Bug 2439039 (CVE-2026-26157)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2026-26157 busybox: BusyBox: Arbitrary file overwrite and potential code execution via incomplete path sanitization | | |
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | adudiak, aprice, caswilli, dfreiber, drow, jburrell, jsamir, kaycoth, kshier, oezr, stcannon, teagle, vkumar, yguenane |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that, when extracted and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2439044, 2439045, 2439046 | | |
| Bug Blocks: | | | |
Affects: BusyBox v1.36.1 and v1.37.0 (likely affects earlier versions too)

CVSS: 8.6 (HIGH)

Component: strip_unsafe_prefix() function in archive extraction utilities (tar, unzip, rpm, ar, dpkg)

Description: Incomplete path sanitization fails to detect trailing ".." components in filenames (e.g., "logs/data/.."), allowing files to be written outside the intended extraction directory when the current working directory matches the target location. An attacker can craft malicious archives that overwrite arbitrary files within the extraction directory scope.

Impact: Arbitrary file overwrite, potential code execution through modification of shell configuration files, cron jobs, or other sensitive files.
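The failure mode described above (a sanitizer that handles a leading "../" and an embedded "/../" but never looks at the final path component) is easiest to see side by side with a check that walks every component. The following is an added illustration, not BusyBox's strip_unsafe_prefix() or any other code from the project: both functions and the sample entry names are constructed for this example. The naive function is a hypothetical stand-in for the bug class, not a copy of the affected code.

```c
/* Added example (not BusyBox code): why a prefix/substring check misses a
 * trailing ".." component, and a component-wise check that does not. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical naive sanitizer: rejects absolute names, a leading "../",
 * and an embedded "/../". It never examines the last component, so a name
 * ending in "/.." (or the bare name "..") slips through. */
static bool naive_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/') return false;
    if (strncmp(name, "../", 3) == 0) return false;
    if (strstr(name, "/../") != NULL) return false;
    return true;
}

/* Hardened check: walk every '/'-separated component and reject absolute
 * names and any ".." component, wherever it sits in the name. Rejecting
 * rather than stripping keeps the archive's intent visible to the caller. */
static bool component_is_safe(const char *name)
{
    if (name[0] == '\0' || name[0] == '/') return false;
    const char *p = name;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.') return false;
        if (!end) break;
        p = end + 1;
    }
    return true;
}

/* Constructed sample entry names, as an archive extractor would see them. */
static const char *const samples[] = {
    "logs/data/file.txt",
    "../etc/passwd",
    "logs/../../etc/passwd",
    "logs/data/..",      /* trailing "..": the case the advisory describes */
    "..",
    "/etc/cron.d/job",
};

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s naive=%-6s component=%s\n", samples[i],
               naive_is_safe(samples[i]) ? "safe" : "REJECT",
               component_is_safe(samples[i]) ? "safe" : "REJECT");
    return 0;
}
```

Running it shows "logs/data/.." and ".." accepted by the naive check and rejected by the component walk, while ordinary names pass both. Note that a name-based check only covers the entry names themselves; an extractor that must also tolerate symlinked directories already present in the target tree needs to resolve the final path at write time as well, which is a separate concern from the one this advisory records.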