ALPINE-CVE-2017-16544

ALPINE-CVE-2017-16544 PUBLISHED CVSS 8.800000190734863 HIGH

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

Risk Scores

CVSS v3.1

8.800000190734863

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.15	busybox	1.12.1-r5, 1.13.0-r0, 1.12.1-r6
Alpine:v3.18	busybox	1.26.1-r3, 1.27.2-r3, 1.12.1-r5
Alpine:v3.8	busybox	1.14.3-r1, 1.14.2-r2, 1.17.0-r2
Alpine:v3.11	busybox	1.25.0-r3, 0, 1.12.1-r1
Alpine:v3.22	busybox	0, 1.12.1-r6, 1.12.1-r5
Alpine:v3.17	busybox	0, 1.12.1-r1, 1.13.0-r0
Alpine:v3.20	busybox	1.21.1-r0, 1.27.2-r3, 1.27.2-r2
Alpine:v3.13	busybox	1.27.2-r2, 1.13.2-r5, 1.13.2-r4
Alpine:v3.16	busybox	1.13.2-r2, 0, 1.12.1-r1
Alpine:v3.5	busybox	1.19.3-r1, 0, 1.12.1-r1
Alpine:v3.23	busybox	1.24.1-r8, 1.27.0-r2, 1.16.0-r6
Alpine:v3.9	busybox	1.26.2-r0, 0, 1.12.1-r1
Alpine:v3.4	busybox	1.19.4-r1, 1.19.4-r2, 1.20.0-r4
Alpine:v3.12	busybox	1.19.4-r3, 1.24.2-r6, 1.14.1-r1
Alpine:v3.21	busybox	0, 1.17.1-r0, 1.18.2-r2
Alpine:v3.19	busybox	1.27.0-r0, 1.27.2-r3, 1.27.2-r2
Alpine:v3.10	busybox	1.12.1-r1, 1.17.0-r2, 1.17.0-r1
Alpine:v3.6	busybox	1.18.2-r1, 1.18.2-r2, 1.18.3-r0
Alpine:v3.7	busybox	1.22.1-r4, 1.27.2-r3, 1.27.2-r2
Alpine:v3.14	busybox	1.13.0-r0, 1.14.4-r0, 1.15.2-r0

…and 1 more

Timeline

Nov 20, 2017 CVE Published
Dec 3, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2017-16544 advisory

Open in Interactive Console →