
CVE-2021-42386

Published: 15 November 2021

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function

Notes

Author: ccdm94

Fix (importing awk.c from busybox version >= 1.34.0 due to the large amount of changes made to the awk.c code) introduces a regression to busybox awk in xenial and earlier. Applying changes from the commit which prevents this regression from happening (237bedd499c) could result in further regressions being introduced to other applets in busybox. This happens because interfaces for applets are altered in this commit, and the calls to get them executed through busybox are modified. External applications which use busybox could end up with regressions as well because of this.

Priority

Low

CVSS 3 Severity Score

7.2

Status

Package: busybox

Release  Status
upstream Released (1.34.0)
trusty   Ignored (see notes)
xenial   Ignored (see notes)
bionic   Released (1:1.27.2-2ubuntu3.4)
focal    Released (1:1.30.1-4ubuntu6.4)
hirsute  Released (1:1.30.1-6ubuntu2.1)
impish   Released (1:1.30.1-6ubuntu3.1)
jammy    Released (1:1.30.1-7ubuntu2)

Severity score breakdown

Parameter              Value
Base score             7.2
Attack vector          Network
Attack complexity      Low
Privileges required    High
User interaction       None
Scope                  Unchanged
Confidentiality impact High
Integrity impact       High
Availability impact    High
Vector                 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H