PT-2026-7666 · Busybox · Busybox

Denys Vlasenko · Published 2026-02-11 · Updated 2026-05-05 · CVE-2026-26158

CVSS v3.1: 7.0 High

Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

BusyBox (affected versions not specified)

Description

A flaw exists in BusyBox that allows an attacker to modify files outside the intended extraction directory. This is achieved by creating a malicious tar archive with unvalidated hardlink or symlink entries. If the archive is extracted with elevated privileges, it can lead to privilege escalation and unauthorized access to critical system files.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

LPE

Weakness Enumeration

Related Identifiers

AZL-77606
AZL-77613
CVE-2026-26158
OESA-2026-1544
OPENSUSE-SU-2026:10231-1
OPENSUSE-SU-2026:20387-1
RHSA-2026:13831
SUSE-SU-2026:0758-1
SUSE-SU-2026:0759-1
SUSE-SU-2026:0872-1
SUSE-SU-2026:0892-1
SUSE-SU-2026:20905-1

Affected Products

Busybox