Busybox Security Vulnerabilities and Issues — Busybox CVE List

Lucene search

BusyboxBusybox

13 matches found

CVE•added 2018/07/26 7:29 p.m.•277 views

CVE-2015-9261

huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.

5.5CVSS6.9AI score0.00257EPSS

CVE•added 2017/03/12 6:59 a.m.•232 views

CVE-2014-9645

The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.

5.5CVSS6.2AI score0.00309EPSS

CVE•added 2021/11/15 9:15 p.m.•202 views

CVE-2021-42376

A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.

5.5CVSS6.9AI score0.00028EPSS

CVE•added 2017/10/24 8:29 p.m.•164 views

CVE-2017-15873

The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

5.5CVSS7AI score0.00112EPSS

CVE•added 2021/11/15 9:15 p.m.•153 views

CVE-2021-42374

An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

5.3CVSS5.9AI score0.00071EPSS

CVE•added 2021/11/15 9:15 p.m.•130 views

CVE-2021-42373

A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given

5.5CVSS6.8AI score0.00052EPSS

CVE•added 2021/11/15 9:15 p.m.•129 views

CVE-2021-42375

An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.

5.5CVSS7AI score0.00051EPSS

CVE•added 2017/10/24 8:29 p.m.•120 views

CVE-2017-15874

archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation.

5.5CVSS6.3AI score0.00178EPSS

CVE•added 2023/11/27 11:15 p.m.•119 views

CVE-2023-42366

A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.

5.5CVSS5.3AI score0.00027EPSS

CVE•added 2023/11/27 10:15 p.m.•76 views

CVE-2023-42363

A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.

5.5CVSS5.4AI score0.00026EPSS

CVE•added 2023/11/27 11:15 p.m.•57 views

CVE-2023-42365

A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.

5.5CVSS5.3AI score0.00032EPSS

CVE•added 2006/04/04 10:4 a.m.•56 views

CVE-2006-1058

BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.

5.5CVSS5.3AI score0.00045EPSS

CVE•added 2023/11/27 11:15 p.m.•55 views

CVE-2023-42364

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.

5.5CVSS5.2AI score0.00032EPSS