Debian Busybox vulnerabilities

47 known vulnerabilities affecting debian/busybox.

Total CVEs: 47
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 18, MEDIUM 8, LOW 19

Vulnerabilities

Page 1 of 3
CVE-2026-26157 | HIGH | CVSS 7.0 | fixed in busybox 1:1.37.0-10.1 (forky) | 2026
[HIGH] busybox - A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system
debian
CVE-2026-26158 | HIGH | CVSS 7.0 | fixed in busybox 1:1.37.0-10.1 (forky) | 2026
[HIGH] busybox - A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access t
debian
CVE-2025-60876 | MEDIUM | CVSS 6.5 | fixed in busybox 1:1.37.0-8 (forky) | 2025
[MEDIUM] busybox - BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients s
debian
CVE-2025-46394 | LOW | CVSS 3.2 | fixed in busybox 1:1.37.0-8 (forky) | 2025
[LOW] busybox - In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
Scope: local
bookworm: open; bullseye: open; forky: resolved (fixed in 1:1.37.0-8); sid: resolved (fixed in 1:1.37.0-8); trixie: open
debian
CVE-2024-58251 | LOW | CVSS 2.5 | fixed in busybox 1:1.37.0-9 (forky) | 2024
[LOW] busybox - In netstat in BusyBox through 1.37.0, local users can launch a network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.
Scope: local
bookworm: open; bullseye: open; forky: resolved (fixed in 1:1.37.0-9); sid: resolved (fixed in 1:1.37.0-9); trixie: open
debian
CVE-2023-39810 | HIGH | CVSS 7.8 | fixed in busybox 1:1.37.0-7 (forky) | 2023
[HIGH] busybox - An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.
Scope: local
bookworm: open; bullseye: open; forky: resolved (fixed in 1:1.37.0-7); sid: resolved (fixed in 1:1.37.0-7); trixie: open
debian
CVE-2023-42365 | MEDIUM | CVSS 5.5 | fixed in busybox 1:1.30.1-6+deb11u1 (bullseye) | 2023
[MEDIUM] busybox - A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.
Scope: local
bookworm: open; bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.37.0-1); sid: resolved (fixed in 1:1.37.0-1); trixie: resolved (fixed in 1:1.37.0-1)
debian
CVE-2023-42366 | MEDIUM | CVSS 5.5 | fixed in busybox 1:1.37.0-8 (forky) | 2023
[MEDIUM] busybox - A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.
Scope: local
bookworm: open; bullseye: open; forky: resolved (fixed in 1:1.37.0-8); sid: resolved (fixed in 1:1.37.0-8); trixie: open
debian
CVE-2023-42363 | MEDIUM | CVSS 5.5 | fixed in busybox 1:1.37.0-1 (forky) | 2023
[MEDIUM] busybox - A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
Scope: local
bookworm: open; bullseye: open; forky: resolved (fixed in 1:1.37.0-1); sid: resolved (fixed in 1:1.37.0-1); trixie: resolved (fixed in 1:1.37.0-1)
debian
CVE-2023-42364 | MEDIUM | CVSS 5.5 | fixed in busybox 1:1.30.1-6+deb11u1 (bullseye) | 2023
[MEDIUM] busybox - A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.
Scope: local
bookworm: open; bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.37.0-1); sid: resolved (fixed in 1:1.37.0-1); trixie: resolved (fixed in 1:1.37.0-1)
debian
CVE-2022-48174 | CRITICAL | CVSS 9.8 | fixed in busybox 1:1.30.1-6+deb11u1 (bullseye) | 2022
[CRITICAL] busybox - There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.
Scope: local
bookworm: open; bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.37.0-1); sid: resolved (fixed in 1:1.37.0-1); trixie: resolv
debian
CVE-2022-28391 | LOW | CVSS 8.8 | 2022
[HIGH] busybox - BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.
Scope: local
bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
debian
CVE-2022-30065 | LOW | CVSS 7.8 | fixed in busybox 1:1.36.1-1 (forky) | 2022
[HIGH] busybox - A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
Scope: local
bookworm: open; bullseye: open; forky: resolved (fixed in 1:1.36.1-1); sid: resolved (fixed in 1:1.36.1-1); trixie: resolved (fixed in 1:1.36.1-1)
debian
CVE-2021-42382 | HIGH | CVSS 7.2 | fixed in busybox 1:1.35.0-1 (bookworm) | 2021
[HIGH] busybox - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function.
Scope: local
bookworm: resolved (fixed in 1:1.35.0-1); bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.35.0-1); sid: resolved (fixed in 1:1.35.0-1); trixie: resolved (fixed in 1:1.3
debian
CVE-2021-42384 | HIGH | CVSS 7.2 | fixed in busybox 1:1.35.0-1 (bookworm) | 2021
[HIGH] busybox - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function.
Scope: local
bookworm: resolved (fixed in 1:1.35.0-1); bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.35.0-1); sid: resolved (fixed in 1:1.35.0-1); trixie: resolved (fixed in
debian
CVE-2021-42378 | HIGH | CVSS 7.2 | fixed in busybox 1:1.35.0-1 (bookworm) | 2021
[HIGH] busybox - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function.
Scope: local
bookworm: resolved (fixed in 1:1.35.0-1); bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.35.0-1); sid: resolved (fixed in 1:1.35.0-1); trixie: resolved (fixed in 1:1.3
debian
CVE-2021-42385 | HIGH | CVSS 7.2 | fixed in busybox 1:1.35.0-1 (bookworm) | 2021
[HIGH] busybox - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function.
Scope: local
bookworm: resolved (fixed in 1:1.35.0-1); bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.35.0-1); sid: resolved (fixed in 1:1.35.0-1); trixie: resolved (fixed in 1:1.3
debian
CVE-2021-42380 | HIGH | CVSS 7.2 | fixed in busybox 1:1.35.0-1 (bookworm) | 2021
[HIGH] busybox - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function.
Scope: local
bookworm: resolved (fixed in 1:1.35.0-1); bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.35.0-1); sid: resolved (fixed in 1:1.35.0-1); trixie: resolved (fixed in 1:1.35.
debian
CVE-2021-42386 | HIGH | CVSS 7.2 | fixed in busybox 1:1.35.0-1 (bookworm) | 2021
[HIGH] busybox - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.
Scope: local
bookworm: resolved (fixed in 1:1.35.0-1); bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.35.0-1); sid: resolved (fixed in 1:1.35.0-1); trixie: resolved (fixed in 1:1.35
debian
CVE-2021-42379 | HIGH | CVSS 7.2 | fixed in busybox 1:1.35.0-1 (bookworm) | 2021
[HIGH] busybox - A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function.
Scope: local
bookworm: resolved (fixed in 1:1.35.0-1); bullseye: resolved (fixed in 1:1.30.1-6+deb11u1); forky: resolved (fixed in 1:1.35.0-1); sid: resolved (fixed in 1:1.35.0-1); trixie: resolved (fixed i
debian