CVE-2026-26157
Status: Deferred - Pending Action
Path Traversal in BusyBox Archive Extraction Enables Arbitrary File Overwrite

Publication date: 2026-02-11

Last updated on: 2026-06-02

Assigner: Red Hat, Inc.

Description
A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that, when extracted under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-02-11
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products (5 associated CPEs)

Vendor    Product   Version / Range
busybox   busybox   From 1.36.1 (exc)
busybox   busybox   From 1.36.1 (inc)
busybox   busybox   From 1.37.0 (inc)
busybox   busybox   to 1.36.1 (exc)
busybox   busybox   *
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability is a flaw in BusyBox's archive extraction utilities caused by incomplete path sanitization. Specifically, the function strip_unsafe_prefix() does not properly handle filenames with trailing ".." components, such as "logs/data/..". This allows an attacker to create malicious archive files that, when extracted under certain conditions, can write files outside the intended extraction directory.

The issue affects BusyBox versions 1.36.1, 1.37.0, and likely earlier versions, and impacts utilities like tar, unzip, rpm, ar, and dpkg. [1]

Impact Analysis

This vulnerability can lead to arbitrary file overwrite on the affected system. An attacker can exploit it to modify sensitive system files such as shell configuration files or cron jobs.

Such modifications may enable the attacker to execute arbitrary code, potentially compromising the system's security and integrity. [1]


Detection Guidance

This vulnerability affects BusyBox versions 1.36.1, 1.37.0, and likely earlier versions. Detection involves identifying whether these vulnerable versions of BusyBox are present on your system.

You can check the installed BusyBox version by running:

  busybox --help

or

  busybox | head -n 1

To detect exploitation attempts, monitor archive extraction activities involving the BusyBox tar, unzip, rpm, ar, or dpkg utilities, especially looking for extraction of archives containing filenames with trailing ".." components (e.g., "logs/data/.."), which may indicate maliciously crafted archives.

Additionally, search for unexpected file modifications outside intended extraction directories, particularly in sensitive system files such as shell configuration files or cron jobs. [1]
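As an added example (not from this page and not BusyBox's own code), the following pre-extraction check lets a defender audit an untrusted archive's member names before handing it to any extractor. It places a constructed stand-in for a leading-prefix stripper (a simplification, not BusyBox's strip_unsafe_prefix()) beside a component-walking check that accounts for ".." anywhere in the name, including trailing components, and applies that check to a constructed sample tar archive; the member names and archive are constructed for the demonstration.

```python
import io
import tarfile


def naive_strip_prefix(name: str) -> str:
    """Constructed stand-in for a leading-prefix stripper (NOT BusyBox's
    strip_unsafe_prefix()): it only removes leading '/' and '../' and leaves
    '..' components that appear later in the name untouched."""
    while True:
        if name.startswith("/"):
            name = name.lstrip("/")
        elif name.startswith("../"):
            name = name[3:]
        else:
            return name


def escapes_root(name: str) -> bool:
    """True if extracting this member name would land outside the extraction
    directory. Walks every component, so '..' anywhere (including trailing
    components such as 'logs/data/../../..') is accounted for."""
    if name.startswith("/"):
        return True
    depth = 0
    for part in name.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the extraction root
                return True
        else:
            depth += 1
    return False


def audit_archive(data: bytes) -> list[str]:
    """Return member names in a tar archive that would escape the extraction root."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [m.name for m in tf.getmembers() if escapes_root(m.name)]


def build_sample_tar(names: list[str]) -> bytes:
    """Constructed sample archive of empty regular files with the given names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for n in names:
            tf.addfile(tarfile.TarInfo(n), io.BytesIO(b""))
    return buf.getvalue()
```

Running audit_archive over an archive received from an untrusted source, and refusing to extract when it returns a non-empty list, is the check; the naive stripper is kept only to show which names a prefix-only sanitizer lets through.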

Mitigation Strategies

Immediate mitigation steps include:

  • Avoid extracting untrusted archive files using BusyBox utilities until a patched version is applied.
  • Restrict user permissions to prevent extraction in sensitive directories or locations where arbitrary file overwrite could cause harm.
  • Monitor and audit extraction activities for suspicious archive files containing path traversal components.
  • Update BusyBox to a version where this vulnerability is fixed once a patch is available.