{"id":"CVE-2017-16544","details":"In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames, so any escape sequences embedded in a filename are written to the terminal and interpreted by it. This could potentially result in code execution, arbitrary file writes, or other attacks.","modified":"2026-03-20T11:19:30.257427Z","published":"2017-11-20T15:29:00.387Z","related":["SUSE-SU-2022:0135-1","SUSE-SU-2022:0135-2","SUSE-SU-2022:3959-1","SUSE-SU-2022:4253-1","openSUSE-SU-2022:0135-1","openSUSE-SU-2024:11738-1"],"references":[{"type":"ADVISORY","url":"http://www.vmware.com/security/advisories/VMSA-2019-0013.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3935-1/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html"},{"type":"ADVISORY","url":"https://us-cert.cisa.gov/ics/advisories/icsa-20-240-01"},{"type":"ADVISORY","url":"https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/"},{"type":"FIX","url":"https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2021/Jan/39"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/167552/Nexans-FTTO-GigaSwitch-Outdated-Components-Hardcoded-Backdoor.html"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2019/Jun/18"},{"type":"EVIDENCE","url":"https://seclists.org/bugtraq/2019/Jun/14"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/154361/Cisco-Device-Hardcoded-Credentials-GNU-glibc-BusyBox.html"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2019/Sep/7"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2020/Sep/6"},{"type":"EVIDENCE","url":"https://seclists.org/bugtraq/2019/Sep/7"},{"type":"EVIDENCE","url
":"http://packetstormsecurity.com/files/154536/VMware-Security-Advisory-2019-0013.html"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2020/Aug/20"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2020/Mar/15"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2022/Jun/36"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2021/Aug/21"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mirror/busybox","events":[{"introduced":"0"},{"last_affected":"81e26c4b8ed2d3f9e65c39d583b9daf3082b2ab7"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.27.2"}]}}],"versions":["0_29alpha2","0_32","0_33","0_34","0_36","0_39","0_40","0_41","0_42","0_43","0_43pre1","0_45","0_46","0_47","0_48","0_49","0_50","0_51","0_52","0_60_0","0_60_1","0_60_2","0_60_3","0_60_4","0_60_5","1_00","1_00_pre1","1_00_pre10","1_00_pre2","1_00_pre3","1_00_pre4","1_00_pre5","1_00_pre6","1_00_pre7","1_00_pre8","1_00_pre9","1_00_rc1","1_00_rc2","1_00_rc3","1_10_0","1_12_0","1_14_0","1_15_0","1_16_0","1_17_0","1_18_0","1_19_0","1_1_0","1_1_1","1_20_0","1_21_0","1_22_0","1_23_0","1_24_0","1_25_0","1_26_0","1_27_0","1_27_1","1_27_2","1_2_0","1_4_0","1_8_0","1_9_0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-1"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-1a"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-1b"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-2"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-3"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-3a"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201504401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201505401"}]},{"events":[
{"introduced":"0"},{"last_affected":"6.0-600\\-201507101"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201507102"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201507401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201507402"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201507403"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201507404"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201507405"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201507406"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201507407"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509101"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509102"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509201"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509202"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509203"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509204"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509205"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509206"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509207"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509208"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509209"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201509210"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201510401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201511401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201601101"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201601102"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201601401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201601402"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201601403
"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201601404"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201601405"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201602401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603101"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603102"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603201"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603202"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603203"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603204"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603205"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603206"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603207"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201603208"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201605401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201608101"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201608401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201608402"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201608403"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201608404"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201608405"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201610410"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201611401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201611402"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201611403"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702101"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702102"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702201"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0
-600\\-201702202"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702203"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702204"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702205"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702206"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702207"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702208"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702209"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702210"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702211"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201702212"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201703401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201706101"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201706102"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201706103"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201706401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201706402"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201706403"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201710301"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201811001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201811401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201903001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201905001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.0-600\\-201909001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201701001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201703001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201703002"}]},{"events":[{"introduced":"0"},{"last_affected":"
6.5-650\\-201704001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707101"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707102"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707103"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707201"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707202"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707203"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707204"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707205"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707206"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707207"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707208"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707209"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707210"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707211"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707212"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707213"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707214"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707215"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707216"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707217"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707218"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707219"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707220"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201707221"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201710001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201712001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201803001"}]},{"events":[{"introduced":"0"},{"
last_affected":"6.5-650\\-201806001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201808001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201810001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201810002"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201811001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201811002"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201811301"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201901001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201903001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.5-650\\-201905001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201806001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201807001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201808001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810101"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810102"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810103"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810201"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810202"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810203"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810204"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810205"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810206"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810207"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810208"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810209"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810210"}]},{"events":[{"introduced":"0"}
,{"last_affected":"6.7-670\\-201810211"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810212"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810213"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810214"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810215"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810216"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810217"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810218"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810219"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810220"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810221"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810222"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810223"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810224"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810225"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810226"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810227"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810228"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810229"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810230"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810231"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810232"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810233"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201810234"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201811001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201901001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201901401"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201901402"}]},{"events":[{"
introduced":"0"},{"last_affected":"6.7-670\\-201901403"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201903001"}]},{"events":[{"introduced":"0"},{"last_affected":"6.7-670\\-201904001"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-16544.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}