An out-of-bounds heap read in BusyBox's unlzma applet leads to an information leak and denial of service when crafted LZMA-compressed input is decompressed. Any applet or file format that internally supports LZMA decompression can trigger it.
Read more: "Unboxing Busybox: 14 Vulnerabilities Uncovered by Claroty, JFrog"
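The advisory describes a decompressor that can be driven out of bounds by crafted LZMA input. The following added example (not code from the page, from BusyBox, or from the advisory's authors) shows the defensive pattern a service that accepts untrusted LZMA data would want in front of any decompressor: validate the 13-byte LZMA "alone" header (properties byte, dictionary size, declared uncompressed size), then decompress with a hard output cap so a crafted stream can neither exhaust memory nor be trusted on its own length claims. It uses Python's standard `lzma` module; the limits `max_output` and `max_dict` are assumed policy values chosen here, not anything BusyBox specifies, and it does not reproduce or patch the specific unlzma defect.

```python
import lzma
import struct

LZMA_ALONE_HEADER_LEN = 13            # props(1) + dict_size(4, LE) + uncompressed_size(8, LE)
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF    # sentinel meaning "size not declared, end marker present"


def parse_lzma_alone_header(data: bytes) -> dict:
    """Decode and sanity-check the LZMA 'alone' (.lzma) header without decompressing."""
    if len(data) < LZMA_ALONE_HEADER_LEN:
        raise ValueError("truncated LZMA header")
    props, dict_size, unc_size = struct.unpack("<BIQ", data[:LZMA_ALONE_HEADER_LEN])
    # props encodes lc + lp*9 + pb*45 with lc<=8, lp<=4, pb<=4, so it must be < 225.
    if props >= 225:
        raise ValueError("invalid LZMA properties byte: %d" % props)
    pb, rem = divmod(props, 45)
    lp, lc = divmod(rem, 9)
    if lc > 8 or lp > 4 or pb > 4:
        raise ValueError("invalid lc/lp/pb combination")
    return {
        "lc": lc,
        "lp": lp,
        "pb": pb,
        "dict_size": dict_size,
        "uncompressed_size": unc_size,
    }


def safe_decompress(data: bytes, max_output: int, max_dict: int = 64 << 20) -> bytes:
    """Decompress untrusted .lzma data, refusing oversized dictionaries and output.

    max_output / max_dict are assumed policy limits for this example.
    """
    hdr = parse_lzma_alone_header(data)
    if hdr["dict_size"] > max_dict:
        raise ValueError("dictionary size %d exceeds limit" % hdr["dict_size"])
    declared = hdr["uncompressed_size"]
    if declared != UNKNOWN_SIZE and declared > max_output:
        raise ValueError("declared uncompressed size %d exceeds limit" % declared)

    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        # Ask for one byte more than allowed so an over-limit stream is detectable.
        out = dec.decompress(data, max_length=max_output + 1)
    except lzma.LZMAError as exc:
        raise ValueError("corrupt LZMA stream: %s" % exc) from exc
    if len(out) > max_output:
        raise ValueError("decompressed output exceeds %d bytes" % max_output)
    if not dec.eof:
        # Input ran out before the stream ended: truncated or malformed data.
        raise ValueError("LZMA stream ended prematurely")
    return out


if __name__ == "__main__":
    # Constructed sample: a well-formed .lzma stream produced locally.
    sample = lzma.compress(b"A" * 1000, format=lzma.FORMAT_ALONE)
    print(parse_lzma_alone_header(sample))
    print(len(safe_decompress(sample, max_output=4096)), "bytes recovered")
    for bad in (b"\xff" * LZMA_ALONE_HEADER_LEN, sample[:20]):
        try:
            safe_decompress(bad, max_output=4096)
        except ValueError as err:
            print("rejected:", err)
```

The header check rejects malformed property bytes before any decoder state is built, and the output cap turns a "decompression bomb" or a stream that lies about its length into a clean error rather than a memory or CPU exhaustion. The `max_length` argument makes the cap enforceable regardless of what the header declares.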

Risk Information

  • CVE ID: CVE-2021-42374
  • Vendor: Busybox
  • Product: Linux Utilities
  • CVSS v3: 6.5