Description
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.
Published: 2026-02-11
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via arbitrary file modification
Action: Immediate Patch
AI Analysis

Impact

A flaw in the BusyBox utility allows an attacker to craft a tar archive containing hardlink or symlink entries that are not validated during extraction. When such an archive is processed with elevated privileges, the archive can modify files outside the intended extraction directory, giving the attacker unauthorized access to critical system files. This behavior corresponds to CWE-73 and can lead to privilege escalation.

Affected Systems

Systems that use BusyBox within Red Hat Enterprise Linux 6 or Red Hat Hardened Images are affected. No specific BusyBox version range is provided in the data, so all installations of BusyBox in these environments should be examined for the presence of the vulnerable extraction logic.

Risk and Exploitability

The vulnerability has a CVSS score of 7, indicating high severity, but the EPSS score is below 1 % and the issue is not listed in the CISA KEV catalog, suggesting a low current exploitation probability. The likely attack vector involves an attacker providing a malicious tar archive that is extracted by a process running with elevated privileges—either locally or via a chain of services that invoke BusyBox tar. If this scenario occurs, the attacker can modify privileged files and elevate privilege, though such conditions are relatively restricted. The risk is therefore high for affected systems that routinely extract untrusted archives with root privileges.

Generated by OpenCVE AI on April 15, 2026 at 21:10 UTC.

Remediation

Vendor Workaround

As a prevention measure, avoid extracting tar archives from untrusted sources using BusyBox, especially when operating with elevated privileges. If processing untrusted archives is unavoidable, ensure that the extraction process is performed within a strictly sandboxed environment with minimal permissions. This operational control reduces the risk of arbitrary file modification and privilege escalation.

OpenCVE Recommended Actions

  • Install the latest BusyBox security update that fixes the unvalidated hardlink/symlink handling in tar extraction.
  • If a patch is unavailable, avoid running BusyBox tar on untrusted archives and instead perform extraction in a sandboxed environment with minimal permissions, or use a dedicated, safe extraction tool.
  • Enforce strict SELinux or AppArmor policies that prevent file creation or modification outside the intended extraction directory, even when BusyBox is executed as root.

Generated by OpenCVE AI on April 15, 2026 at 21:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 21:00:00 +0000

Type Values Removed Values Added
References

Fri, 03 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat hummingbird
CPEs cpe:/a:redhat:hummingbird:1
Vendors & Products Redhat hummingbird

Thu, 12 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Red Hat
Red Hat enterprise Linux
Vendors & Products Red Hat
Red Hat enterprise Linux

Thu, 12 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 11 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Feb 2026 20:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.
Title Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-73
CPEs cpe:/o:redhat:enterprise_linux:6
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Red Hat Enterprise Linux
Redhat Enterprise Linux Hummingbird
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-05T20:32:18.509Z

Reserved: 2026-02-11T17:05:41.991Z

Link: CVE-2026-26158

cve-icon Vulnrichment

Updated: 2026-02-11T20:50:11.404Z

cve-icon NVD

Status : Deferred

Published: 2026-02-11T21:16:21.607

Modified: 2026-05-05T21:16:21.820

Link: CVE-2026-26158

cve-icon Redhat

Severity : Important

Publid Date: 2026-02-11T00:00:00Z

Links: CVE-2026-26158 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:15:13Z

Weaknesses