CVE-2023-42364 — Use After Free in Busybox

CWE-416 — Use After Free8 documents7 sources

Severity

5.5MEDIUMNVD

OSV9.8

EPSS

0.0%

top 90.94%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox Msrc Azl3 Busybox 1.36.1-12 ON Azure Linux 3.0 +3 more

Timeline

PublishedNov 27

Latest updateAug 14

Description

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 1.8 | Impact: 3.6

Affected Packages8 packages

▶debiandebian/busybox< busybox 1:1.30.1-6+deb11u1 (bullseye)

▶Debianbusybox/busybox< 1:1.30.1-6+deb11u1+2

▶Ubuntubusybox/busybox< 1:1.30.1-4ubuntu6.5+2

▶NVDbusybox/busybox1.36.1

▶msrcmsrc/azl3_busybox_1.36.1-7_on_azure_linux_3.0

🔴Vulnerability Details

OSV

busybox vulnerabilities↗2024-08-14

▶

GHSA

GHSA-qqqj-6rp2-5pw4: A use-after-free vulnerability in BusyBox v↗2023-11-28

▶

OSV

CVE-2023-42364: A use-after-free vulnerability in BusyBox v↗2023-11-27

▶

📋Vendor Advisories

Ubuntu

BusyBox vulnerabilities↗2024-08-14

▶

Red Hat

busybox: use-after-free↗2023-11-28

▶

Microsoft

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.↗2023-11-14

▶

Debian

CVE-2023-42364: busybox - A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a d...↗2023

▶