CVE-2026-26158 HIGH

CVE-2026-26158: BusyBox: arbitrary file modification and privilege escalation via unvalidated tar archive entries

Vendor Red Hat
Product Red Hat Enterprise Linux 6
Weakness CWE-73
Published February 11, 2026
Last update June 30, 2026

CVSS base score

7.0/10
Attack vector Local
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

Key dates

02 Disclosure timeline

February 11, 2026 CVE published
June 30, 2026 Record updated