Description
A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that, when extracted and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.
Published: 2026-02-11
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary file overwrite with potential code execution
Action: Apply Workaround
AI Analysis

Impact

The vulnerability resides in BusyBox's archive extraction utilities, which fail to fully sanitize paths. An attacker can embed specially crafted archive entries that, when extracted, write to directories outside the intended extraction location. This results in arbitrary file overwrite and, if critical configuration or binary files are altered, can lead to remote code execution or system compromise. The weakness is a classic path traversal flaw (CWE‑73).

Affected Systems

The flaw affects BusyBox installations in Red Hat Enterprise Linux 6 and Red Hat Hardened Images. Any systems running these distributions with BusyBox's default archive extraction utilities exposed to untrusted archives are at risk.

Risk and Exploitability

The CVSS score is 7, indicating a high‑severity vulnerability. The EPSS score is below 1 %, suggesting that while exploitation is currently unlikely, the risk remains due to the high severity and lack of existing mitigations. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires that an attacker be able to supply a malicious archive; therefore, limiting exposure to untrusted archives and applying isolation mitigations greatly reduces the risk.

Generated by OpenCVE AI on April 15, 2026 at 21:11 UTC.

Remediation

Vendor Workaround

As a prevention measure, avoid extracting archives from untrusted sources using BusyBox utilities. If extraction of untrusted archives is necessary, perform it within a highly isolated and restricted environment, such as a container with a read-only root filesystem and minimal privileges, to limit the potential impact of arbitrary file overwrites.


OpenCVE Recommended Actions

  • Avoid extracting archives from untrusted sources using BusyBox utilities. If extraction is necessary, perform it inside a container with a read‑only root filesystem and minimal privileges.
  • Remove or disable the vulnerable BusyBox archive utilities (e.g., tar, ar, cpio) where possible, or replace them with standalone tools that enforce proper path sanitization.
  • Apply any vendor‑issued updates or patches to BusyBox that resolve the incomplete path sanitization flaw, and verify that Red Hat Enterprise Linux 6 and Red Hat Hardened Images include the fixed version.
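
As an added illustration (not code from the advisory, Red Hat or BusyBox): a pre-extraction check that reads only the headers of a tar archive and reports entries that would land outside the destination. The page does not describe the exact conditions of this flaw, so the check covers the general classes (absolute paths, `..` components, links pointing outside); the names `unsafe_members`, `build_sample` and the path `/srv/extract` are assumptions, and the sample archive is constructed.

```python
import io
import os
import tarfile

def unsafe_members(tar_bytes, dest="/srv/extract"):
    """Return (name, reason) for each entry that could write outside dest.
    Only archive headers are read; nothing is extracted to disk."""
    dest = os.path.abspath(dest)
    findings = []

    def escapes(path, base):
        # Lexical resolution against base, then compare whole path components.
        full = os.path.normpath(os.path.join(base, path))
        return os.path.commonpath([dest, full]) != dest

    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            link_base = os.path.dirname(os.path.join(dest, m.name))
            if os.path.isabs(m.name):
                findings.append((m.name, "absolute path"))
            elif escapes(m.name, dest):
                findings.append((m.name, "escapes destination"))
            elif m.issym() and escapes(m.linkname, link_base):
                # Flagging the link also covers later entries written through it.
                findings.append((m.name, "symlink points outside"))
            elif m.islnk() and escapes(m.linkname, dest):
                findings.append((m.name, "hard link points outside"))
    return findings

def build_sample():
    """Constructed sample archive: one benign entry and three hostile ones."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("docs/readme.txt", "../../etc/cron.d/job", "/tmp/abs.txt"):
            info = tarfile.TarInfo(name)
            info.size = 1
            tar.addfile(info, io.BytesIO(b"x"))
        link = tarfile.TarInfo("docs/out")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample()):
        print(f"REJECT {name}: {reason}")
```

An archive with any finding should be refused whole rather than extracted with the flagged entries skipped.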

Advisories

No advisories yet.

History

Tue, 05 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
References | |

Fri, 03 Apr 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat hummingbird
CPEs | | cpe:/a:redhat:hummingbird:1
Vendors & Products | | Redhat hummingbird

Thu, 12 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Red Hat; Red Hat enterprise Linux
Vendors & Products | | Red Hat; Red Hat enterprise Linux

Thu, 12 Feb 2026 00:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Important

Wed, 11 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.
Title | | Busybox: busybox: arbitrary file overwrite and potential code execution via incomplete path sanitization
First Time appeared | | Redhat; Redhat enterprise Linux
Weaknesses | | CWE-73
CPEs | | cpe:/o:redhat:enterprise_linux:6
Vendors & Products | | Redhat; Redhat enterprise Linux
References | |
Metrics | | cvssV3_1: {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Red Hat Enterprise Linux
Redhat Enterprise Linux Hummingbird
MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-05T20:32:06.403Z

Reserved: 2026-02-11T17:05:41.991Z

Link: CVE-2026-26157

Vulnrichment

Updated: 2026-02-11T20:51:35.261Z

NVD

Status: Deferred

Published: 2026-02-11T21:16:21.400

Modified: 2026-05-05T21:16:21.700

Link: CVE-2026-26157

Redhat

Severity: Important

Public Date: 2026-02-11T00:00:00Z

Links: CVE-2026-26157 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-15T21:15:13Z