A NULL pointer dereference in BusyBox hush leads to denial of service when processing malformed command line arguments
BusyBox [1.33.0, 1.33.1], fixed in 1.34.0
The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.
A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.
An attacker that controls hush command line arguments can trigger this issue.
No PoC is supplied for this issue
No vulnerability mitigations are supplied for this issue
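Since the fixed release is the only remedy listed, the practical step is to find builds inside the affected range. The following is an added example, not part of the advisory or of BusyBox: a POSIX shell check that classifies a BusyBox banner and applet list against the range given above. The function names, result labels and sample banner are constructed for illustration, and the local check assumes the build supports `busybox --list`.

```shell
#!/bin/sh
# Added example (not from the advisory): flag BusyBox builds in the affected
# range stated on this page, 1.33.0 through 1.33.1 (fixed in 1.34.0).

# Pull "X.Y.Z" out of the banner line, e.g.
# "BusyBox v1.33.1 (2021-05-03 10:00:00 UTC) multi-call binary."
bb_version() {
    printf '%s\n' "$1" |
        sed -n 's/^BusyBox v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Succeeds only for the two releases inside the affected range.
bb_affected_version() {
    case "$1" in
        1.33.0|1.33.1) return 0 ;;
        *) return 1 ;;
    esac
}

# classify BANNER APPLET_LIST -> affected | verify-sh | not-affected | unknown
classify() {
    v=$(bb_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    bb_affected_version "$v" || { echo not-affected; return 0; }
    if printf '%s\n' "$2" | grep -qx 'hush'; then
        echo affected
    else
        # No hush applet listed; "sh" can still be hush when the build
        # aliases sh to hush, so confirm against the build config.
        echo verify-sh
    fi
}

# Check the busybox binary on PATH (assumes the build supports --list).
check_local() {
    command -v busybox >/dev/null 2>&1 || { echo unknown; return 0; }
    classify "$(busybox 2>&1 | head -n 1)" "$(busybox --list 2>/dev/null)"
}

# Constructed sample input, not output captured from a real device.
SAMPLE_BANNER='BusyBox v1.33.1 (2021-05-03 10:00:00 UTC) multi-call binary.'
SAMPLE_APPLETS='ash
hush
ls
sh'
echo "sample: $(classify "$SAMPLE_BANNER" "$SAMPLE_APPLETS")"
echo "local:  $(check_local)"
```

A `verify-sh` result means the version is in range but no `hush` applet is listed, so the shell behind `sh` still has to be confirmed from the build configuration.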
(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog