rpm package
suse/busybox&distro=SUSE Linux Enterprise Server for SAP applications 16.0
pkg:rpm/suse/busybox&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-29004 | Hig | 8.1 | < 1.37.0-160000.6.1 | 1.37.0-160000.6.1 | May 4, 2026 | BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a mal | |
| CVE-2026-26158 | Hig | 7.0 | < 1.37.0-160000.5.1 | 1.37.0-160000.5.1 | Feb 11, 2026 | A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this f | |
| CVE-2026-26157 | Hig | 7.0 | < 1.37.0-160000.5.1 | 1.37.0-160000.5.1 | Feb 11, 2026 | A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file over | |
| CVE-2025-60876 | Med | 6.5 | < 1.37.0-160000.4.1 | 1.37.0-160000.4.1 | Nov 10, 2025 | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target | |
| CVE-2025-46394 | Low | 3.2 | < 1.37.0-160000.4.1 | 1.37.0-160000.4.1 | Apr 23, 2025 | In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. |
- affected < 1.37.0-160000.6.1fixed 1.37.0-160000.6.1
BusyBox before commit 42202bf contains a heap buffer overflow vulnerability in the DHCPv6 client (udhcpc6) DNS_SERVERS option handler in networking/udhcp/d6_dhcpc.c that allows network-adjacent attackers to trigger memory corruption by sending a crafted DHCPv6 response with a mal
- affected < 1.37.0-160000.5.1fixed 1.37.0-160000.5.1
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this f
- affected < 1.37.0-160000.5.1fixed 1.37.0-160000.5.1
A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file over
- affected < 1.37.0-160000.4.1fixed 1.37.0-160000.4.1
BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target
- affected < 1.37.0-160000.4.1fixed 1.37.0-160000.4.1
In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.