JFrog Security Research
< Back

XRAY-189794 - BusyBox hush NULL Pointer Dereference

CVE-2021-42376 | CVSS 5.5

JFrog Severity:medium

Discovered ByJFrog Collabof the JFrog Security Research Team

Published 9 Nov, 2021 | Last updated 9 Nov, 2021

A NULL pointer dereference in Busybox hush leads to denial of service when processing malformed command line arguments


BusyBox [1.33.0, 1.33.1], fixed in 1.34.0

The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.

A NULL pointer dereference in hush leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input. An attacker that controls hush command line arguments can trigger this issue.

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog


< Back