NIXPKGS-2026-0249

GitHub issue published on 15 Feb 2026

Permalink CVE-2026-26157

updated 3 weeks ago by @LeSuisse Activity log

Created automatic suggestion 3 weeks, 4 days ago
@LeSuisse removed package gobusybox 3 weeks ago
@LeSuisse accepted 3 weeks ago
@LeSuisse published on GitHub 3 weeks ago

Busybox: busybox: arbitrary file overwrite and potential code execution via incomplete path sanitization

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.

References

RHBZ#2439039 issue-tracking x_refsource_REDHAT
https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
https://access.redhat.com/security/cve/CVE-2026-26157 x_refsource_REDHAT vdb-entry
RHBZ#2439039 issue-tracking x_refsource_REDHAT
https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
https://access.redhat.com/security/cve/CVE-2026-26157 x_refsource_REDHAT vdb-entry

Affected products

busybox

Matching in nixpkgs

pkgs.busybox

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.37.0
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.1
- nixos-25.11-small 1.36.1
- nixpkgs-25.11-darwin 1.36.1

pkgs.busybox-sandbox-shell

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.37.0
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.1
- nixos-25.11-small 1.36.1
- nixpkgs-25.11-darwin 1.36.1

pkgs.minimal-bootstrap.busybox-static

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.36.1
- nixpkgs-unstable 1.36.1
- nixos-unstable-small 1.36.1

Package maintainers

@alyssais Alyssa Ross <hi@alyssa.is>
@TethysSvensson Tethys Svensson <freaken@freaken.dk>
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@Gskartwii Aleksi Hannula <ahannula4@gmail.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@emilytrau Emily Trau <emily+nix@downunderctf.com>
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
@Artturin Artturi N <artturin@artturin.com>

Upstream patch: https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb

Nixpkgs Security Tracker

Details of issue NIXPKGS-2026-0249

References

Affected products

Matching in nixpkgs

pkgs.busybox

pkgs.busybox-sandbox-shell

pkgs.minimal-bootstrap.busybox-static

Package maintainers