CVE-2022-48174

9.8 CRITICAL

📋 TL;DR

A stack overflow vulnerability in BusyBox's ash shell allows remote attackers to execute arbitrary code via crafted commands. This affects all systems running BusyBox versions before 1.35, particularly Internet of Vehicles devices where BusyBox is commonly embedded. Attackers can gain full control of affected systems.

💻 Affected Systems

Products:
  • BusyBox
Versions: All versions before 1.35
Operating Systems: Linux, Embedded Linux, IoT/Embedded Systems
Default Config Vulnerable: ⚠️ Yes
Notes: Particularly critical in Internet of Vehicles and embedded devices where BusyBox is commonly used as the default shell. Any system using BusyBox ash shell is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level arbitrary code execution, leading to data theft, ransomware deployment, or device takeover in IoT/vehicle systems.

🟠 Likely Case

Remote code execution leading to backdoor installation, data exfiltration, or lateral movement within networks containing vulnerable BusyBox instances.

🟢 If Mitigated

Limited impact if systems are isolated, have strict command filtering, or run with minimal privileges, though exploitation risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires command injection or the ability to execute commands on the vulnerable system. Public bug reports contain technical details sufficient for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: BusyBox 1.35 and later

Vendor Advisory: https://bugs.busybox.net/show_bug.cgi?id=15216

Restart Required: No

Instructions:

1. Update BusyBox to version 1.35 or later.
2. For embedded systems: Rebuild firmware with patched BusyBox.
3. For package managers: Use 'apt-get update && apt-get upgrade busybox' or equivalent for your distribution.

🔧 Temporary Workarounds

Replace ash with alternative shell

Platform: linux

Replace BusyBox ash with another shell, such as bash or dash, to avoid the vulnerable component.

apt-get install bash
chsh -s /bin/bash
update-alternatives --config sh

Restrict command execution

Platform: all

Implement strict input validation and command filtering for systems that must accept external commands.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable devices from critical systems
  • Apply strict least-privilege principles and disable unnecessary shell access

🔍 How to Verify

Check if Vulnerable:

Run 'busybox ash --version' and check if version is below 1.35. Also check if /bin/sh or /bin/ash symlinks point to vulnerable BusyBox.

Check Version:

busybox --version

Verify Fix Applied:

Verify that the BusyBox version is 1.35 or higher with 'busybox --version', and test that command injection attempts are handled properly.
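
The verification steps above as a POSIX shell check (an added example, not part of the original advisory or of BusyBox). It assumes the banner line has the form `BusyBox vX.Y.Z ...`, compares the version with the 1.35 fix version given on this page, and reports whether /bin/sh or /bin/ash resolve to the busybox binary; the function names are illustrative.

```sh
#!/bin/sh
# Added example (not vendor code). Fixed version 1.35 is taken from this page.
FIXED_MAJOR=1
FIXED_MINOR=35

# Print X.Y[.Z] from a banner like "BusyBox v1.34.1 (date) multi-call binary."
bb_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^BusyBox v\([0-9][0-9]*\.[0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 if version < fixed (vulnerable), 1 if fixed, 2 if unparseable.
bb_is_vulnerable() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}
    for n in "$major" "$minor"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -lt "$FIXED_MAJOR" ]; then return 0; fi
    if [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; then
        return 0
    fi
    return 1
}

# Return 0 if the path resolves, through symlinks, to a file named busybox.
resolves_to_busybox() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    [ "$(basename "$target")" = "busybox" ]
}

report() {
    command -v busybox >/dev/null 2>&1 || { echo "busybox: not installed"; return 0; }
    banner=$(busybox --help 2>&1 | head -n 1)   # first line is the version banner
    ver=$(bb_version_from_banner "$banner")
    rc=0; bb_is_vulnerable "$ver" || rc=$?
    case "$rc" in
        0) echo "VULNERABLE: BusyBox $ver is older than $FIXED_MAJOR.$FIXED_MINOR" ;;
        1) echo "ok: BusyBox $ver" ;;
        *) echo "unknown: cannot parse banner: $banner" ;;
    esac
    for p in /bin/sh /bin/ash; do
        if resolves_to_busybox "$p"; then echo "$p resolves to busybox"; fi
    done
    return 0
}

report
```

On firmware images, the same functions can be pointed at an unpacked root filesystem by passing its shell paths to `resolves_to_busybox` and a banner string extracted from the binary to `bb_version_from_banner`.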

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • Multiple failed command attempts with malformed input
  • Process spawning from ash shell with suspicious arguments

Network Indicators:

  • Unexpected outbound connections from embedded/IoT devices
  • Command injection attempts in web interfaces or APIs

SIEM Query:

process.name:"ash" AND (process.cmdline:*overflow* OR process.cmdline:*malformed*)
