Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-26157

7.0 HIGH

CVSS version: 3.1
Attack vector (AV): LOCAL
Attack complexity (AC): HIGH
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): HIGH

created 2 months, 1 week ago Activity log

Created suggestion 2 months, 1 week ago

Busybox: busybox: arbitrary file overwrite and potential code execution via incomplete path sanitization

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.

References

https://access.redhat.com/security/cve/CVE-2026-26157 vdb-entryx_refsource_REDHAT
RHBZ#2439039 issue-trackingx_refsource_REDHAT
https://git.busybox.net/busybox/commit/archival?id=3fb6b31c716669e12f75a2accd31…

Affected products

busybox

Matching in nixpkgs

pkgs.busybox

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.36.1
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.1
- nixpkgs-25.11-darwin 1.36.1

pkgs.gobusybox

Tools for compiling many Go commands into one binary to save space

nixos-unstable 0.2.0-unstable-2024-03-05
- nixpkgs-unstable 0.2.0-unstable-2024-03-05
- nixos-unstable-small 0.2.0-unstable-2024-03-05
nixos-25.11 0.2.0-unstable-2024-03-05
- nixpkgs-25.11-darwin 0.2.0-unstable-2024-03-05

pkgs.busybox-sandbox-shell

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable 1.36.1
- nixpkgs-unstable 1.37.0
- nixos-unstable-small 1.37.0
nixos-25.11 1.36.1
- nixpkgs-25.11-darwin 1.36.1

pkgs.minimal-bootstrap.busybox-static

Tiny versions of common UNIX utilities in a single small executable

nixos-unstable -
- nixpkgs-unstable 1.36.1
- nixos-unstable-small 1.36.1

Package maintainers

@alyssais Alyssa Ross <hi@alyssa.is>
@TethysSvensson Tethys Svensson <freaken@freaken.dk>
@katexochen Paul Meyer <katexochen0@gmail.com>
@emilytrau Emily Trau <emily+nix@downunderctf.com>
@Ericson2314 John Ericson <John.Ericson@Obsidian.Systems>
@alejandrosame Alejandro Sánchez Medina <alejandrosanchzmedina@gmail.com>
@Gskartwii Aleksi Hannula <ahannula4@gmail.com>
@pyrox0 Pyrox <pyrox@pyrox.dev>
@06kellyjac Jack <hello+nixpkgs@j-k.io>
@Artturin Artturi N <artturin@artturin.com>
@siraben Siraphob Phipathananunth <bensiraphob@gmail.com>