PT-2026-7665 · Busybox · Busybox

Denys Vlasenko · Published 2026-02-11 · Updated 2026-05-05 · CVE-2026-26157

CVSS v3.1: 7.0 (High)

Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

BusyBox (affected versions not specified)

Description

A flaw exists in BusyBox’s archive extraction utilities due to incomplete path sanitization. An attacker can create malicious archives that, when extracted under specific conditions, may allow writing to files outside the intended directory. This could lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

LPE

Weakness Enumeration

Related Identifiers

AZL-77603
AZL-77610
CVE-2026-26157
ECHO-8F94-ADFC-30E7
OESA-2026-1544
OPENSUSE-SU-2026:10258-1
OPENSUSE-SU-2026:20387-1
RHSA-2026:13831
SUSE-SU-2026:0758-1
SUSE-SU-2026:0759-1
SUSE-SU-2026:0872-1
SUSE-SU-2026:0892-1
SUSE-SU-2026:20905-1

Affected Products

Busybox