7
CVE-2026-26158
- EPSS 0.16%
- Veröffentlicht 11.02.2026 20:27:06
- Zuletzt bearbeitet 30.06.2026 03:17:48
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerSiemens
≫
Produkt
RUGGEDCOM RST2428P
Default Statusunknown
Version
0
Version <
V4.0
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.16% | 0.055 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 7 | 1 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7 | 1 | 5.9 |
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
|
CWE-73 External Control of File Name or Path
The product allows user input to control or influence paths or file names that are used in filesystem operations.
https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
https://access.redhat.com/security/cve/CVE-2026-26158
https://bugzilla.redhat.com/show_bug.cgi?id=2439040
https://access.redhat.com/errata/RHSA-2026:13831
https://cert-portal.siemens.com/productcert/html/ssa-253495.html
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26158.json