CVE-2026-26158
7.0 HIGH: A flaw was found in BusyBox
Published: 2026-02-11 · Last updated: 2026-06-02
Severity and scoring
- CVSS: 7.0 HIGH
- Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
- CWE: CWE-73 (External Control of File Name or Path)
Description
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If such an archive is extracted with elevated privileges, the flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.
Source: NVD
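The description names the entry classes that matter here: hardlink and symlink entries whose targets are not validated against the extraction directory. The following pre-extraction audit, added here as an example and not code from BusyBox, NVD or Red Hat, shows what such validation looks like from the defender's side. It assumes the archive is extracted into a single destination directory with '/'-separated member names, and it goes slightly beyond the description by also flagging member names that escape the root and files written through a symlink that an earlier entry created (the sample archive, the `app/...` names and the `audit_*` function names are all constructed for the example).

```python
"""Audit tar entries for link-based escapes before extracting.

Added example, not BusyBox code. Assumes the archive is extracted into one
destination directory and that member names use '/' as the separator.
"""
import io
import posixpath
import tarfile


def _inside_root(path: str) -> bool:
    """True if a '/'-separated path, resolved lexically, stays under the root."""
    if path.startswith("/"):
        return False
    norm = posixpath.normpath(path)
    return norm != ".." and not norm.startswith("../")


def audit_tar_members(tar: tarfile.TarFile) -> list[tuple[str, str]]:
    """Return (member_name, reason) for every entry that could write to, or
    point at, a location outside the extraction directory.

    Entries are examined in archive order so that a regular file whose path
    passes through a symlink created by an earlier entry is also reported:
    extracting it would follow that link to wherever it points.
    """
    findings: list[tuple[str, str]] = []
    symlinks_seen: set[str] = set()  # normalised names of symlink entries so far

    for m in tar.getmembers():
        name = posixpath.normpath(m.name)
        if not _inside_root(m.name):
            findings.append((m.name, "member path escapes extraction root"))
            continue

        # Walk the member's ancestors; any of them being an earlier symlink
        # means the write lands wherever that link resolves.
        parent = posixpath.dirname(name)
        while parent and parent != ".":
            if parent in symlinks_seen:
                findings.append((m.name, f"path traverses earlier symlink {parent!r}"))
                break
            parent = posixpath.dirname(parent)

        if m.issym():
            # A symlink target is resolved relative to the link's own directory;
            # posixpath.join returns an absolute target unchanged.
            target = posixpath.join(posixpath.dirname(name), m.linkname)
            if not _inside_root(target):
                findings.append((m.name, f"symlink target {m.linkname!r} escapes root"))
            symlinks_seen.add(name)
        elif m.islnk():
            # A hardlink target is a path relative to the archive/extraction root.
            if not _inside_root(m.linkname):
                findings.append((m.name, f"hardlink target {m.linkname!r} escapes root"))
    return findings


def audit_archive_bytes(data: bytes) -> list[tuple[str, str]]:
    """Convenience wrapper: audit an in-memory tar archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return audit_tar_members(tar)


def build_sample_archive() -> bytes:
    """Constructed in-memory archive used only to exercise the audit."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes = b"x") -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        def add_link(name: str, target: str, kind: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            tar.addfile(info)

        add_file("app/README")                              # benign file
        add_link("app/lib", "../app2", tarfile.SYMTYPE)     # benign: resolves to app2
        add_link("app/etc", "/etc", tarfile.SYMTYPE)        # absolute symlink target
        add_link("app/up", "../../outside", tarfile.SYMTYPE)  # relative target leaves root
        add_file("app/up/shadow")                           # written through app/up
        add_link("app/copy", "../secret", tarfile.LNKTYPE)  # hardlink target leaves root
        add_file("../escape")                               # member name leaves root
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in audit_archive_bytes(build_sample_archive()):
        print(f"REJECT {member}: {reason}")
```

The check is purely lexical and runs before anything touches the filesystem, which is the point: an extractor that validates link targets only after creating the link has already lost. In a real deployment the audit would also be paired with extracting as an unprivileged user, since the CVSS vector above (PR:N with high impact) reflects exactly the case where extraction happens with more privilege than the archive's author has.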
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-26158
- [Other] https://access.redhat.com/errata/RHSA-2026:13831
- [Other] https://access.redhat.com/security/cve/CVE-2026-26158
- [Other] https://bugzilla.redhat.com/show_bug.cgi?id=2439040
- [Other] https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
- [Other] https://cert-portal.siemens.com/productcert/html/ssa-253495.html
Related CVEs
Same CWE (CWE-73)
- CVE-2026-10303 — In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 be... (7.4 HIGH)
- CVE-2026-39006 — An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component (9.8 CRITICAL)
- CVE-2026-34030 — The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, does not sufficiently validate the branch code when a new branch i...
- CVE-2026-11527 — Config::IniFiles versions before 3.001000 for Perl allow OS command injection and file overwrite via a 2-arg open() of the -file argument... (8.6 HIGH)
- CVE-2026-11526 — GD versions before 2.86 for Perl allow OS command injection and file overwrite via a 2-arg open() of filename arguments in _make_filehandle (9.8 CRITICAL)