: buffer overflows on response messages via ipmi-oem", "id": "2450778", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450778"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-120", "details": ["A flaw was found in FreeIPMI. The `ipmi-oem` program is used to send Intelligent Platform Management Interface (IPMI) OEM commands for specific hardware vendors to retrieve specific information from the hardware. A malicious server can reply with crafted response messages and cause buffer overflows when processed, potentially resulting in a denial of service and memory corruption."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, ensure all BMCs and the servers running FreeIPMI are isolated on a dedicated and restricted network environment."}, "name": "CVE-2026-33554", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "freeipmi", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "freeipmi", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "freeipmi", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "freeipmi", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "freeipmi", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33554\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33554\nhttps://ftp.gnu.org/gnu/freeipmi/\nhttps://savannah.gnu.org/bugs/?68140\nhttps://savannah.gnu.org/bugs/?68141\nhttps://savannah.gnu.org/bugs/?68142"], "statement": "To exploit this vulnerability, a user needs to execute the `ipmi-oem` program to retrieve information from a compromised or malicious Baseboard Management Controller (BMC) server, limiting the exposure of this flaw.\nSpecifically, the following `ipmi-oem` commands are vulnerable to this issue:\n- ipmi-oem dell get-last-post-code\n- ipmi-oem supermicro extra-firmware-info\n- ipmi-oem wistron read-proprietary-string\nDefault Red Hat Enterprise Linux security features, including SELinux enforcement, Address Space Layout Randomization (ASLR) and NX (No-Execute) stack protection, significantly increase the difficulty of achieving arbitrary code execution, limiting the impact of this vulnerability.\nDue to these reasons, this flaw has been rated with a moderate severity.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.16.17)"}}], "enrichment": {"confidence": 85.0, "confidence_source": "inferred", "scores": [{"score": 85.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "freeipmi", "vendor": "gnu"}], "analysis": {"en": {"generated_at": "2026-03-25T01:21:21.278426+00:00", "value": {"mitigation_remediation": ["Upgrade FreeIPMI to version 1.16.17 or newer.", "If an upgrade cannot be performed immediately, restrict use of the ipmi\u2011oem command or prevent execution of the vulnerable subcommands on affected systems.", "Verify that only trusted users have permissions to run ipmi\u2011oem; consider disabling unnecessary IPMI OEM commands via host or firmware settings if possible.", "Monitor for signs of memory corruption or unexpected process crashes in systems running the ipmi\u2011oem utility."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of FreeIPMI version 1.16.16 or earlier that use the ipmi-oem client against supportedhardware are affected. The issue manifests when interacting with Dell, Supermicro or Wistron servers that support the specific OEM subcommands described. The affected products are the FreeIPMI suite on any operating system that can execute the ipmi-oem command.", "description_and_impact": "The vulnerability involves unbounded buffer copies on response messages in the ipmi-oem client of FreeIPMI. A maliciously crafted response from an IPMI server can overflow internal buffers when the client processes subcommands such as \"ipmi-oem dell get-last-post-code\", \"ipmi-oem supermicro extra-firmware-info\" or \"ipmi-oem wistron read-proprietary-string\". The overflow can corrupt memory, potentially allowing arbitrary code execution or denial\u2011of\u2011service on the host running the client. This weakness maps to CWE\u2011120 and CWE\u2011121.", "risk_and_exploitability": "The CVSS v3 score of 7.5 indicates significant impact, while the EPSS score is currently unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to have network access to the IPMI interface and the ability to trigger the ipmi-oem commands, or a local user with sufficient privileges to run the client. The likely attack vector is remote, using crafted IPMI packets sent to a server that forwards responses back to the client, which then overflows its buffers."}}}}, "created": "2026-03-25T11:48:59.831955+00:00", "updated": "2026-03-25T20:40:50.536436+00:00", "vendors": ["gnu", "gnu$PRODUCT$freeipmi"]}