A free of an attacker-controlled pointer in hush leads to denial of service and possibly code execution when the shell processes a crafted command, because hush mishandles the &&& string. Under rare conditions in which command input is filtered, this may be used for remote code execution.
Read more: “Unboxing Busybox: 14 Vulnerabilities Uncovered by Claroty, JFrog”

Risk Information

  • CVE ID: CVE-2021-42377
  • Vendor: Busybox
  • Product: Linux Utilities
  • CVSS v3: 6.4