Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-26158

7.0 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Busybox: busybox: arbitrary file modification and privilege escalation via unvalidated tar archive entries

A flaw was found in BusyBox. This vulnerability allows an attacker to modify files outside of the intended extraction directory by crafting a malicious tar archive containing unvalidated hardlink or symlink entries. If the tar archive is extracted with elevated privileges, this flaw can lead to privilege escalation, enabling an attacker to gain unauthorized access to critical system files.

References

https://access.redhat.com/security/cve/CVE-2026-26158 vdb-entryx_refsource_REDHAT
RHBZ#2439040 issue-trackingx_refsource_REDHAT
https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31…

Affected products

busybox

Matching in nixpkgs

pkgs.busybox

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.36.1
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.1
- nixpkgs-25.11-darwin 1.36.1

pkgs.gobusybox

Tools for compiling many Go commands into one binary to save space

nixos-unstable 0.2.0-unstable-2024-03-05
- nixpkgs-unstable 0.2.0-unstable-2024-03-05
- nixos-unstable-small 0.2.0-unstable-2024-03-05
nixos-25.11 0.2.0-unstable-2024-03-05
- nixpkgs-25.11-darwin 0.2.0-unstable-2024-03-05

pkgs.busybox-sandbox-shell

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.36.1
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.1
- nixpkgs-25.11-darwin 1.36.1

pkgs.minimal-bootstrap.busybox-static

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable -
- nixpkgs-unstable 1.36.1
- nixos-unstable-small 1.36.1

Package maintainers

@alyssais Alyssa Ross <hi@alyssa.is>
@TethysSvensson Tethys Svensson <freaken@freaken.dk>
@katexochen Paul Meyer <katexochen0@gmail.com>
@emilytrau Emily Trau <emily+nix@downunderctf.com>
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
@Gskartwii Aleksi Hannula <ahannula4@gmail.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@Artturin Artturi N <artturin@artturin.com>
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>