diff --git a/main/busybox/0018-awk.c-fix-CVE-2023-42366-bug-15874.patch b/main/busybox/0018-awk.c-fix-CVE-2023-42366-bug-15874.patch
new file mode 100644
index 0000000000000000000000000000000000000000..177e174b4937ae816a9952c9574e173f89895b63
--- /dev/null
+++ b/main/busybox/0018-awk.c-fix-CVE-2023-42366-bug-15874.patch
@@ -0,0 +1,34 @@
+From 5cf8b332429a1dd9afef3337bae92aeddaeff993 Mon Sep 17 00:00:00 2001
+From: Valery Ushakov <uwe@stderr.spb.ru>
+Date: Wed, 24 Jan 2024 22:24:41 +0300
+Subject: [PATCH] awk.c: fix CVE-2023-42366 (bug #15874)
+
+Make sure we don't read past the end of the string in next_token()
+when backslash is the last character in an (invalid) regexp.
+
+https://bugs.busybox.net/show_bug.cgi?id=15874
+---
+ editors/awk.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/editors/awk.c b/editors/awk.c
+index 728ee8685..be48df7c7 100644
+--- a/editors/awk.c
++++ b/editors/awk.c
+@@ -1165,9 +1165,11 @@ static uint32_t next_token(uint32_t expected)
+ s[-1] = bb_process_escape_sequence((const char **)&pp);
+ if (*p == '\\')
+ *s++ = '\\';
+- if (pp == p)
++ if (pp == p) {
++ if (*p == '\0')
++ syntax_error(EMSG_UNEXP_EOS);
+ *s++ = *p++;
+- else
++ } else
+ p = pp;
+ }
+ }
+--
+2.34.1
+
diff --git a/main/busybox/APKBUILD b/main/busybox/APKBUILD
index c91ed6727f6d1286bb653cf01f4446dd77b60b05..b28c3efba1df5a9d12dca7206b11ef1084a673f3 100644
--- a/main/busybox/APKBUILD
+++ b/main/busybox/APKBUILD
@@ -5,7 +5,7 @@
# Maintainer: Sören Tempel <soeren+alpine@soeren-tempel.net>
pkgname=busybox
pkgver=1.35.0
-pkgrel=17
+pkgrel=18
pkgdesc="Size optimized toolbox of many common UNIX utilities"
url="https://busybox.net/"
arch="all"
@@ -44,6 +44,7 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch
0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch
0017-ash-Fix-use-after-free-on-idx-variable.patch
+ 0018-awk.c-fix-CVE-2023-42366-bug-15874.patch
0001-ash-add-built-in-BB_ASH_VERSION-variable.patch
@@ -68,6 +69,8 @@ source="https://busybox.net/downloads/busybox-$pkgver.tar.bz2
"
# secfixes:
+# 1.35.0-r18:
+# - CVE-2023-42366
# 1.35.0-r15:
# - CVE-2022-30065
# 1.35.0-r7:
@@ -306,6 +309,7 @@ ecbe5c890d966f09280c7eb534109f785c68e292765f17ed7ff62fcc61d20f61443c4155add0a1eb
0040800382a6e3adcc6a8094b821488c7e297fc80304afba23a4fca43b7b26ac699378dfbd930ebbf9985336b3e431301f7ca93e2d041a071902a48740d263ef 0015-ed-don-t-use-memcpy-with-overlapping-memory-regions.patch
4c95dc4bf6aff9018bfb52b400f6d8375a1d22493b44ea516cb12dba6556f12797a3cba55768d2e59ff57c0f3247ec1ff95edb8f17561f3d37ec18d83ca47eb0 0016-ash-don-t-read-past-end-of-var-in-subvareval-for-bas.patch
ccdf098fb15eaa316708181469a1193d6eec7067131e7b7645e0219bf03cfd07f4f79e8f62c1e560f6146dcc38186a29bdee08aaa39f290e11d020b8f07d2f65 0017-ash-Fix-use-after-free-on-idx-variable.patch
+bff815bf9c8cd0856dde87eb90e2fe56f105dccb426e4f5da9425e30d449d7ee7ccc3b3324aee5136b276678e7be12afbcc368c7ca92d2c1bdcf22ed92ea1f4f 0018-awk.c-fix-CVE-2023-42366-bug-15874.patch
6d100fe44da2b97c2cbdda253d0504b487212d195144d9315cddbe8c51d18fae3745701923b170b40e35f54b592f94f02cadbffd9cb716661c12a7f1da022763 0001-ash-add-built-in-BB_ASH_VERSION-variable.patch
e33dbc27d77c4636f4852d5d5216ef60a9a4343484e4559e391c13c813bf65c782b889914eff2e1f038d74cf02cb0d23824ebbb1044b5f8c86260d5a1bbc4e4d 0001-pgrep-add-support-for-matching-against-UID-and-RUID.patch
b4b8195390da70c96503e66e18420b8aea5754f64300082632fcaccd4ebe86cb771d6d4b912f5162e0538e6f756a9377689ad9a138f683cd729c3f54770304bf 0001-avoid-redefined-warnings-when-building-with-utmps.patch