CVE-2026-38755
Received Received - Intake

Heap Overflow in BusyBox v1.38.0

Vulnerability report for CVE-2026-38755, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: MITRE

Description

A heap overflow in the evalcommand() function (shell/ash.c) of Busybox v1.38.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted input.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
busybox busybox 1.38.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a heap overflow in the evalcommand() function within the shell/ash.c file of Busybox version 1.38.0. A heap overflow occurs when a program writes more data to a buffer than it can hold, corrupting adjacent memory. This can lead to crashes or other unexpected behavior.

Impact Analysis

This vulnerability can cause a Denial of Service (DoS) by crashing the Busybox application. If exploited, it may disrupt services relying on Busybox, leading to system instability or unavailability.

Mitigation Strategies

Upgrade Busybox to a version later than v1.38.0 where the heap overflow in evalcommand() has been patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38755. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart