Cyber Resilience

CVE-2021-42377

Severity: Critical
Published: 15 November 2021
Modified: 21 November 2024
KEV Added: not listed
Patch: (no entry)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0285 (86.6th percentile)
Risk Priority: 21 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-42377 is a critical-severity Free of Memory not on the Heap (CWE-590) vulnerability in BusyBox (vendor busybox, product busybox). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 13.4% of CVEs by exploit likelihood (EPSS 0.0285, 86.6th percentile); it is not currently listed in the CISA KEV catalog.

Vulnerability details

An attacker-controlled pointer free in BusyBox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

The precondition for remote exploitation is that untrusted input reaches hush as (part of) a command string, for example through a device management interface that filters commands before passing them to the shell; that is why the description qualifies remote code execution as rare. Hosts whose BusyBox build does not include the hush applet, or that only expose ash, are not affected by this flaw.
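The check a practitioner usually wants first is whether a given BusyBox binary falls in the affected range and actually has hush built in. The script below is an added example, not code from the advisory or from the BusyBox project; it classifies a BusyBox banner line (the first line `busybox` prints with no arguments) and an applet list (the format of `busybox --list`) against the versions listed on this page (1.33.0 and 1.33.1). The sample banner and applet list are constructed, and the function names are ours.

```shell
#!/bin/sh
# Added example: classify a BusyBox build against CVE-2021-42377.
# Affected range taken from this page: 1.33.0 and 1.33.1.
# Sample inputs below are constructed, not captured from a real device.

# Extract "major.minor.patch" from a banner such as
# "BusyBox v1.33.1 (2021-06-30 12:00:00 UTC) multi-call binary."
bb_version() {
    printf '%s\n' "$1" | sed -n 's/^BusyBox v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 (true) if the upstream version is one of the affected releases.
bb_affected() {
    case "$1" in
        1.33.0|1.33.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if "hush" appears as a line in a newline-separated applet list.
bb_has_hush() {
    printf '%s\n' "$1" | grep -qx 'hush'
}

# Combine both checks. Prints exactly one of:
#   exposed               - affected version and hush is built in
#   not-affected-version  - version outside the listed range
#   hush-not-built        - affected version but no hush applet
bb_assess() {
    ver=$(bb_version "$1")
    if ! bb_affected "$ver"; then
        echo "not-affected-version"
    elif ! bb_has_hush "$2"; then
        echo "hush-not-built"
    else
        echo "exposed"
    fi
}

# Constructed samples (hypothetical device output).
SAMPLE_BANNER='BusyBox v1.33.1 (2021-06-30 12:00:00 UTC) multi-call binary.'
SAMPLE_APPLETS='ash
cat
hush
ls'

# On a live host with busybox installed, the equivalent call is:
#   bb_assess "$(busybox 2>&1 | head -n 1)" "$(busybox --list)"
bb_assess "$SAMPLE_BANNER" "$SAMPLE_APPLETS"
```

Two caveats apply. The version string alone is not proof of exposure: distribution packages (the Fedora 33 and 34 entries listed below are an example) commonly backport the fix while keeping the upstream version number, so a "1.33.1" banner on a patched distro package is a false positive that must be resolved against the package changelog. Conversely, a build outside the listed range is only clear for this CVE, not for the other hush issues disclosed alongside it.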

CWE(s)

CWE-590: Free of Memory not on the Heap

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product              Versions
busybox         busybox              1.33.0, 1.33.1
fedoraproject   fedora               33, 34
netapp          cloud backup         all versions
netapp          hci management node  all versions
netapp          solidfire            all versions
netapp          h300s firmware       all versions
netapp          h500s firmware       all versions
netapp          h700s firmware       all versions
netapp          h300e firmware       all versions
netapp          h500e firmware       all versions
+2 more product configuration(s); see NVD for the full list

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References