CVE-2021-42374 — Out-of-bounds Read in Busybox

CWE-125 — Out-of-bounds Read12 documents8 sources

Severity

5.3MEDIUMNVD

OSV7.5

EPSS

0.1%

top 80.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox Fedoraproject Fedora +4 more

Timeline

PublishedNov 15

Latest updateJun 15

Description

An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:HExploitability: 1.0 | Impact: 4.2

Affected Packages9 packages

▶debiandebian/busybox< busybox 1:1.35.0-1 (bookworm)

▶CVEListV5busybox/busyboxunspecified — 1.34.0

▶Debianbusybox/busybox< 1:1.30.1-6+deb11u1+3

▶Ubuntubusybox/busybox< 1:1.27.2-2ubuntu3.4+1

▶NVDbusybox/busybox1.27.0 — 1.33.1

Also affects: Fedora 33, 34

🔴Vulnerability Details

GHSA

GHSA-6f92-r9cq-v6cq: An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompress↗2022-05-24

▶

OSV

busybox vulnerabilities↗2021-12-07

▶

OSV

CVE-2021-42374: An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompress↗2021-11-15

▶

📋Vendor Advisories

CISA ICS

Siemens SIMATIC S7-1500 TM MFP BIOS↗2023-06-15

▶

CISA ICS

Siemens SINAMICS Medium Voltage Products↗2023-06-15

▶

CISA ICS

Siemens SCALANCE Third-Party↗2023-03-21

▶

CISA ICS

Siemens SCALANCE, RUGGEDCOM Third-Party↗2023-03-16

▶

Ubuntu

BusyBox vulnerabilities↗2021-12-07

▶