exploitDog
CVE-2026-26158

Published: 11 Feb 2026
Source: redhat
CVSS3: 7
EPSS: Low

Description

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

Mitigation

As a prevention measure, avoid extracting tar archives from untrusted sources using BusyBox, especially when operating with elevated privileges. If processing untrusted archives is unavoidable, ensure that the extraction process is performed within a strictly sandboxed environment with minimal permissions. This operational control reduces the risk of arbitrary file modification and privilege escalation.

Affected packages

Platform | Package | State | Recommendation | Release
Red Hat Enterprise Linux 6 | busybox | Out of support scope | |

Additional information

Status: Important
Defect: CWE-73
https://bugzilla.redhat.com/show_bug.cgi?id=2439040
busybox: BusyBox: Arbitrary file modification and privilege escalation via unvalidated tar archive entries

EPSS: 0.00005 (Low), percentile: 0%

CVSS3: 7 High

Related vulnerabilities

CVSS3: 7
ubuntu
about 1 month ago

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

CVSS3: 7
nvd
about 1 month ago

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

CVSS3: 7
debian
about 1 month ago

A flaw was found in BusyBox. This vulnerability allows an attacker to ...

CVSS3: 7
github
about 1 month ago

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

suse-cvrf
25 days ago

Security update for busybox