CVE-2021-42375

MEDIUM

Busybox - Denial of Service via Incorrect Handling of Special Elements in ash Applet

Title source: llm

Description

An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.

References (5)

Core 5

Core References

Mailing List, Third Party Advisory vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

Mailing List, Third Party Advisory vendor-advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/

Third Party Advisory

https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211223-0002/

Various Sources

https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog

Scores

CVSS v3 5.5

EPSS 0.0006

EPSS Percentile 19.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-159

Status published

Products (13)

busybox/busybox 1.33.1

fedoraproject/fedora 33

fedoraproject/fedora 34

netapp/cloud_backup

netapp/h300e_firmware

netapp/h300s_firmware

netapp/h410s_firmware

netapp/h500e_firmware

netapp/h500s_firmware

netapp/h700e_firmware

... and 3 more

Published Nov 15, 2021

Tracked Since Feb 18, 2026