CVE-2021-42376NULL Pointer Dereference in Busybox

CWE-476NULL Pointer Dereference10 documents8 sources
Severity
5.5MEDIUMNVD
EPSS
0.0%
top 86.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
BusyboxDebian BusyboxFedoraproject Fedora+2 more
Timeline
PublishedNov 15
Latest updateNov 27

Description

A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages6 packages

debiandebian/busybox< busybox 1:1.35.0-1 (bookworm)
CVEListV5busybox/busyboxunspecified1.34.0
NVDbusybox/busybox1.16.01.34.0
Debianbusybox/busybox< 1:1.35.0-1+2

Also affects: Fedora 33, 34

🔴Vulnerability Details

2
GHSA
GHSA-rxm7-xwcf-84fm: A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation afte2022-05-24
OSV
CVE-2021-42376: A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation afte2021-11-15

📋Vendor Advisories

6
CISA ICS
Siemens SIMATIC S7-1500 TM MFP BIOS2023-06-15
CISA ICS
Siemens SCALANCE Third-Party2023-03-21
CISA ICS
Siemens SCALANCE, RUGGEDCOM Third-Party2023-03-16
Red Hat
busybox: NULL pointer dereference in hush applet leads to denial of service when processing a crafted shell command2021-11-09
Microsoft
A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command due to missing validation after a \x03 delimiter character. This may be used for 2021-11-09

📄Research Papers

1
arXiv
UniBOM -- A Unified SBOM Analysis and Visualisation Tool for IoT Systems and Beyond2025-11-27