CVE-2026-26157
7.0 HIGH
A flaw was found in BusyBox
Published: 2026-02-11 · Last updated: 2026-06-02
Severity and scoring
- CVSS: 7.0 HIGH
- Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- CWE: CWE-73 (External Control of File Name or Path)
Description
A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that, when extracted under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.
Source: NVD
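As an added illustration of the kind of check the description refers to (example code written for this page, not BusyBox's archival code and not the fix in the referenced commit): a lexical sanitizer for archive member names that rejects absolute paths and ".." components before the name is joined to the extraction directory. The function names, the sample member names and the destination directory are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lexical check on an archive member name before it is joined to the
 * extraction directory. Rejects names that could escape the destination:
 * empty names, absolute paths, and any ".." path component. The function
 * name and policy are this example's own, not BusyBox's. */
bool archive_member_path_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return false;
    if (*name == '/')            /* absolute path: would bypass the dest dir */
        return false;

    const char *p = name;
    while (*p != '\0') {
        /* find the end of the current path component */
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;        /* ".." component: climbs out of dest */
        if (end == NULL)
            break;
        p = end + 1;
    }
    return true;
}

/* Builds "<dest>/<name>" only when the member name passed the check.
 * Returns the number of bytes written (excluding the NUL) or -1 if the
 * name was rejected or the result would not fit in the buffer. */
int join_extraction_path(char *out, size_t outsz, const char *dest, const char *name)
{
    if (!archive_member_path_is_safe(name))
        return -1;
    /* drop a leading "./" so "./etc/x" and "etc/x" map to the same place */
    while (name[0] == '.' && name[1] == '/')
        name += 2;
    int n = snprintf(out, outsz, "%s/%s", dest, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

/* Constructed sample member names, as an archive header might carry them. */
static const char *const sample_names[] = {
    "etc/motd",           /* ordinary relative path: accepted */
    "./bin/tool",         /* leading "./": accepted */
    "../../etc/passwd",   /* climbs out of dest: rejected */
    "/etc/passwd",        /* absolute: rejected */
    "data/../../secret",  /* ".." in the middle: rejected */
    "data/..hidden",      /* "..hidden" is an ordinary name: accepted */
};

int main(void)
{
    char buf[256];
    for (size_t i = 0; i < sizeof sample_names / sizeof sample_names[0]; i++) {
        int n = join_extraction_path(buf, sizeof buf, "/tmp/extract", sample_names[i]);
        printf("%-20s -> %s\n", sample_names[i], n < 0 ? "REJECTED" : buf);
    }
    return 0;
}
```

A lexical check like this is the first line of defence an extractor needs; it does not by itself cover every way a destination can be escaped (for example, entries that point through a symbolic link the archive created earlier), so a hardened extractor also applies its policy to link targets and to the directory it is actually writing into.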
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-26157
- [Other] https://access.redhat.com/errata/RHSA-2026:13831
- [Other] https://access.redhat.com/security/cve/CVE-2026-26157
- [Other] https://bugzilla.redhat.com/show_bug.cgi?id=2439039
- [Other] https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
- [Other] https://cert-portal.siemens.com/productcert/html/ssa-253495.html
Related CVEs
Same CWE
- CVE-2026-10303 — In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 be... (7.4 HIGH)
- CVE-2026-39006 — An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component (9.8 CRITICAL)
- CVE-2026-34030 — The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not sufficiently validate the branch code when a new branch i...
- CVE-2026-11527 — Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument... (8.6 HIGH)
- CVE-2026-11526 — GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle (9.8 CRITICAL)