Insecure Archive Extraction in BusyBox Affects Multiple Versions
CVE-2026-26157

7HIGH

Key Information:

Vendor

Red Hat
Status
Red Hat Enterprise Linux 6
Red Hat Hardened Images
Vendor
CVE Published:
11 February 2026

What is CVE-2026-26157?

A vulnerability exists in the archive extraction utilities of BusyBox due to inadequate path sanitization. This weakness allows attackers to create malicious archives that, when extracted, can write files outside the designated directory. Under specific conditions, such actions may lead to the overwriting of critical system files, potentially enabling unauthorized code execution by compromising the integrity of the system.

References

https://access.redhat.com/security/cve/CVE-2026-26157
vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2439039
issue-trackingx_refsource_REDHAT
https://git.busybox.net/busybox/commit/archival?id=3fb6b3...

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.