Busybox

This hub aggregates every CVE we track for Busybox, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Busybox.

• CVE-2025-60876BusyBox wget thru 1.3.7 accepted raw CR (0x0D)/LF (0x0A) and other C0 control bytes in the HTTP request-target (path/query), allowing the request line to be split and attacker-controlled headers to...6.5Nov 10, 2025
• CVE-2025-12220Busybox 1.31.1 - Multiple Known Vulnerabilities9.8Oct 25, 2025
• CVE-2025-46394In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.3.2Apr 23, 2025
• CVE-2024-58251In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) ...2.5Apr 23, 2025
• CVE-2023-42363A use-after-free vulnerability was discovered in xasprintf function in xfuncs_printf.c:344 in BusyBox v.1.36.1.5.5Nov 27, 2023
• CVE-2023-42366A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.5.5Nov 27, 2023
• CVE-2023-42364A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk pattern in the awk.c evaluate function.5.5Nov 27, 2023
• CVE-2023-42365A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function.5.5Nov 27, 2023
• CVE-2023-39810An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal.7.8Aug 28, 2023
• CVE-2022-48174There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.9.8Aug 22, 2023
• CVE-2022-30065A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.7.8May 18, 2022
• CVE-2022-28391BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose t...8.8Apr 3, 2022
• CVE-2021-42380A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function7.2Nov 15, 2021
• CVE-2021-42374An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format ...5.3Nov 15, 2021
• CVE-2021-42382A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function7.2Nov 15, 2021