CVE-2026-26158 in BusyBoxinfo

Summary

by MITRE • 02/11/2026

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/06/2026

This vulnerability resides within the BusyBox tar utility implementation, representing a classic path traversal flaw that exploits improper validation of archive entries during extraction operations. The flaw specifically affects how tar handles hardlink and symlink entries within archive files, allowing attackers to manipulate file system permissions and locations through carefully crafted archive contents. When tar processes these malicious entries without proper validation, it fails to restrict file operations to the intended extraction directory, creating a pathway for unauthorized file system modifications. The vulnerability is particularly concerning because it can be exploited during routine system operations where tar is executed with elevated privileges, such as during package installations, system updates, or administrative tasks that require root or administrative permissions. This creates a significant attack surface where legitimate system processes become vectors for privilege escalation attacks.

The technical implementation of this vulnerability stems from insufficient input validation within the tar extraction logic, where symbolic and hard links are processed without adequate sanitization of their target paths. According to CWE-22, this represents a path traversal weakness that allows attackers to access files outside of the intended directory structure. The flaw operates by placing malicious link entries within tar archives that point to system-critical files or directories outside the extraction scope. When these archives are processed by tar with elevated privileges, the link resolution process can result in unintended file modifications or creation of malicious links that persist beyond the extraction operation. The vulnerability is classified under ATT&CK technique T1068 which describes privilege escalation through local exploitation, specifically targeting the ability to manipulate file system permissions and access controls through compromised system utilities.

The operational impact of this vulnerability extends beyond simple file modification capabilities to encompass full privilege escalation scenarios that can compromise system integrity and confidentiality. Attackers can leverage this flaw to gain access to sensitive system files, modify critical configuration data, or establish persistent access mechanisms within the system. When tar is used in automated systems or during package management operations, the vulnerability becomes particularly dangerous as it can be exploited without requiring direct user interaction or elevated privileges from the attacker. The exploitation process typically involves creating a tar archive containing malicious hardlink or symlink entries that point to system files such as /etc/passwd, /etc/shadow, or other critical configuration files. The vulnerability's severity is amplified when considering that BusyBox is widely deployed across embedded systems, network appliances, and Linux distributions where tar operations often occur with elevated privileges. Organizations using systems with BusyBox tar implementations should be particularly vigilant as this vulnerability can be exploited in both local and remote attack scenarios, especially in environments where users can influence archive contents or where tar operations are performed automatically during system maintenance procedures.

Mitigation strategies should focus on implementing proper input validation and restricting tar operations to prevent path traversal attacks. Organizations should consider disabling or restricting tar functionality that allows hardlink and symlink processing, particularly when extracting archives with elevated privileges. The implementation of security controls such as mandatory access controls, file system permissions, and privilege separation can help limit the impact of this vulnerability. Additionally, regular system updates and patches should be applied to address the underlying BusyBox implementation flaws. System administrators should monitor for suspicious tar operations and implement logging mechanisms to detect potential exploitation attempts. The use of containerization and sandboxing techniques can also provide additional protection layers by isolating tar operations and limiting their access to system-critical files and directories. Organizations should also consider implementing automated vulnerability scanning tools that can detect and alert on potentially malicious tar archive contents, particularly those containing entries that point outside of expected extraction directories.

Responsible

Redhat

Reservation

02/11/2026

Disclosure

02/11/2026

Moderation

accepted

CPE

ready

EPSS

0.00160

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!