PT-2026-7666 · Busybox · Busybox

Denys Vlasenko · Published 2026-02-11 · Updated 2026-03-18 · CVE-2026-26158

CVSS v3.1: 7.0 High (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Name of the Vulnerable Software and Affected Versions

BusyBox (affected versions not specified)

Description

A flaw exists in BusyBox that allows an attacker to modify files outside the intended extraction directory. This is achieved by creating a malicious tar archive with unvalidated hardlink or symlink entries. If the archive is extracted with elevated privileges, it can lead to privilege escalation and unauthorized access to critical system files.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Related Identifiers

CVE-2026-26158
OESA-2026-1544
OPENSUSE-SU-2026:10231-1
OPENSUSE-SU-2026:20387-1
SUSE-SU-2026:0758-1
SUSE-SU-2026:0759-1
SUSE-SU-2026:0872-1
SUSE-SU-2026:0892-1

Affected Products

Busybox