High severity7.0NVD Advisory· Published Feb 11, 2026· Updated May 5, 2026

CVE-2026-26158

Description

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

Affected products

Mirror/Busyboxinferred

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2026:13831nvd
access.redhat.com/security/cve/CVE-2026-26158nvd
bugzilla.redhat.com/show_bug.cginvd
git.busybox.net/busybox/commit/archivalnvd

News mentions

AI-powered honeypots: Turning the tables on malicious AI agents
Cisco Talos Intelligence · Apr 29, 2026

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000