CVE-2026-26157
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Hardened Images | 1.37.0-7.2.hum1 < * | unaffected |
Weaknesses
- CWE-73: External Control of File Name or Path
Workarounds
As a prevention measure, avoid extracting archives from untrusted sources using BusyBox utilities. If extraction of untrusted archives is necessary, perform it within a highly isolated and restricted environment, such as a container with a read-only root filesystem and minimal privileges, to limit the potential impact of arbitrary file overwrites.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
Additional References
busybox: BusyBox: Arbitrary file overwrite and potential code execution via incomplete path sanitization
Additional References
- https://access.redhat.com/security/cve/CVE-2026-26157
- https://bugzilla.redhat.com/show_bug.cgi?id=2439039
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26157.json
- https://access.redhat.com/errata/RHSA-2026:13831
References
- https://access.redhat.com/errata/RHSA-2026:13831
- https://access.redhat.com/security/cve/CVE-2026-26157
- https://bugzilla.redhat.com/show_bug.cgi?id=2439039
- https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.