{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-26158","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-02-11T17:05:41.991Z","datePublished":"2026-02-11T20:27:06.979Z","dateUpdated":"2026-06-30T12:08:12.291Z"},"containers":{"cna":{"title":"Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries","metrics":[{"other":{"content":{"value":"Important","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files."}],"affected":[{"vendor":"Red Hat","product":"Red Hat Hardened Images","collectionURL":"https://catalog.redhat.com/software/containers/","packageName":"busybox-main","defaultStatus":"affected","versions":[{"version":"1.37.0-7.2.hum1","lessThan":"*","versionType":"rpm","status":"unaffected"}],"cpes":["cpe:/a:redhat:hummingbird:1"]},{"vendor":"Red Hat","product":"Red Hat Enterprise Linux 6","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"busybox","defaultStatus":"unknown","cpes":["cpe:/o:redhat:enterprise_linux:6"]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2026:13831","name":"RHSA-2026:13831","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/cve/CVE-2026-26158","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2439040","name":"RHBZ#2439040","tags":["issue-tracking","x_refsource_REDHAT"]},{"url":"https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb"}],"datePublic":"2026-02-11T00:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-73","description":"External Control of File Name or Path","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-73: External Control of File Name or Path","workarounds":[{"lang":"en","value":"As a prevention measure, avoid extracting tar archives from untrusted sources using BusyBox, especially when operating with elevated privileges. If processing untrusted archives is unavoidable, ensure that the extraction process is performed within a strictly sandboxed environment with minimal permissions. This operational control reduces the risk of arbitrary file modification and privilege escalation."}],"timeline":[{"lang":"en","time":"2026-02-11T18:09:00.001Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-11T00:00:00.000Z","value":"Made public."}],"credits":[{"lang":"en","value":"Red Hat would like to thank Calil Khalil (Hakal) for reporting this issue."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-06-30T04:01:57.299Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2026-26158","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"version":"2.0.3","timestamp":"2026-02-12T04:55:24.841610Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-26T14:44:23.355Z"}},{"x_adpType":"supplier","providerMetadata":{"orgId":"0b142b55-0307-4c5a-b3c9-f314f3fb7c5e","shortName":"siemens-SADP","dateUpdated":"2026-06-02T13:01:14.168Z"},"affected":[{"vendor":"Siemens","product":"RUGGEDCOM RST2428P","versions":[{"status":"affected","version":"0","lessThan":"V4.0","versionType":"custom"}],"defaultStatus":"unknown"}],"references":[{"url":"https://cert-portal.siemens.com/productcert/html/ssa-253495.html"}]},{"affected":[{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","product":"Red Hat Hardened Images","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"}],"datePublic":"2026-02-11T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-73","description":"External Control of File Name or Path","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-26158"},{"name":"RHBZ#2439040","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2439040"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26158.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:13831"}],"solutions":[{"lang":"en","value":"RHSA-2026:13831: Red Hat Hardened Images"}],"timeline":[{"lang":"en","time":"2026-02-11T18:09:00.001Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-11T00:00:00.000Z","value":"Made public."}],"title":"busybox: BusyBox: Arbitrary file modification and privilege escalation via unvalidated tar archive entries","workarounds":[{"lang":"en","value":"As a prevention measure, avoid extracting tar archives from untrusted sources using BusyBox, especially when operating with elevated privileges. If processing untrusted archives is unavoidable, ensure that the extraction process is performed within a strictly sandboxed environment with minimal permissions. This operational control reduces the risk of arbitrary file modification and privilege escalation."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:08:12.291Z"}}]}}