[PATCH] CVE-2024-58251 - ANSI terminal escape sequence potential local denial of service

Kyle Steere kyle.steere at chainguard.dev
Thu Aug 21 22:56:20 UTC 2025 

Prevent escape sequence from causing denial of service
Potentially fixes issue #15922

From: Kyle Steere <kyle.steere at chainguard.dev>
Date: Thu, 21 Aug 2025 14:00:00 -0500
Subject: [PATCH] Fix CVE-2024-58251 - sanitize process names when calling
netstat

In BusyBox netstat, local users can launch a network application with an
argv[0] containing ANSI terminal escape sequences, leading to a denial of
service (terminal locked up) when netstat is used by a victim.

This patch sanitizes the process name before storing it in the cache,
replacing any non-printable characters (including escape sequences) with
'?'.

CVE-2024-58251: https://nvd.nist.gov/vuln/detail/CVE-2024-58251

Signed-off-by: Kyle Steere <kyle.steere at chainguard.dev>
---
 networking/netstat.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/networking/netstat.c
+++ b/networking/netstat.c
@@ -316,7 +316,11 @@ static int FAST_FUNC dir_act(struct recursive_state
*state,

  /* go through all files in /proc/PID/fd and check whether they are
sockets */
  strcpy(proc_pid_fname + len - (sizeof("cmdline")-1), "fd");
- pid_slash_progname = concat_path_file(pid, bb_basename(cmdline_buf)); /*
"PID/argv0" */
+
+ /* Sanitize the program name to prevent ANSI escape sequences
(CVE-2024-58251) */
+ /* printable_string() returns a string with non-printable chars replaced
by '?' */
+ const char *sanitized_name = printable_string(bb_basename(cmdline_buf));
+ pid_slash_progname = concat_path_file(pid, sanitized_name); /*
"PID/argv0" */
  n = recursive_action(proc_pid_fname,
  ACTION_RECURSE | ACTION_QUIET,
  add_to_prg_cache_if_socket,


Kyle Steere

Senior Software Engineer

Chainguard

kyle.steere at chainguard.dev  | chainguard.dev <http://www.chainguard.dev>

<https://github.com/chainguard-dev>
<https://www.linkedin.com/company/chainguard-dev/>
<https://x.com/chainguard_dev>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/busybox/attachments/20250821/7fd7ea17/attachment.htm>

More information about the busybox mailing list