
Cloud Vulnerability DB
A community-led vulnerabilities database
A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar function. The vulnerability was identified and reported on November 23, 2023, affecting the awk applet component of BusyBox (BusyBox Bug).
The vulnerability exists in the copyvar function at line 1064 of awk.c. Processing certain awk patterns can trigger a use-after-free condition there. The vulnerability has been assigned a CVSS 3.1 Base Score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, indicating a local attack vector, low attack complexity, no privileges required, user interaction required, no impact on confidentiality or integrity, and high impact on availability (NVD).
The vulnerability primarily affects system availability, with no direct impact on confidentiality or integrity. When successfully exploited, it can cause the awk component to crash due to memory corruption, potentially leading to denial of service (NVD).
The vulnerability has been fixed in BusyBox version 1.37.0 through commit 0256e00a9d077588bd3a39f5a1ef7e2eaa2911e4. However, this fix introduced a regression that was subsequently addressed by commit 38335df9e9f45378c3407defd38b5b610578bdda. Users are advised to upgrade to the fixed version (Debian Tracker).
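The following is an added example, not part of the original advisory or of BusyBox: a first-pass inventory check that reads a BusyBox banner and applet list and flags builds older than the 1.37.0 fix release that still ship the awk applet. The function names, result labels and sample banner are constructed for illustration; a `review` result only means the vendor tracker should be consulted, since distribution packages can carry backported fixes and the script does not verify that the follow-up regression commit is present.

```shell
#!/bin/sh
# Added example (not from the advisory): first-pass triage of a BusyBox build
# against the 1.37.0 fix release named above. Result labels are made up here.
FIXED="1.37.0"

# Pull "X.Y.Z" out of a banner line such as
# "BusyBox v1.36.1 (2023-05-18 10:00:00 UTC) multi-call binary."
bb_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^BusyBox v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed if X.Y.Z version $1 is numerically lower than $2 (1.9.0 < 1.37.0).
ver_lt() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # six fields: a1 a2 a3 b1 b2 b3
    IFS=$old_ifs
    [ "$1" -ne "$4" ] && { [ "$1" -lt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -lt "$5" ]; return; }
    [ "$3" -lt "$6" ]
}

# $1 = banner (first line printed by `busybox`), $2 = output of `busybox --list`
bb_classify() {
    v=$(bb_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return 0; fi
    # The flaw is in the awk applet; without the applet there is no awk to feed a pattern to.
    if ! printf '%s\n' "$2" | grep -qx awk; then echo "no-awk-applet:$v"; return 0; fi
    if ver_lt "$v" "$FIXED"; then echo "review:$v"; else echo "fixed-upstream:$v"; fi
}

# Constructed sample input, so the example runs without BusyBox installed.
SAMPLE_BANNER='BusyBox v1.36.1 (2023-05-18 10:00:00 UTC) multi-call binary.'
SAMPLE_APPLETS='ash
awk
cat'
bb_classify "$SAMPLE_BANNER" "$SAMPLE_APPLETS"

# Live check, only when a busybox binary is on PATH.
if command -v busybox >/dev/null 2>&1; then
    bb_classify "$(busybox 2>&1 | head -n 1)" "$(busybox --list 2>/dev/null)"
fi
```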
Source: This report was generated using AI