CVE-2026-26158
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Hardened Images | 1.37.0-7.2.hum1 < * | unaffected |
Weaknesses
- CWE-73: External Control of File Name or Path
Workarounds
As a prevention measure, avoid extracting tar archives from untrusted sources using BusyBox, especially when operating with elevated privileges. If processing untrusted archives is unavoidable, ensure that the extraction process is performed within a strictly sandboxed environment with minimal permissions. This operational control reduces the risk of arbitrary file modification and privilege escalation.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
Additional References
busybox: BusyBox: Arbitrary file modification and privilege escalation via unvalidated tar archive entries
Additional References
- https://access.redhat.com/security/cve/CVE-2026-26158
- https://bugzilla.redhat.com/show_bug.cgi?id=2439040
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26158.json
- https://access.redhat.com/errata/RHSA-2026:13831
References
- https://access.redhat.com/errata/RHSA-2026:13831
- https://access.redhat.com/security/cve/CVE-2026-26158
- https://bugzilla.redhat.com/show_bug.cgi?id=2439040
- https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.