CVE-2026-26158
Symlink/Hardlink Injection in BusyBox Tar Allows Privilege Escalation
Publication date: 2026-02-11
Last updated on: 2026-05-05
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| busybox | busybox | From 1.37.0 (inc) |
| busybox | busybox | to 1.36.1 (exc) |
| busybox | busybox | to 1.37.0 (exc) |
| busybox | busybox | 1.36.1 |
| busybox | busybox | 1.37.0 |
| busybox | busybox | From 1.36.1 (inc) |
| busybox | busybox | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in BusyBox's tar extraction component, where it fails to properly validate hardlink and symlink entries in tar archives.

An attacker can craft a malicious tar archive containing hardlinks or symlinks that point to files outside the intended extraction directory, including critical system files.

Because BusyBox does not check the target paths of these links, it allows modification of files outside the extraction directory, bypassing normal path traversal protections.

If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation by enabling unauthorized modification of important system files. [1]

How can this vulnerability impact me?
This vulnerability can allow an attacker to modify critical system files by extracting a specially crafted tar archive.
If extraction is done with elevated privileges, the attacker can escalate their privileges, gaining unauthorized access to sensitive parts of the system.
Such unauthorized modifications can compromise system integrity, potentially leading to system takeover, data breaches, or disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious tar archives containing crafted hardlink or symlink entries that point outside the intended extraction directory. Detection involves inspecting tar archives before extraction to identify suspicious hardlink or symlink entries with absolute or unexpected paths.

You can use commands to list and examine the contents of tar archives, focusing on hardlink and symlink entries and their targets.

- Use 'tar -tvf archive.tar' to list all files and links in the archive.
- Look for entries with 'h' (hardlink) or 'l' (symlink) in the listing and check their link targets for absolute paths or paths that traverse outside the intended extraction directory.
- Example command to extract link information: 'tar -tvf archive.tar | grep "^l"' to list symlinks.
- Manually verify that link targets do not point to critical system files like /etc/passwd or other absolute paths. [1]
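The manual check described above can be automated before extraction. The following is an added example, not code from this page or from BusyBox: it uses Python's standard `tarfile` module to flag link entries whose targets are absolute or resolve outside the extraction root. The function names and the sample archive are constructed for illustration.

```python
import io
import posixpath
import tarfile


def resolves_outside(member):
    """Return True if a link member's target is absolute or escapes the extraction root."""
    target = member.linkname
    if target.startswith("/"):
        return True
    # Symlink targets are relative to the link's own directory;
    # hardlink targets are relative to the archive root.
    base = posixpath.dirname(member.name) if member.issym() else ""
    resolved = posixpath.normpath(posixpath.join(base, target))
    return resolved == ".." or resolved.startswith("../")


def audit_links(fileobj):
    """List (kind, name, target) for every link entry that points outside the root."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as archive:
        for member in archive:
            if (member.issym() or member.islnk()) and resolves_outside(member):
                kind = "symlink" if member.issym() else "hardlink"
                findings.append((kind, member.name, member.linkname))
    return findings


def build_sample():
    """Constructed sample archive: one benign link and three escaping links."""
    buf = io.BytesIO()
    entries = [
        ("app/current", tarfile.SYMTYPE, "releases/v1"),   # stays inside the root
        ("app/conf", tarfile.SYMTYPE, "/etc"),              # absolute target
        ("app/data/up", tarfile.SYMTYPE, "../../../tmp"),   # traverses out of the root
        ("app/pw", tarfile.LNKTYPE, "../etc/passwd"),       # hardlink out of the root
    ]
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for name, kind, target in entries:
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = target
            archive.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for kind, name, target in audit_links(build_sample()):
        print(f"{kind}: {name} -> {target}")
```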
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid extracting untrusted tar archives with elevated privileges using BusyBox versions affected by this flaw.
Ensure that you update BusyBox to a patched version that validates hardlink and symlink targets during tar extraction.
As a temporary measure, manually inspect tar archives for malicious hardlink or symlink entries before extraction.
Limit extraction operations to non-privileged users or within isolated environments to reduce the risk of privilege escalation.