CVE-2026-26158

Name: CVE-2026-26158
Description: A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1127782

Vulnerable and fixed packages

The table below lists information on source packages.

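| Source Package | Release | Version | Status |
|---|---|---|---|
| busybox (PTS) | bullseye | 1:1.30.1-6 | vulnerable |
| busybox | bullseye (security) | 1:1.30.1-6+deb11u1 | vulnerable |
| busybox | bookworm | 1:1.35.0-4 | vulnerable |
| busybox | trixie | 1:1.37.0-6 | vulnerable |
| busybox | forky, sid | 1:1.37.0-10 | vulnerable |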

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| busybox | source | (unstable) | (unfixed) | | | 1127782 |

Notes

https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
