CVE-2026-38754
Received Received - Intake

Heap Overflow in BusyBox v1.38.0

Vulnerability report for CVE-2026-38754, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: MITRE

Description

A heap overflow in the ifsbreakup() function (shell/ash.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
busybox busybox 1.38.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a heap overflow in the ifsbreakup() function located in the shell/ash.c file of Busybox version 1.38.0. A heap overflow occurs when a program writes more data to a buffer than it can hold, corrupting adjacent memory. Attackers can exploit this by providing specially crafted input to trigger the overflow.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) by crashing the affected system or application. If exploited, it may lead to system instability, unresponsiveness, or termination of services relying on Busybox v1.38.0.

Mitigation Strategies

Update Busybox to a version that patches the heap overflow in ifsbreakup(). Avoid using vulnerable versions (e.g., v1.38.0) and monitor for crashes in shell/ash.c functions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38754. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart