CVE-2026-26157
Path Traversal in BusyBox Archive Extraction Enables Arbitrary File Overwrite
Publication date: 2026-02-11
Last updated on: 2026-05-05
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| busybox | busybox | From 1.36.1 (exc) |
| busybox | busybox | From 1.36.1 (inc) |
| busybox | busybox | From 1.37.0 (inc) |
| busybox | busybox | to 1.36.1 (exc) |
| busybox | busybox | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in BusyBox's archive extraction utilities caused by incomplete path sanitization. Specifically, the function strip_unsafe_prefix() does not properly handle filenames with trailing ".." components, such as "logs/data/..". This allows an attacker to create malicious archive files that, when extracted under certain conditions, can write files outside the intended extraction directory.

The issue affects BusyBox versions 1.36.1, 1.37.0, and likely earlier versions, and impacts utilities like tar, unzip, rpm, ar, and dpkg. [1]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary file overwrite on the affected system. An attacker can exploit it to modify sensitive system files such as shell configuration files or cron jobs.

Such modifications may enable the attacker to execute arbitrary code, potentially compromising the system's security and integrity. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects BusyBox versions 1.36.1, 1.37.0, and likely earlier versions. Detection involves identifying whether these vulnerable versions of BusyBox are present on your system.

You can check the installed BusyBox version with either of the following commands; the first line of the output is the version banner (for example "BusyBox v1.36.1 (...) multi-call binary"):
- busybox --help
- busybox | head -n 1

To detect exploitation attempts, monitor archive extraction activity involving the BusyBox tar, unzip, rpm, ar, or dpkg utilities, especially extraction of archives containing filenames with trailing ".." components (e.g., "logs/data/.."), which may indicate maliciously crafted archives.

Additionally, search for unexpected file modifications outside intended extraction directories, particularly in sensitive system files such as shell configuration files or cron jobs. [1]
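The two points above (a prefix-only sanitizer misses "logs/data/..", and untrusted archives should be inspected for such names before any extractor touches them) can be shown together. The following is an added example written for this page, not BusyBox code: strip_unsafe_prefix_naive() is an illustration of the "strip leading prefixes only" behaviour the explanation describes and is not BusyBox's own strip_unsafe_prefix(); the archive built by build_sample_archive() is constructed in memory, and its entry names are illustrative shapes, not a captured exploit.

```python
# Added example for this page (not BusyBox's code): contrasts a prefix-only
# sanitizer with a component-wise check, and scans a tar listing for entries
# that should never be extracted, whatever tool does the extraction.
import io
import tarfile
from typing import Optional


def strip_unsafe_prefix_naive(name: str) -> str:
    """Prefix-only sanitizer modelled on the behaviour the advisory describes:
    it strips a leading "/" or "../" and nothing else. This is an illustration
    written for this page; it is NOT BusyBox's strip_unsafe_prefix()."""
    while True:
        if name.startswith("/"):
            name = name.lstrip("/")
        elif name.startswith("../"):
            name = name[3:]
        elif name == "..":
            name = ""
        else:
            return name


def dotdot_components(name: str) -> list:
    """Return every ".." component of an entry name, wherever it sits.
    Splitting on "/" sees a trailing ".." ("logs/data/..") as well as a
    leading or middle one, which the prefix-only strip above does not."""
    return [c for c in name.split("/") if c == ".."]


def entry_is_unsafe(info: tarfile.TarInfo) -> Optional[str]:
    """Reason string if this entry must not be extracted, else None.

    A purely lexical resolution of the name is not enough: if an earlier
    entry created logs/data as a symlink, the kernel resolves "logs/data/.."
    relative to the link target, not to the extraction directory. So reject
    any ".." component outright, plus absolute names and symlinks whose
    target points outside."""
    if info.name.startswith("/"):
        return "absolute path"
    if dotdot_components(info.name):
        return '".." component in name'
    if info.issym() and (
        info.linkname.startswith("/") or dotdot_components(info.linkname)
    ):
        return "symlink target leaves extraction dir"
    return None


def scan_archive(data: bytes) -> dict:
    """Map each unsafe entry name to the reason it was flagged.
    Only the listing is read; nothing is extracted."""
    findings = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for info in tf:
            reason = entry_is_unsafe(info)
            if reason:
                findings[info.name] = reason
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign file plus entries of the kinds
    the scanner should flag. Names are illustrative, not a captured exploit."""
    buf = io.BytesIO()
    payload = b"hello\n"
    with tarfile.open(fileobj=buf, mode="w") as tf:
        good = tarfile.TarInfo("logs/app.log")
        good.size = len(payload)
        tf.addfile(good, io.BytesIO(payload))

        trailing = tarfile.TarInfo("logs/data/..")   # the shape the advisory names
        trailing.type = tarfile.DIRTYPE
        tf.addfile(trailing)

        middle = tarfile.TarInfo("logs/../../etc/cron.d/job")
        middle.size = len(payload)
        tf.addfile(middle, io.BytesIO(payload))

        absolute = tarfile.TarInfo("/etc/profile")
        absolute.size = len(payload)
        tf.addfile(absolute, io.BytesIO(payload))

        link = tarfile.TarInfo("logs/data")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tf.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    print(strip_unsafe_prefix_naive("../../etc/passwd"))  # leading prefix stripped
    print(strip_unsafe_prefix_naive("logs/data/.."))       # left untouched
    for name, why in scan_archive(build_sample_archive()).items():
        print(f"{name}: {why}")
```

Run it against a real download by replacing build_sample_archive() with the file's bytes; an archive with any finding should be discarded rather than extracted, regardless of which tar implementation would do the extraction. The scanner deliberately does not try to resolve "logs/data/.." back to "logs", because that lexical answer is exactly what a symlink created by an earlier entry can invalidate at extraction time.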
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Avoid extracting untrusted archive files using BusyBox utilities until a patched version is applied.
- Restrict user permissions to prevent extraction in sensitive directories or locations where arbitrary file overwrite could cause harm.
- Monitor and audit extraction activities for suspicious archive files containing path traversal components.
- Update BusyBox to a version where this vulnerability is fixed once a patch is available.