CVE-2026-26158 — External Control of File Name or Path in Busybox

CWE-73 — External Control of File Name or Path6 documents6 sources

Severity

7.0HIGHNVD

EPSS

0.0%

top 99.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox

Timeline

PublishedFeb 11

Description

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages2 packages

▶debiandebian/busybox< busybox 1:1.37.0-10.1 (forky)

▶Debianbusybox/busybox< 1:1.37.0-10.1

🔴Vulnerability Details

GHSA

GHSA-r8f8-4pgh-4m8v: A flaw was found in BusyBox↗2026-02-11

▶

OSV

CVE-2026-26158: A flaw was found in BusyBox↗2026-02-11

▶

📋Vendor Advisories

Red Hat

busybox: BusyBox: Arbitrary file modification and privilege escalation via unvalidated tar archive entries↗2026-02-11

▶

Debian

CVE-2026-26158: busybox - A flaw was found in BusyBox. This vulnerability allows an attacker to modify fil...↗2026

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26158 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶