UBUNTU-CVE-2026-26158
- Source
- https://ubuntu.com/security/CVE-2026-26158
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-26158.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-26158
- Upstream
- Published
- 2026-02-11T21:16:00Z
- Modified
- 2026-02-18T17:32:15Z
- Severity
-
- 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.
- References
Affected packages
Ubuntu:20.04:LTS
busybox
Package
- Name
- busybox
- Purl
- pkg:deb/ubuntu/busybox@1:1.30.1-4ubuntu6.5?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1:1.*
1:1.30.1-4ubuntu4
1:1.30.1-4ubuntu5
1:1.30.1-4ubuntu6
1:1.30.1-4ubuntu6.1
1:1.30.1-4ubuntu6.2
1:1.30.1-4ubuntu6.3
1:1.30.1-4ubuntu6.4
1:1.30.1-4ubuntu6.5
Ecosystem specific
{
"binaries": [
{
"binary_name": "busybox",
"binary_version": "1:1.30.1-4ubuntu6.5"
},
{
"binary_name": "busybox-initramfs",
"binary_version": "1:1.30.1-4ubuntu6.5"
},
{
"binary_name": "busybox-static",
"binary_version": "1:1.30.1-4ubuntu6.5"
},
{
"binary_name": "busybox-syslogd",
"binary_version": "1:1.30.1-4ubuntu6.5"
},
{
"binary_name": "udhcpc",
"binary_version": "1:1.30.1-4ubuntu6.5"
},
{
"binary_name": "udhcpd",
"binary_version": "1:1.30.1-4ubuntu6.5"
}
]
}Ubuntu:22.04:LTS
busybox
Package
- Name
- busybox
- Purl
- pkg:deb/ubuntu/busybox@1:1.30.1-7ubuntu3.1?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1:1.*
1:1.30.1-6ubuntu3
1:1.30.1-7ubuntu1
1:1.30.1-7ubuntu2
1:1.30.1-7ubuntu3
1:1.30.1-7ubuntu3.1
Ecosystem specific
{
"binaries": [
{
"binary_name": "busybox",
"binary_version": "1:1.30.1-7ubuntu3.1"
},
{
"binary_name": "busybox-initramfs",
"binary_version": "1:1.30.1-7ubuntu3.1"
},
{
"binary_name": "busybox-static",
"binary_version": "1:1.30.1-7ubuntu3.1"
},
{
"binary_name": "busybox-syslogd",
"binary_version": "1:1.30.1-7ubuntu3.1"
},
{
"binary_name": "udhcpc",
"binary_version": "1:1.30.1-7ubuntu3.1"
},
{
"binary_name": "udhcpd",
"binary_version": "1:1.30.1-7ubuntu3.1"
}
]
}Ubuntu:24.04:LTS
busybox
Package
- Name
- busybox
- Purl
- pkg:deb/ubuntu/busybox@1:1.36.1-6ubuntu3.1?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "busybox",
"binary_version": "1:1.36.1-6ubuntu3.1"
},
{
"binary_name": "busybox-initramfs",
"binary_version": "1:1.36.1-6ubuntu3.1"
},
{
"binary_name": "busybox-static",
"binary_version": "1:1.36.1-6ubuntu3.1"
},
{
"binary_name": "busybox-syslogd",
"binary_version": "1:1.36.1-6ubuntu3.1"
},
{
"binary_name": "udhcpc",
"binary_version": "1:1.36.1-6ubuntu3.1"
},
{
"binary_name": "udhcpd",
"binary_version": "1:1.36.1-6ubuntu3.1"
}
]
}Ubuntu:25.10
busybox
Package
- Name
- busybox
- Purl
- pkg:deb/ubuntu/busybox@1:1.37.0-4ubuntu1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "busybox",
"binary_version": "1:1.37.0-4ubuntu1"
},
{
"binary_name": "busybox-initramfs",
"binary_version": "1:1.37.0-4ubuntu1"
},
{
"binary_name": "busybox-static",
"binary_version": "1:1.37.0-4ubuntu1"
},
{
"binary_name": "busybox-syslogd",
"binary_version": "1:1.37.0-4ubuntu1"
},
{
"binary_name": "udhcpc",
"binary_version": "1:1.37.0-4ubuntu1"
},
{
"binary_name": "udhcpd",
"binary_version": "1:1.37.0-4ubuntu1"
}
]
}Ubuntu:Pro:14.04:LTS
busybox
Package
- Name
- busybox
- Purl
- pkg:deb/ubuntu/busybox@1:1.21.0-1ubuntu1.4+esm1?arch=source&distro=esm-infra-legacy/trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1:1.*
1:1.20.0-8.1ubuntu1
1:1.20.0-9ubuntu1
1:1.20.0-9ubuntu2
1:1.21.0-1ubuntu1
1:1.21.0-1ubuntu1.4
1:1.21.0-1ubuntu1.4+esm1
Ecosystem specific
{
"binaries": [
{
"binary_name": "busybox",
"binary_version": "1:1.21.0-1ubuntu1.4+esm1"
},
{
"binary_name": "busybox-initramfs",
"binary_version": "1:1.21.0-1ubuntu1.4+esm1"
},
{
"binary_name": "busybox-static",
"binary_version": "1:1.21.0-1ubuntu1.4+esm1"
},
{
"binary_name": "busybox-syslogd",
"binary_version": "1:1.21.0-1ubuntu1.4+esm1"
},
{
"binary_name": "udhcpc",
"binary_version": "1:1.21.0-1ubuntu1.4+esm1"
},
{
"binary_name": "udhcpd",
"binary_version": "1:1.21.0-1ubuntu1.4+esm1"
}
]
}Ubuntu:Pro:16.04:LTS
busybox
Package
- Name
- busybox
- Purl
- pkg:deb/ubuntu/busybox@1:1.22.0-15ubuntu1.4+esm2?arch=source&distro=esm-infra/xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1:1.*
1:1.22.0-15ubuntu1
1:1.22.0-15ubuntu1.4
1:1.22.0-15ubuntu1.4+esm1
1:1.22.0-15ubuntu1.4+esm2
Ecosystem specific
{
"binaries": [
{
"binary_name": "busybox",
"binary_version": "1:1.22.0-15ubuntu1.4+esm2"
},
{
"binary_name": "busybox-initramfs",
"binary_version": "1:1.22.0-15ubuntu1.4+esm2"
},
{
"binary_name": "busybox-static",
"binary_version": "1:1.22.0-15ubuntu1.4+esm2"
},
{
"binary_name": "busybox-syslogd",
"binary_version": "1:1.22.0-15ubuntu1.4+esm2"
},
{
"binary_name": "udhcpc",
"binary_version": "1:1.22.0-15ubuntu1.4+esm2"
},
{
"binary_name": "udhcpd",
"binary_version": "1:1.22.0-15ubuntu1.4+esm2"
}
]
}Ubuntu:Pro:18.04:LTS
busybox
Package
- Name
- busybox
- Purl
- pkg:deb/ubuntu/busybox@1:1.27.2-2ubuntu3.4+esm1?arch=source&distro=esm-infra/bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
1:1.*
1:1.22.0-19ubuntu2
1:1.27.2-1ubuntu3
1:1.27.2-1ubuntu4
1:1.27.2-2ubuntu2
1:1.27.2-2ubuntu3
1:1.27.2-2ubuntu3.1
1:1.27.2-2ubuntu3.2
1:1.27.2-2ubuntu3.3
1:1.27.2-2ubuntu3.4
1:1.27.2-2ubuntu3.4+esm1
Ecosystem specific
{
"binaries": [
{
"binary_name": "busybox",
"binary_version": "1:1.27.2-2ubuntu3.4+esm1"
},
{
"binary_name": "busybox-initramfs",
"binary_version": "1:1.27.2-2ubuntu3.4+esm1"
},
{
"binary_name": "busybox-static",
"binary_version": "1:1.27.2-2ubuntu3.4+esm1"
},
{
"binary_name": "busybox-syslogd",
"binary_version": "1:1.27.2-2ubuntu3.4+esm1"
},
{
"binary_name": "udhcpc",
"binary_version": "1:1.27.2-2ubuntu3.4+esm1"
},
{
"binary_name": "udhcpd",
"binary_version": "1:1.27.2-2ubuntu3.4+esm1"
}
]
}