What the vulnerability does

01Description

An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

Key dates

02Disclosure timeline

November 15, 2021 CVE published
November 3, 2025 Record updated