CVE-2022-48174
Published: 2023-08-22
Priority: P260 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.98% (85.6th percentile)
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| busybox | busybox | <= 1.36.1 | — |
| busybox | busybox | >= 0 < 1:1.30.1-6+deb11u1 | 1:1.30.1-6+deb11u1 |
| busybox | busybox | >= 0 < 1:1.37.0-1 | 1:1.37.0-1 |
| busybox | busybox | >= 0 < 1:1.37.0-1 | 1:1.37.0-1 |
| busybox | busybox | >= 0 < 1:1.30.1-4ubuntu6.5 | 1:1.30.1-4ubuntu6.5 |
| busybox | busybox | >= 0 < 1:1.30.1-7ubuntu3.1 | 1:1.30.1-7ubuntu3.1 |
| busybox | busybox | >= 0 < 1:1.36.1-6ubuntu3.1 | 1:1.36.1-6ubuntu3.1 |
| busybox | busybox | >= 0 < 1:1.21.0-1ubuntu1.4+esm1 | 1:1.21.0-1ubuntu1.4+esm1 |
| busybox | busybox | >= 0 < 1:1.22.0-15ubuntu1.4+esm2 | 1:1.22.0-15ubuntu1.4+esm2 |
| busybox | busybox | >= 0 < 1:1.27.2-2ubuntu3.4+esm1 | 1:1.27.2-2ubuntu3.4+esm1 |
| debian | busybox | < busybox 1:1.30.1-6+deb11u1 (bullseye) | busybox 1:1.30.1-6+deb11u1 (bullseye) |
| debian | debian_linux | — | — |
| msrc | azl3_busybox_1.36.1-13_on_azure_linux_3.0 | — | — |
| msrc | cbl2_busybox_1.35.0-13_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_busybox_1.35.0-14_on_cbl_mariner_2.0 | — | — |
Detection & IOCs (extracted from sources)
- Vulnerability is located specifically at ash.c:6030 in BusyBox before 1.35; monitor for stack overflow conditions triggered via crafted input to the ash shell component
- Attack vector is triggered by processing a specially crafted file through BusyBox arithmetic operations; inspect file-processing pipelines involving BusyBox ash for anomalous input
- Exploitation can lead to arbitrary code execution from command context; monitor BusyBox ash shell processes for unexpected child process spawning or privilege escalation
- Remotely exploitable over HTTP (CVSS 9.8); monitor network-facing BusyBox deployments (e.g., IoT/IoV devices) for unexpected inbound HTTP requests triggering shell execution
- Only BusyBox versions before 1.35 are vulnerable; verify the installed BusyBox version on all IoT/IoV and embedded Linux devices
- No mitigation is currently available from Red Hat that meets their deployment/stability criteria; patching to a fixed version is the primary remediation path
- Microsoft Azure Linux (CBL-Mariner) is confirmed affected; other Microsoft products may also be impacted but have not yet been identified
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
| vendor_oracle | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
Ubuntu
BusyBox vulnerabilities
vendor_ubuntu·2024-08-14·CVSS 9.8
CVE-2023-42363 [CRITICAL] BusyBox vulnerabilities
Title: BusyBox vulnerabilities
Summary: Several security issues were fixed in BusyBox.
It was discovered that BusyBox did not properly validate user input when
performing certain arithmetic operations. If a user or automated system
were tricked into processing a specially crafted file, an attacker could
possibly use this issue to cause a denial of service, or execute arbitrary
code. (CVE-2022-48174)
It was discovered that BusyBox incorrectly managed memory when evaluating
certain awk expressions. An attacker could possibly use this issue to cause
a denial of service, or execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS. (CVE-2023-42363, CVE-2023-42364, CVE-2023-42365)
Instructions: In general, a standard system update will make all the necessary changes.
Oracle
Oracle Oracle Communications Risk Matrix: OSO (BusyBox) — CVE-2022-48174
vendor_oracle·2024-07-15·CVSS 9.8
CVE-2022-48174 [CRITICAL] Oracle Oracle Communications Risk Matrix: OSO (BusyBox) — CVE-2022-48174
Oracle Oracle Communications Risk Matrix: OSO (BusyBox) vulnerability
CVE: CVE-2022-48174
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2024 (JUL 2024)
Oracle
Oracle Oracle Communications Risk Matrix: OSO (BusyBox) — CVE-2022-48174
vendor_oracle·2024-01-15·CVSS 9.8
CVE-2022-48174 [CRITICAL] Oracle Oracle Communications Risk Matrix: OSO (BusyBox) — CVE-2022-48174
Oracle Oracle Communications Risk Matrix: OSO (BusyBox) vulnerability
CVE: CVE-2022-48174
CVSS: 9.8
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2024 (JAN 2024)
Ubuntu
BusyBox vulnerabilities
vendor_ubuntu·2023-09-04·CVSS 7.5
CVE-2022-48174 [HIGH] BusyBox vulnerabilities
Title: BusyBox vulnerabilities
Summary: Several security issues were fixed in BusyBox.
It was discovered that BusyBox incorrectly handled certain malformed gzip
archives. If a user or automated system were tricked into processing a
specially crafted gzip archive, a remote attacker could use this issue to
cause BusyBox to crash, resulting in a denial of service, or execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2021-28831)
It was discovered that BusyBox did not properly validate user input when
performing certain arithmetic operations. If a user or automated system
were tricked into processing a specially crafted file, an attacker could
possibly use this issue to cause BusyBox to crash, resulting in a denial
of service, or execute arbitrary code. (CVE-2022-48174)
Red Hat
busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution
vendor_redhat·2023-08-22·CVSS 9.8
CVE-2022-48174 [CRITICAL] CWE-787 busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution
busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
A vulnerability was found in the BusyBox package. This issue occurs via a stack overflow vulnerability in ash.c in BusyBox, which may allow arbitrary code execution.
Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Microsoft
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
vendor_msrc·2023-08-08·CVSS 9.8
CVE-2022-48174 [CRITICAL] CWE-787 There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the C
Debian
CVE-2022-48174: busybox - There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In...
vendor_debian·2022·CVSS 9.8
CVE-2022-48174 [CRITICAL] CVE-2022-48174: busybox - There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In...
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
Scope: local
bookworm: open
bullseye: resolved (fixed in 1:1.30.1-6+deb11u1)
forky: resolved (fixed in 1:1.37.0-1)
sid: resolved (fixed in 1:1.37.0-1)
trixie: resolved (fixed in 1:1.37.0-1)
OSV
busybox vulnerabilities
osv·2024-08-14·CVSS 9.8
CVE-2022-48174 [CRITICAL] busybox vulnerabilities
busybox vulnerabilities
It was discovered that BusyBox did not properly validate user input when
performing certain arithmetic operations. If a user or automated system
were tricked into processing a specially crafted file, an attacker could
possibly use this issue to cause a denial of service, or execute arbitrary
code. (CVE-2022-48174)
It was discovered that BusyBox incorrectly managed memory when evaluating
certain awk expressions. An attacker could possibly use this issue to cause
a denial of service, or execute arbitrary code. This issue only affected
Ubuntu 24.04 LTS. (CVE-2023-42363, CVE-2023-42364, CVE-2023-42365)
OSV
busybox vulnerabilities
osv·2023-09-04·CVSS 7.5
CVE-2021-28831 [HIGH] busybox vulnerabilities
busybox vulnerabilities
It was discovered that BusyBox incorrectly handled certain malformed gzip
archives. If a user or automated system were tricked into processing a
specially crafted gzip archive, a remote attacker could use this issue to
cause BusyBox to crash, resulting in a denial of service, or execute
arbitrary code. This issue only affected Ubuntu 14.04 LTS.
(CVE-2021-28831)
It was discovered that BusyBox did not properly validate user input when
performing certain arithmetic operations. If a user or automated system
were tricked into processing a specially crafted file, an attacker could
possibly use this issue to cause BusyBox to crash, resulting in a denial
of service, or execute arbitrary code. (CVE-2022-48174)
GHSA
GHSA-w9cc-xrp8-ffx4: There is a stack overflow vulnerability in ash
ghsa_unreviewed·2023-08-22
CVE-2022-48174 [CRITICAL] CWE-787 GHSA-w9cc-xrp8-ffx4: There is a stack overflow vulnerability in ash
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
OSV
CVE-2022-48174: There is a stack overflow vulnerability in ash
osv·2023-08-22·CVSS 9.8
CVE-2022-48174 [CRITICAL] CVE-2022-48174: There is a stack overflow vulnerability in ash
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
No detection rules found.
No public exploits indexed.
Qualys
Oracle Critical Patch Update, July 2024 Security Update Review
blogs_qualys·2024-07-17
Oracle Critical Patch Update, July 2024 Security Update Review
## Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
Oracle released its third quarterly edition of Critical Patch Update, which contains patches for 386 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in various product families, including third-party components in Oracle products.
In the third quarterly Oracle Critical Patch Update, Oracle Communications received the highest number of patches, 95, constituting about 24% of the total patches released. Oracle Financial Services Applications and Oracle Fusion Middleware foll
Qualys
Oracle Patch Update, January 2024 Security Update Review
blogs_qualys·2024-01-17
Oracle Patch Update, January 2024 Security Update Review
## Table of Contents
- Qualys QID Coverage
- Notable Oracle Vulnerabilities Patched
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Oracle has released its first quarterly edition of Critical Patch Update, which contains patches for 389 security vulnerabilities. Some of the vulnerabilities addressed in this update impact more than one product. These patches address vulnerabilities in a wide range of product families, including Oracle code and third-party components included in Oracle products.
In the first quarterly Oracle Critical Patch Update, Oracle Financial Services Applications received the highest number of patches, 71, constituting 18% of the total patches released. Oracle Communications and Oracle Communications Applications follow
Bugzilla
CVE-2022-48174 busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution
bugzilla·2023-09-04·CVSS 9.8
CVE-2022-48174 [CRITICAL] CVE-2022-48174 busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution
CVE-2022-48174 busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
https://bugs.busybox.net/show_bug.cgi?id=15216
Discussion:
Created busybox tracking bugs for this issue:
Affects: fedora-all [bug 2237154]
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6 Extended Lifecycle Support
Via RHSA-2023:5178 https://access.redhat.com/errata/RHSA-2023:5178