CVE-2026-26157

busybox: BusyBox: Arbitrary file overwrite and potential code execution via incomplete path sanitization

ecosystem: redhat:6

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft a malicious archive that, when extracted under specific conditions, writes files outside the intended extraction directory. This can lead to arbitrary file overwrite and, through the modification of sensitive system files, potentially to code execution. The CVSS vector (AV:L, UI:R, AC:H) reflects that a local user has to extract the attacker-supplied archive and that the "specific conditions" raise the attack complexity; once those are met, confidentiality, integrity and availability are all rated High.
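As an added illustration of the bug class the advisory describes (CWE-73, external control of a file path during archive extraction), and not code from BusyBox or from Red Hat, the C program below places a deliberately incomplete member-name check beside a strict lexical normaliser. The page does not say which archive applets are affected or what exact check was incomplete, so `naive_member_is_safe` is a hypothetical stand-in for "incomplete path sanitization", not the CVE-2026-26157 flaw itself; the member names in `main` are constructed examples. Build with `cc -std=c99 -Wall path_check.c`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMPONENTS 256

/* Hypothetical naive check, for illustration only (NOT BusyBox's code and
 * not the specific flaw in CVE-2026-26157): it rejects absolute names and
 * names that begin with "../", and nothing else. Members such as
 * "./../etc/passwd" or "a/../../etc/passwd" pass and escape the target. */
bool naive_member_is_safe(const char *name)
{
    return name[0] != '/' && strncmp(name, "../", 3) != 0;
}

/* Lexically normalise an archive member name into out[outlen], collapsing
 * empty, "." and ".." components. Returns false when the name is empty,
 * absolute, too long, resolves to the extraction root itself, or when a
 * ".." would climb above the root (the member would land outside the
 * target directory). Only a validated relative path is ever written. */
bool normalize_member(const char *name, char *out, size_t outlen)
{
    const char *comp[MAX_COMPONENTS];
    size_t clen[MAX_COMPONENTS];
    size_t depth = 0;

    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return false;

    for (const char *p = name; *p != '\0'; ) {
        const char *slash = strchr(p, '/');
        size_t len = slash ? (size_t)(slash - p) : strlen(p);

        if (len == 0 || (len == 1 && p[0] == '.')) {
            /* "a//b" or "./a": contributes nothing */
        } else if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return false;          /* would escape the root */
            depth--;
        } else {
            if (depth == MAX_COMPONENTS)
                return false;
            comp[depth] = p;
            clen[depth] = len;
            depth++;
        }
        p = slash ? slash + 1 : p + len;
    }
    if (depth == 0)
        return false;                  /* "." or "a/..": the root itself */

    size_t used = 0;
    for (size_t i = 0; i < depth; i++) {
        if (used + clen[i] + 2 > outlen)   /* +1 separator, +1 NUL */
            return false;
        if (i > 0)
            out[used++] = '/';
        memcpy(out + used, comp[i], clen[i]);
        used += clen[i];
    }
    out[used] = '\0';
    return true;
}

/* True when 'name' may be extracted at all (lexical check only). */
bool member_is_safe(const char *name)
{
    char buf[512];
    return normalize_member(name, buf, sizeof buf);
}

/* True when 'name' normalises to exactly 'expect'. */
bool normalizes_to(const char *name, const char *expect)
{
    char buf[512];
    return normalize_member(name, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

/* Build "dest/<normalised name>" into out, or refuse the member. */
bool safe_extract_path(const char *dest, const char *name, char *out, size_t outlen)
{
    char rel[512];
    if (!normalize_member(name, rel, sizeof rel))
        return false;
    int n = snprintf(out, outlen, "%s/%s", dest, rel);
    return n > 0 && (size_t)n < outlen;
}

/* True when 'name' under 'dest' yields exactly the path 'expect'. */
bool extracts_to(const char *dest, const char *name, const char *expect)
{
    char buf[1024];
    return safe_extract_path(dest, name, buf, sizeof buf) && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed member names of the kind a malicious archive carries. */
    static const char *const members[] = {
        "etc/motd", "a/../b.txt", "a//b/./c", "./../etc/passwd",
        "a/../../etc/passwd", "../../etc/passwd", "/etc/passwd",
    };
    char path[1024];

    for (size_t i = 0; i < sizeof members / sizeof members[0]; i++) {
        bool naive = naive_member_is_safe(members[i]);
        bool ok = safe_extract_path("/tmp/extract", members[i], path, sizeof path);
        printf("%-20s naive:%-6s strict:%-6s %s\n", members[i],
               naive ? "accept" : "reject", ok ? "accept" : "reject",
               ok ? path : "");
    }
    return 0;
}
```

A lexical check like this is necessary but not sufficient. An archive can first create a symlink member that points outside the destination and then a regular member whose path passes through that symlink, so a hardened extractor must also refuse to write through symlinks in the target tree (open with O_NOFOLLOW, or verify at write time that the canonical parent directory still lies under the destination).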

References
severity: Important

type: vendor

source: secalert@redhat.com

CVSS 3.1: 7.0 HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

AV: Local
AC: High
PR: None
UI: Required
S: Not Changed
C: High
I: High
A: High

source: secalert@redhat.com

CWE: CWE-73 External Control of File Name or Path

source: secalert@redhat.com

published: 2026-02-11 00:00:00

modified: 2026-02-12 15:39:45

Detection

redhat:6
CVE-2026-26157

source: redhat-vex

Match logic: OR (the host is flagged if any of the listed packages matches)

Status for every entry below: unfixed, Out of support scope

tag: rhel-6-els:23ad430c-409a-10af-658c-0679430b4aea
  • busybox (package type: binary, type: version): unfixed, Out of support scope
  • busybox-petitboot (package type: binary, type: version): unfixed, Out of support scope
  • busybox (package type: source, type: version): unfixed, Out of support scope

tag: rhel-6-extras-including-unpatched:23ad430c-409a-10af-658c-0679430b4aea
  • busybox (package type: binary, type: version): unfixed, Out of support scope
  • busybox-petitboot (package type: binary, type: version): unfixed, Out of support scope
  • busybox (package type: source, type: version): unfixed, Out of support scope

tag: rhel-6-including-unpatched:23ad430c-409a-10af-658c-0679430b4aea
  • busybox (package type: binary, type: version): unfixed, Out of support scope
  • busybox-petitboot (package type: binary, type: version): unfixed, Out of support scope
  • busybox (package type: source, type: version): unfixed, Out of support scope

tag: rhel-6-supplementary:23ad430c-409a-10af-658c-0679430b4aea
  • busybox (package type: binary, type: version): unfixed, Out of support scope
  • busybox-petitboot (package type: binary, type: version): unfixed, Out of support scope
  • busybox (package type: source, type: version): unfixed, Out of support scope

Data Sources

  • RedHat Enterprise Linux CSAF VEX (redhat-vex)
