CVE-2021-42385Use After Free in Busybox

CWE-416Use After Free12 documents8 sources
Severity
7.2HIGHNVD
OSV7.5
EPSS
0.3%
top 47.31%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
BusyboxDebian BusyboxFedoraproject Fedora+2 more
Timeline
PublishedNov 15
Latest updateJun 15

Description

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages7 packages

debiandebian/busybox< busybox 1:1.35.0-1 (bookworm)
CVEListV5busybox/busyboxunspecified1.34.0
Debianbusybox/busybox< 1:1.30.1-6+deb11u1+3
Ubuntubusybox/busybox< 1:1.27.2-2ubuntu3.4+1
NVDbusybox/busybox1.16.01.33.1

Also affects: Fedora 33, 34

🔴Vulnerability Details

3
OSV
busybox vulnerabilities2021-12-07
GHSA
GHSA-px6h-65pj-6gq3: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate2021-11-17
OSV
CVE-2021-42385: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate2021-11-15

📋Vendor Advisories

8
CISA ICS
Siemens SIMATIC S7-1500 TM MFP BIOS2023-06-15
CISA ICS
​Siemens SINAMICS Medium Voltage Products2023-06-15
CISA ICS
Siemens SCALANCE Third-Party2023-03-21
CISA ICS
Siemens SCALANCE, RUGGEDCOM Third-Party2023-03-16
Ubuntu
BusyBox vulnerabilities2021-12-07