A use-after-free in Busybox awk leads to remote code execution when processing malformed command line arguments
BusyBox [1.33.0, 1.33.1], fixed in 1.34.0
The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.
A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init
function.
An attacker that controls the awk
pattern (through the command line argument) can trigger this issue.
No PoC is supplied for this issue
No vulnerability mitigations are supplied for this issue
(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog