Vulnerabilities (CVE)

Filtered by vendor Busybox Subscribe
Filtered by product Busybox
Total 32 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-42386 1 Busybox 1 Busybox 2021-11-25 6.5 MEDIUM 7.2 HIGH
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function
CVE-2021-42373 1 Busybox 1 Busybox 2021-11-25 2.1 LOW 5.5 MEDIUM
A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given
CVE-2021-42374 1 Busybox 1 Busybox 2021-11-25 3.3 LOW 5.3 MEDIUM
An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that
CVE-2021-42377 1 Busybox 1 Busybox 2021-11-25 6.8 MEDIUM 9.8 CRITICAL
An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
CVE-2021-42375 1 Busybox 1 Busybox 2021-11-25 1.9 LOW 5.5 MEDIUM
An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.
CVE-2021-42376 1 Busybox 1 Busybox 2021-11-25 1.9 LOW 5.5 MEDIUM
A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.
CVE-2021-42378 1 Busybox 1 Busybox 2021-11-25 6.5 MEDIUM 7.2 HIGH
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function
CVE-2021-42379 1 Busybox 1 Busybox 2021-11-25 6.5 MEDIUM 7.2 HIGH
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function
CVE-2021-42380 1 Busybox 1 Busybox 2021-11-25 6.5 MEDIUM 7.2 HIGH
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function
CVE-2021-42381 1 Busybox 1 Busybox 2021-11-25 6.5 MEDIUM 7.2 HIGH
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function
CVE-2021-42382 1 Busybox 1 Busybox 2021-11-25 6.5 MEDIUM 7.2 HIGH
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function
CVE-2021-42383 1 Busybox 1 Busybox 2021-11-25 6.5 MEDIUM 7.2 HIGH
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2021-42384 1 Busybox 1 Busybox 2021-11-25 6.5 MEDIUM 7.2 HIGH
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function
CVE-2021-42385 1 Busybox 1 Busybox 2021-11-25 6.5 MEDIUM 7.2 HIGH
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function
CVE-2017-16544 5 Busybox, Canonical, Debian and 2 more 8 Busybox, Ubuntu Linux, Debian Linux and 5 more 2021-08-19 6.5 MEDIUM 8.8 HIGH
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
CVE-2021-28831 3 Busybox, Debian, Fedoraproject 3 Busybox, Debian Linux, Fedora 2021-05-26 5.0 MEDIUM 7.5 HIGH
decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.
CVE-2016-2148 3 Busybox, Canonical, Debian 3 Busybox, Ubuntu Linux, Debian Linux 2021-02-22 7.5 HIGH 9.8 CRITICAL
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
CVE-2015-9261 3 Busybox, Canonical, Debian 3 Busybox, Ubuntu Linux, Debian Linux 2021-02-19 4.3 MEDIUM 5.5 MEDIUM
huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.
CVE-2011-5325 3 Busybox, Canonical, Debian 3 Busybox, Ubuntu Linux, Debian Linux 2021-02-19 5.0 MEDIUM 7.5 HIGH
Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink.
CVE-2016-2147 3 Busybox, Canonical, Debian 3 Busybox, Ubuntu Linux, Debian Linux 2021-02-18 5.0 MEDIUM 7.5 HIGH
Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.