Nixpkgs Security Tracker

Login with GitHub

Suggestions search

Published
Filter by:
With package: busybox-sandbox-shell

Found 2 matching suggestions

Permalink CVE-2026-26157
updated 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 weeks, 4 days ago
  • @LeSuisse removed package gobusybox 3 weeks ago
  • @LeSuisse accepted 3 weeks ago
  • @LeSuisse published on GitHub 3 weeks ago
Busybox: busybox: arbitrary file overwrite and potential code execution via incomplete path sanitization

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.

References

Affected products

busybox

Matching in nixpkgs

Upstream patch: https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb
Permalink CVE-2026-26158
updated 3 weeks ago by @LeSuisse Activity log
  • Created automatic suggestion 3 weeks, 4 days ago
  • @LeSuisse removed package gobusybox 3 weeks ago
  • @LeSuisse accepted 3 weeks ago
  • @LeSuisse published on GitHub 3 weeks ago
Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

References

Affected products

busybox

Matching in nixpkgs

Upstream patch: https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31bb7685b1a1cb