apk package
wolfi/busybox
pkg:apk/wolfi/busybox
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-26158 | Hig | 7.0 | < 1.37.0-r58 | 1.37.0-r58 | Feb 11, 2026 | A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this f | |
| CVE-2026-26157 | Hig | 7.0 | < 1.37.0-r58 | 1.37.0-r58 | Feb 11, 2026 | A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file over | |
| CVE-2025-60876 | Med | 6.5 | < 1.37.0-r52 | 1.37.0-r52 | Nov 10, 2025 | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target | |
| CVE-2024-58251 | Low | 2.5 | < 1.37.0-r49 | 1.37.0-r49 | Apr 23, 2025 | In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim. | |
| CVE-2025-46394 | Low | 3.2 | < 1.37.0-r50 | 1.37.0-r50 | Apr 23, 2025 | In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. | |
| CVE-2023-42366 | — | < 0 | 0 | Nov 27, 2023 | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. | ||
| CVE-2023-42365 | — | < 0 | 0 | Nov 27, 2023 | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. | ||
| CVE-2023-42364 | — | < 0 | 0 | Nov 27, 2023 | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function. | ||
| CVE-2023-42363 | — | < 0 | 0 | Nov 27, 2023 | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. | ||
| CVE-2023-39810 | — | < 1.37.0-r58 | 1.37.0-r58 | Aug 28, 2023 | An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. | ||
| CVE-2022-30065 | — | < 1.35.0-r3 | 1.35.0-r3 | May 18, 2022 | A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. | ||
| CVE-2022-28391 | — | < 1.35.0-r3 | 1.35.0-r3 | Apr 3, 2022 | BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. |
- affected < 1.37.0-r58fixed 1.37.0-r58
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this f
- affected < 1.37.0-r58fixed 1.37.0-r58
A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file over
- affected < 1.37.0-r52fixed 1.37.0-r52
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target
- affected < 1.37.0-r49fixed 1.37.0-r49
In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.
- affected < 1.37.0-r50fixed 1.37.0-r50
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.
- CVE-2023-42366Nov 27, 2023affected < 0fixed 0
A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.
- CVE-2023-42365Nov 27, 2023affected < 0fixed 0
A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.
- CVE-2023-42364Nov 27, 2023affected < 0fixed 0
A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.
- CVE-2023-42363Nov 27, 2023affected < 0fixed 0
A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.
- CVE-2023-39810Aug 28, 2023affected < 1.37.0-r58fixed 1.37.0-r58
An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.
- CVE-2022-30065May 18, 2022affected < 1.35.0-r3fixed 1.35.0-r3
A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.
- CVE-2022-28391Apr 3, 2022affected < 1.35.0-r3fixed 1.35.0-r3
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.