Vulnerability Description
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2026:13831
- https://access.redhat.com/security/cve/CVE-2026-26158
- https://bugzilla.redhat.com/show_bug.cgi?id=2439040
- https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31b
FAQ
What is CVE-2026-26158?
CVE-2026-26158 is a vulnerability with a CVSS score of 7.0 (HIGH). A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or s...
How severe is CVE-2026-26158?
CVE-2026-26158 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-26158?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.