NIXPKGS-2026-0247

GitHub issue published on 15 Feb 2026

Permalink CVE-2026-26158

updated 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 4 days ago
@LeSuisse removed package gobusybox 3 weeks ago
@LeSuisse accepted 3 weeks ago
@LeSuisse published on GitHub 3 weeks ago

Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

References

RHBZ#2439040 issue-tracking x_refsource_REDHAT
https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
https://access.redhat.com/security/cve/CVE-2026-26158 x_refsource_REDHAT vdb-entry
https://access.redhat.com/security/cve/CVE-2026-26158 x_refsource_REDHAT vdb-entry
RHBZ#2439040 issue-tracking x_refsource_REDHAT
https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb

Affected products

busybox

Matching in nixpkgs

pkgs.busybox

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.37.0
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.1
- nixos-25.11-small 1.36.1
- nixpkgs-25.11-darwin 1.36.1

pkgs.busybox-sandbox-shell

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.37.0
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.1
- nixos-25.11-small 1.36.1
- nixpkgs-25.11-darwin 1.36.1

pkgs.minimal-bootstrap.busybox-static

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.36.1
- nixpkgs-unstable 1.36.1
- nixos-unstable-small 1.36.1

Package maintainers

@alyssais Alyssa Ross <hi@alyssa.is>
@TethysSvensson Tethys Svensson <freaken@freaken.dk>
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@Gskartwii Aleksi Hannula <ahannula4@gmail.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@emilytrau Emily Trau <emily+nix@downunderctf.com>
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
@Artturin Artturi N <artturin@artturin.com>

Upstream patch: https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0247

References

Affected products

Matching in nixpkgs

pkgs.busybox

pkgs.busybox-sandbox-shell

pkgs.minimal-bootstrap.busybox-static

Package maintainers