Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
BusyBox Security Update: Malicious Archives Can Overwrite System Files
OESA-2026-1544
Summary
BusyBox, a Linux utility suite, contains a security flaw that allows an attacker to create malicious archives that can overwrite sensitive system files. This can lead to unauthorized code execution or data corruption. To protect your system, update BusyBox to the latest version as soon as possible.
What to do
- Update busybox to version 1.31.1-28.oe2003sp4.
- Update busybox to version 1.34.1-28.oe2203sp4.
- Update busybox to version 1.36.1-14.oe2403sp3.
- Update busybox to version 1.36.1-14.oe2403sp1.
- Update busybox to version 1.36.1-14.oe2403sp2.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | busybox | <= 1.31.1-28.oe2003sp4 | 1.31.1-28.oe2003sp4 |
| – | busybox | <= 1.34.1-28.oe2203sp4 | 1.34.1-28.oe2203sp4 |
| – | busybox | <= 1.36.1-14.oe2403sp3 | 1.36.1-14.oe2403sp3 |
| – | busybox | <= 1.36.1-14.oe2403sp1 | 1.36.1-14.oe2403sp1 |
| – | busybox | <= 1.36.1-14.oe2403sp2 | 1.36.1-14.oe2403sp2 |
| – | busybox | <= 1.36.1-14.oe2403sp3 | 1.36.1-14.oe2403sp3 |
Original title
busybox security update
Original description
The Swiss Army Knife of Embedded Linux
Security Fix(es):
A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.(CVE-2026-26157)
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.(CVE-2026-26158)
Security Fix(es):
A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.(CVE-2026-26157)
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.(CVE-2026-26158)
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-26157 Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-26158 Vendor Advisory
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026