{"api_version":"1","generated_at":"2026-05-06T09:54:50+00:00","cve":"CVE-2026-26158","urls":{"html":"https://cve.report/CVE-2026-26158","api":"https://cve.report/api/cve/CVE-2026-26158.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-26158","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-26158"},"summary":{"title":"Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries","description":"A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-02-11 21:16:21","updated_at":"2026-05-05 21:16:21"},"problem_types":["CWE-73","CWE-73 External Control of File Name or Path"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Secondary","score":"7","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb","name":"https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2439040","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2439040","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-26158","name":"https://access.redhat.com/security/cve/CVE-2026-26158","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/errata/RHSA-2026:13831","name":"https://access.redhat.com/errata/RHSA-2026:13831","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-26158","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26158","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat Hardened Images","version":"unaffected 1.37.0-7.2.hum1 * rpm","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Enterprise Linux 6","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-02-11T18:09:00.001Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-02-11T00:00:00.000Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"As a prevention measure, avoid extracting tar archives from untrusted sources using BusyBox, especially when operating with elevated privileges. If processing untrusted archives is unavoidable, ensure that the extraction process is performed within a strictly sandboxed environment with minimal permissions. This operational control reduces the risk of arbitrary file modification and privilege escalation.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Red Hat would like to thank Calil Khalil (Hakal) for reporting this issue.","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"26158","cve":"CVE-2026-26158","epss":"0.000060000","percentile":"0.003210000","score_date":"2026-05-05","updated_at":"2026-05-06 00:08:09"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-26158","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-02-12T04:55:24.841610Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-26T14:44:23.355Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://catalog.redhat.com/software/containers/","cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","packageName":"busybox-main","product":"Red Hat Hardened Images","vendor":"Red Hat","versions":[{"lessThan":"*","status":"unaffected","version":"1.37.0-7.2.hum1","versionType":"rpm"}]},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"unknown","packageName":"busybox","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"}],"credits":[{"lang":"en","value":"Red Hat would like to thank Calil Khalil (Hakal) for reporting this issue."}],"datePublic":"2026-02-11T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-73","description":"External Control of File Name or Path","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-05T20:32:18.509Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"name":"RHSA-2026:13831","tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:13831"},{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-26158"},{"name":"RHBZ#2439040","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2439040"},{"url":"https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb"}],"timeline":[{"lang":"en","time":"2026-02-11T18:09:00.001Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-11T00:00:00.000Z","value":"Made public."}],"title":"Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries","workarounds":[{"lang":"en","value":"As a prevention measure, avoid extracting tar archives from untrusted sources using BusyBox, especially when operating with elevated privileges. If processing untrusted archives is unavoidable, ensure that the extraction process is performed within a strictly sandboxed environment with minimal permissions. This operational control reduces the risk of arbitrary file modification and privilege escalation."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-73: External Control of File Name or Path"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-26158","datePublished":"2026-02-11T20:27:06.979Z","dateReserved":"2026-02-11T17:05:41.991Z","dateUpdated":"2026-05-05T20:32:18.509Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-11 21:16:21","lastModifiedDate":"2026-05-05 21:16:21","problem_types":["CWE-73","CWE-73 External Control of File Name or Path"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"26158","Ordinal":"1","Title":"Busybox: busybox: arbitrary file modification and privilege esca","CVE":"CVE-2026-26158","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"26158","Ordinal":"1","NoteData":"A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.","Type":"Description","Title":"Busybox: busybox: arbitrary file modification and privilege esca"}]}}}