CVE-2026-26158 Overview
CVE-2026-26158 is a link-following flaw, classified as External Control of File Name or Path [CWE-73], in the tar applet of BusyBox. The extractor created hardlink and symlink entries from an archive without validating that their targets stay inside the extraction directory. An attacker who can craft a tar archive can therefore make BusyBox create a link that points outside that directory and then write later archive members through it. If extraction runs with elevated privileges, the attacker can overwrite critical system files and escalate privileges. BusyBox is widely deployed in embedded Linux systems, container base images, and minimal Linux distributions, which broadens the exposure surface.
Critical Impact
Local attackers can overwrite arbitrary files outside the extraction directory by tricking a privileged user or process into extracting a crafted tar archive. The write happens with the privileges of the extracting process, so an extraction performed as root turns this into local privilege escalation.
Affected Products
- BusyBox tar applet (archival component)
- Red Hat Enterprise Linux distributions referenced in RHSA-2026:13831
- Embedded Linux systems and container images bundling vulnerable BusyBox builds
Discovery Timeline
- 2026-02-11 - CVE-2026-26158 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-26158
Vulnerability Analysis
The vulnerability resides in the BusyBox archival code that handles tar extraction. BusyBox created hardlink and symlink entries without validating that the link target stays within the destination directory. An archive can declare a symlink whose target is an absolute path such as /etc, or a relative path that climbs out of the extraction root with .. components. When a later archive member uses that link name as a path prefix, the write follows the link and lands outside the extraction root. The flaw is classified as External Control of File Name or Path [CWE-73].
Exploitation requires user interaction, specifically extraction of the attacker-controlled archive, and local access to the system. When the extracting process holds elevated privileges, as root does during package installation, firmware unpacking, or initramfs construction, the attacker gains write access to sensitive files including /etc/passwd, /etc/shadow, /etc/sudoers, and systemd unit files.
Root Cause
BusyBox tar did not canonicalize and validate link targets against the extraction directory before creating filesystem entries. The fix is tracked in upstream commit 3fb6b31c716669e12f75a2accd31bb7685b1a1cb, which adds checks that reject archive entries whose hardlink or symlink targets escape the extraction root. Any such check has to look beyond the individual entry: a member name like link/shadow is harmless on its own and only escapes because the same archive declared link as a symlink a moment earlier, so link targets and the members that pass through them must both be validated.
Attack Vector
The attacker crafts a tar archive containing a symlink entry such as link -> /etc followed by a regular file entry link/shadow with attacker-controlled contents. Tar members are processed in archive order, so by the time the second entry is created the symlink already exists on disk; BusyBox follows it and writes the file to /etc/shadow with the privileges of the extracting process. Hardlink entries enable a similar primitive against existing system files. The full chain leads from arbitrary file write to local privilege escalation.
Refer to the Red Hat CVE record for CVE-2026-26158 and Red Hat Bugzilla #2439040 for vendor analysis.
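The two-entry chain above, and the kind of validation a fixed extractor needs, as an added Python example that is not code from BusyBox, the upstream commit, or the advisory. The archives are constructed in memory with the standard tarfile module in the shape described (symlink link -> /etc, a regular member link/shadow written through it, plus a hardlink whose target climbs out of the root) and nothing is written to disk. unsafe_members() reports every member that would land outside the extraction directory; its resolver is purely lexical, since a pre-extraction scan has nothing on disk to call realpath on, so it follows symlinks the archive itself declared earlier. The destination /var/tmp/extract, the member names, the file contents and the 40-hop loop limit are assumptions made for the example.

```python
import io
import posixpath
import tarfile


def _parts(path):
    """Split a member name or link target into components, dropping '' and '.'."""
    return [p for p in path.split("/") if p not in ("", ".")]


def _resolve(path, symlinks, base):
    """Lexically resolve `path` from directory `base` through symlinks declared
    earlier in the archive (keys: resolved link path, values: raw target)."""
    cur = base
    parts = _parts(path)
    hops = 0
    while parts:
        comp = parts.pop(0)
        if comp == "..":
            cur = posixpath.dirname(cur) or "/"
            continue
        cand = posixpath.join(cur, comp)
        if cand in symlinks:
            hops += 1
            if hops > 40:  # same follow limit the kernel applies (ELOOP)
                raise ValueError("symlink loop while resolving %r" % path)
            target = symlinks[cand]
            if target.startswith("/"):
                cur = "/"  # absolute target restarts at the root
            parts = _parts(target) + parts  # a relative one stays in cur
            continue
        cur = cand
    return cur


def _inside(path, dest):
    return path == dest or path.startswith(dest + "/")


def unsafe_members(tar_bytes, dest="/var/tmp/extract"):
    """Return (member, reason) for each member that would land outside `dest`;
    member names are resolved through symlinks the archive declared earlier."""
    dest = posixpath.normpath(dest)
    symlinks = {}
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for m in tar:
            where = _resolve(m.name, symlinks, dest)
            if m.name.startswith("/") or not _inside(where, dest):
                findings.append((m.name, "path resolves to " + where))
            elif m.issym():
                base = "/" if m.linkname.startswith("/") else posixpath.dirname(where)
                target = _resolve(m.linkname, symlinks, base)
                if not _inside(target, dest):
                    findings.append((m.name, "symlink target resolves to " + target))
            elif m.islnk():
                # hardlink targets are archive-relative names, not link-relative
                base = "/" if m.linkname.startswith("/") else dest
                target = _resolve(m.linkname, symlinks, base)
                if not _inside(target, dest):
                    findings.append((m.name, "hardlink target resolves to " + target))
            if m.issym():
                symlinks[where] = m.linkname  # keep rejected links too
    return findings


def _add(tar, name, type_, linkname="", data=b""):
    info = tarfile.TarInfo(name)
    info.type = type_
    info.linkname = linkname
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data) if data else None)


def build_crafted_archive():
    """Constructed sample in the shape described above (no real file is touched)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "link", tarfile.SYMTYPE, linkname="/etc")
        _add(tar, "link/shadow", tarfile.REGTYPE, data=b"root::0:0:99999:7:::\n")
        _add(tar, "passwd_copy", tarfile.LNKTYPE, linkname="../../../etc/passwd")
    return buf.getvalue()


def build_benign_archive():
    """Constructed sample whose links all stay inside the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add(tar, "app/v1/config", tarfile.REGTYPE, data=b"port=8080\n")
        _add(tar, "app/current", tarfile.SYMTYPE, linkname="v1")
        _add(tar, "app/v1/config.bak", tarfile.LNKTYPE, linkname="app/v1/config")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("crafted", build_crafted_archive()), ("benign", build_benign_archive())):
        print(label, unsafe_members(blob) or "ok")
```

Run stand-alone it reports the three offending members of the crafted archive (the symlink itself, the member written through it, and the hardlink) and ok for the benign one, whose relative symlink and archive-relative hardlink both resolve under the root. Because the function works on archive bytes rather than on a listing, it can serve as the pre-extraction scanner recommended later on this page without parsing tar -tvf output.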
Detection Methods for CVE-2026-26158
Indicators of Compromise
- Tar archives containing symlink or hardlink entries whose targets are absolute (begin with /) or contain .. path components, or regular members whose names pass through such a link (for example link/shadow following link -> /etc)
- Unexpected modifications to sensitive files such as /etc/passwd, /etc/shadow, /etc/sudoers, /root/.ssh/authorized_keys, or systemd unit files following a busybox tar extraction
- New SUID binaries or world-writable files created in system directories after archive extraction
Detection Strategies
- Inspect tar archives prior to extraction using tar -tvf and flag any entries with absolute paths or parent-directory traversal in link targets; listing only reads the archive and creates nothing on disk, so it is safe to run even with an unpatched binary
- Audit process execution logs for invocations of busybox tar -x or tar -x executed by privileged accounts on untrusted archives
- Compare file integrity baselines for critical system paths against post-extraction state to identify unexpected writes
Monitoring Recommendations
- Enable Linux audit rules on /etc, /usr/bin, /usr/sbin, and /lib/systemd for write and create events correlated to busybox process ancestry
- Forward filesystem and process telemetry to a centralized analytics platform for cross-host correlation of archive-extraction behavior
- Alert on extractions performed as uid=0 against archives sourced from external networks, removable media, or non-trusted repositories
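The correlation the monitoring items above call for, as an added Python example that is not part of the original advisory or of any vendor tooling. It runs over constructed auditd records: the SYSCALL, CWD and PATH records of one syscall are joined on the event serial in msg=audit(timestamp:serial), exactly the key ausearch groups on, and an alert is raised when a uid=0 process whose comm is busybox or tar touches a path under one of the watched directories. A busybox applet started through the tar symlink reports comm="tar" with exe="/bin/busybox", which is why both names are matched. The pids, inodes, timestamps and paths in the sample are made up; only the field names follow auditd's format. Full process-ancestry correlation would need a process tree that these records do not carry, so matching here is on comm and exe only.

```python
import re
from collections import defaultdict

# Constructed auditd records (field names as auditd writes them; pids, inodes
# and timestamps are made up). Event 501: root extraction via the tar applet
# opening /etc/shadow for writing. 502: the same tool as an unprivileged user
# inside its extraction directory. 503: root, but not an archive tool.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1770800001.100:501): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=4010 pid=4011 auid=0 uid=0 gid=0 euid=0 comm="tar" exe="/bin/busybox" key="sys_write"
type=CWD msg=audit(1770800001.100:501): cwd="/var/tmp/extract"
type=PATH msg=audit(1770800001.100:501): item=0 name="/etc/" inode=1 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1770800001.100:501): item=1 name="/etc/shadow" inode=1700 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1770800002.200:502): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=4020 pid=4021 auid=1000 uid=65534 gid=65534 euid=65534 comm="busybox" exe="/bin/busybox" key="sys_write"
type=PATH msg=audit(1770800002.200:502): item=1 name="/var/tmp/extract/app/config" inode=2200 dev=fd:00 mode=0100644 ouid=65534 ogid=65534 nametype=CREATE
type=SYSCALL msg=audit(1770800003.300:503): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1 pid=900 auid=0 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="sys_write"
type=PATH msg=audit(1770800003.300:503): item=1 name="/etc/hosts" inode=1701 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

# Directories covered by the audit watch rules suggested above.
SENSITIVE_PREFIXES = ("/etc/", "/usr/bin/", "/usr/sbin/", "/lib/systemd/")
# comm values an extraction shows: the applet name when busybox is invoked
# through its tar symlink, or busybox itself when run as "busybox tar".
ARCHIVE_TOOLS = {"busybox", "tar"}

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
MSG_RE = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')


def parse_record(line):
    """Parse one auditd record into its key=value fields, adding the event
    serial that ties the SYSCALL, CWD and PATH records of one syscall together."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD_RE.findall(line)}
    fields["timestamp"] = float(m.group(1))
    fields["serial"] = int(m.group(2))
    return fields


def privileged_archive_writes(log_text):
    """Return one alert per path that a uid=0 archive-tool process touched under
    a sensitive prefix. Records are grouped by serial first, because the PATH
    records carrying the file name arrive after the SYSCALL record."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH" and rec.get("nametype") != "PARENT":
            ev["paths"].append(rec["name"])

    alerts = []
    for serial in sorted(events):
        sc = events[serial]["syscall"]
        if sc is None or sc.get("uid") != "0" or sc.get("comm") not in ARCHIVE_TOOLS:
            continue
        for path in events[serial]["paths"]:
            if path.startswith(SENSITIVE_PREFIXES):
                alerts.append({"serial": serial, "pid": int(sc["pid"]),
                               "exe": sc["exe"], "path": path})
    return alerts


if __name__ == "__main__":
    for alert in privileged_archive_writes(SAMPLE_AUDIT_LOG):
        print("ALERT: pid %(pid)d %(exe)s wrote %(path)s (event %(serial)d)" % alert)
```

Only event 501 produces an alert: 502 is the same tool run unprivileged against its own extraction directory, and 503 is a root write to /etc by an editor rather than an archive tool. The PARENT path record is skipped so that the directory entry auditd emits alongside the file does not produce a second alert for /etc/ itself.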
How to Mitigate CVE-2026-26158
Immediate Actions Required
- Apply vendor-supplied BusyBox updates from the Red Hat advisory RHSA-2026:13831 or your distribution's equivalent
- Rebuild container images and firmware artifacts that bundle BusyBox to incorporate the patched binary
- Avoid extracting untrusted tar archives as root; use a dedicated unprivileged service account when possible
Patch Information
The upstream fix is BusyBox commit 3fb6b31c716669e12f75a2accd31bb7685b1a1cb. Red Hat ships fixed packages through RHSA-2026:13831. Confirm the deployed BusyBox build includes the commit: on Red Hat systems compare the installed package version (rpm -q busybox) with the fixed version listed in the advisory; for firmware or container images built from source, check that the BusyBox source tree contains the commit, since the version string printed by busybox alone does not reveal backported fixes.
Workarounds
- Extract untrusted archives inside a chroot, container, or user namespace with no access to host system paths
- Pre-scan tar archives and reject any containing symlink or hardlink entries with absolute or traversal targets before invoking extraction
- Drop privileges before extraction by switching to a non-root user with setpriv or su when handling externally sourced archives; this bounds the damage to paths that user can write and does not prevent the traversal itself
# Inspect a tar archive for unsafe link entries before extracting (listing
# writes nothing, so this is safe even with an unpatched busybox). Flags
# "name -> target" and "name link to target" entries whose target is absolute
# or contains "..", then member names with the same patterns.
if tar -tvf untrusted.tar | grep -E '( -> | link to )(/|(.*/)?\.\.(/|$))' \
   || tar -tf untrusted.tar | grep -E '^/|(^|/)\.\.(/|$)'; then
    echo "UNSAFE: archive contains absolute or parent-traversal paths" >&2
    exit 1
fi
# Extract as an unprivileged user (who must be able to read the archive) inside
# a dedicated directory; this bounds what a traversal can reach, not whether it happens
install -d -m 700 -o nobody -g nobody /var/tmp/extract
setpriv --reuid=nobody --regid=nobody --clear-groups \
    tar -xf untrusted.tar -C /var/tmp/extract
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.