decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data. CREATE(Triage):(User=admin) [CVE-2021-28831|https://nvd.nist.gov/vuln/detail/CVE-2021-28831]