BusyBox Tar Extraction Hardlink/Symlink Escalation Vulnerability
CVE-2026-26158 Published on February 11, 2026

Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

NVD

Vulnerability Analysis

CVE-2026-26158 is exploitable with local system access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public.

Weakness Type

External Control of File Name or Path

The software allows user input to control or influence paths or file names that are used in filesystem operations.


Products Associated with CVE-2026-26158

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2026-26158 are published in these products:

Red Hat Enterprise Linux (RHEL)
 
Busybox
 

Affected Versions

Red Hat Enterprise Linux 6:

Exploit Probability

EPSS
0.01%
Percentile
0.20%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.