Vulnerability Report
- Name: busybox:stable@sha256:6b219909078e3fc93b81f83cb438bd7a5457984a01a478c76fe9777a8c67c39e
- Type: image
- Checksum: sha256:f0fd628b15e8cf167f7d467e031c1a15193d7db6e75c61b4fe9965d88e461a4a
- Date: 2026-01-07T04:59:04.278481495Z

- Critical: 1
- High: 0
- Medium: 5
- Low: 2
- Unknown: 0

| Name | Version | Type | Vulnerability | Severity | Risk | State | Fixed In | Description | Related URLs | PURL |
|---|---|---|---|---|---|---|---|---|---|---|
| busybox | 1.36.1 | binary | CVE-2022-48174 | Critical | 0.64% | N/A | | There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. | ["https://bugs.busybox.net/show_bug.cgi?id=15216","https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html","https://security.netapp.com/advisory/ntap-20241129-0001/"] | pkg:generic/busybox@1.36.1 |
| busybox | 1.36.1 | binary | CVE-2025-60876 | Medium | 0.03% | N/A | | BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to be injected. To preserve the HTTP/1.1 request-line shape METHOD SP request-target SP HTTP/1.1, a raw space (0x20) in the request-target must also be rejected (clients should use %20). | ["https://gist.github.com/subyumatest/41554af6a72aedaacaec026adc311092","https://lists.busybox.net/pipermail/busybox/attachments/20250823/ccdc96ef/attachment-0001.htm","https://lists.busybox.net/pipermail/busybox/attachments/20250828/e7f90492/attachment.htm"] | pkg:generic/busybox@1.36.1 |
| busybox | 1.36.1 | binary | CVE-2023-42364 | Medium | 0.02% | N/A | | A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function. | ["https://bugs.busybox.net/show_bug.cgi?id=15868","https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"] | pkg:generic/busybox@1.36.1 |
| busybox | 1.36.1 | binary | CVE-2023-42365 | Medium | 0.02% | N/A | | A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. | ["https://bugs.busybox.net/show_bug.cgi?id=15871","https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html"] | pkg:generic/busybox@1.36.1 |
| busybox | 1.36.1 | binary | CVE-2023-42363 | Medium | 0.01% | N/A | | A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1. | ["https://bugs.busybox.net/show_bug.cgi?id=15865"] | pkg:generic/busybox@1.36.1 |
| busybox | 1.36.1 | binary | CVE-2023-42366 | Medium | 0.01% | N/A | | A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. | ["https://bugs.busybox.net/show_bug.cgi?id=15874","https://security.netapp.com/advisory/ntap-20241206-0007/"] | pkg:generic/busybox@1.36.1 |
| busybox | 1.36.1 | binary | CVE-2024-58251 | Low | 0.01% | N/A | | In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim. | ["https://bugs.busybox.net/show_bug.cgi?id=15922","https://www.busybox.net","https://www.busybox.net/downloads/","http://www.openwall.com/lists/oss-security/2025/04/23/6"] | pkg:generic/busybox@1.36.1 |
| busybox | 1.36.1 | binary | CVE-2025-46394 | Low | 0.01% | N/A | | In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences. | ["https://bugs.busybox.net/show_bug.cgi?id=16018","https://www.busybox.net","https://www.busybox.net/downloads/","http://www.openwall.com/lists/oss-security/2025/04/23/5","http://www.openwall.com/lists/oss-security/2025/04/24/3"] | pkg:generic/busybox@1.36.1 |