CVE-2021-42383: 
NixOS vulnerability analysis and mitigation

CVE-2021-42383 is a use-after-free vulnerability discovered in BusyBox's awk applet that was disclosed in November 2021. The vulnerability affects BusyBox versions up to 1.33.1 and leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function (JFrog Blog, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The issue occurs in the evaluate function of the awk applet when processing specially crafted awk patterns. This use-after-free condition can be triggered if an attacker can supply an arbitrary pattern to awk as the first positional argument (NetApp Advisory).

Successful exploitation of this vulnerability could lead to denial of service conditions and potentially remote code execution. The vulnerability affects multiple embedded systems, with research showing that approximately 40% of examined embedded firmware images contained a BusyBox executable linked with affected applets (JFrog Blog).

The vulnerability has been fixed in BusyBox version 1.34.0. For systems unable to upgrade, a workaround is available by disabling the awk applet functionality by commenting out CONFIG_AWK=y in the BusyBox configuration file before compilation (JFrog Blog).