
CVE-2025-46394
https://notcve.org/view.php?id=CVE-2025-46394
23 Apr 2025 — In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. • https://bugs.busybox.net/show_bug.cgi?id=16018 • CWE-451: User Interface (UI) Misrepresentation of Critical Information •

CVE-2024-58251
https://notcve.org/view.php?id=CVE-2024-58251
23 Apr 2025 — In netstat in BusyBox through 1.37.0, local users can launch a network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim. • https://bugs.busybox.net/show_bug.cgi?id=15922 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •

CVE-2023-39810
https://notcve.org/view.php?id=CVE-2023-39810
28 Aug 2023 — An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. • http://busybox.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-48174 – busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-48174
22 Aug 2023 — There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. A vulnerability was found in the BusyBox package. This issue occurs via a stack overflow vulnerability in ash.c in BusyBox, which may allow arbitrary code execution. It was discovered that BusyBox incorrectly handled certain malformed gzip archives. • https://bugs.busybox.net/show_bug.cgi?id=15216 • CWE-787: Out-of-bounds Write •

CVE-2022-28391
https://notcve.org/view.php?id=CVE-2022-28391
03 Apr 2022 — BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. • https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVE-2021-42378 – Gentoo Linux Security Advisory 202407-17
https://notcve.org/view.php?id=CVE-2021-42378
15 Nov 2021 — A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function. Multiple vulnerabilities have been discovered in BusyBox, the worst of which could lead to arbitrary code execution. Versions greater than or ... • https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog • CWE-416: Use After Free •

CVE-2021-42384 – Gentoo Linux Security Advisory 202407-17
https://notcve.org/view.php?id=CVE-2021-42384
15 Nov 2021 — A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function. It was discovered that BusyBox incorrectly handled certain malformed gzip archives. If a user or automated system were tricked into... • https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog • CWE-416: Use After Free •

CVE-2021-42375 – Gentoo Linux Security Advisory 202407-17
https://notcve.org/view.php?id=CVE-2021-42375
15 Nov 2021 — An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input. • https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog • CWE-159: Improper Handling of Invalid Use of Special Elements •

CVE-2021-42383 – Gentoo Linux Security Advisory 202407-17
https://notcve.org/view.php?id=CVE-2021-42383
15 Nov 2021 — A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function. Multiple vulnerabilities have been discovered in BusyBox, the worst of which could lead to arbitrary code execution. Versions greater than or e... • https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog • CWE-416: Use After Free •

CVE-2021-42381 – Gentoo Linux Security Advisory 202407-17
https://notcve.org/view.php?id=CVE-2021-42381
15 Nov 2021 — A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function. Multiple vulnerabilities have been discovered in BusyBox, the worst of which could lead to arbitrary code execution. Versions greater than o... • https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog • CWE-416: Use After Free •