CVE-2016-2148 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Busybox

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-122 — Heap-based Buffer Overflow9 documents7 sources

Severity

9.8CRITICALNVD

OSV7.5

EPSS

15.8%

top 5.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox Canonical Ubuntu Linux +1 more

Timeline

PublishedFeb 9

Latest updateMay 13

Description

Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/busybox< busybox 1:1.27.2-1 (bookworm)

▶Debianbusybox/busybox< 1:1.27.2-1+3

▶Ubuntubusybox/busybox< 1:1.21.0-1ubuntu1.4+2

▶NVDbusybox/busybox1.24.2

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 18.04, 18.10

Patches

Patch: www.openwall.com ↗Patch: git.busybox.net ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

GHSA

GHSA-xch5-p4j5-66mj: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1↗2022-05-13

▶

OSV

busybox vulnerabilities↗2019-04-03

▶

OSV

CVE-2016-2148: Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1↗2017-02-09

▶

📋Vendor Advisories

Ubuntu

BusyBox vulnerabilities↗2019-04-03

▶

Red Hat

busybox: heap-based buffer overflow in OPTION_6RD parsing↗2016-03-10

▶

Debian

CVE-2016-2148: busybox - Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 ...↗2016

▶

💬Community

Bugzilla

CVE-2016-2147 CVE-2016-2148 busybox: various flaws [fedora-all]↗2016-03-10

▶

Bugzilla

CVE-2016-2148 busybox: heap-based buffer overflow in OPTION_6RD parsing↗2016-03-10

▶