CVE-2026-26158 is a vulnerability identified in BusyBox, a widely used software suite providing Unix utilities, including tar functionality, within Red Hat Enterprise Linux 6. The flaw arises from insufficient validation of hardlink and symlink entries in tar archives during extraction. An attacker can craft a malicious tar archive that includes these entries pointing outside the intended extraction directory. When such an archive is extracted, especially with elevated privileges (e.g., root), the extraction process can overwrite or create files in arbitrary locations on the filesystem. This external control of file name or path can lead to privilege escalation by allowing attackers to modify critical system files, potentially gaining unauthorized access or control over the system. The vulnerability has a CVSS 3.1 base score of 7.0, reflecting high severity, with an attack vector requiring local access (AV:L), high attack complexity (AC:H), no privileges required (PR:N), and requiring user interaction (UI:R). The impact affects confidentiality, integrity, and availability, as attackers can alter system files and potentially disrupt system operations. No known exploits are reported in the wild, but the risk remains significant due to the potential for privilege escalation and system compromise. The vulnerability affects Red Hat Enterprise Linux 6, which still sees use in some legacy and specialized environments.

The vulnerability allows attackers with local access to escalate privileges by exploiting the tar extraction process to overwrite or create files outside the intended directory. This can lead to unauthorized modification of critical system files, compromising system integrity and confidentiality. In worst cases, attackers can gain root-level access, enabling full control over affected systems. This can disrupt availability if system files are corrupted or replaced with malicious versions. Organizations running Red Hat Enterprise Linux 6 in production, especially those extracting untrusted tar archives with elevated privileges, face significant risk. The impact extends to critical infrastructure, enterprise servers, and legacy systems that rely on BusyBox tar functionality. Exploitation complexity is high, but the consequences of successful exploitation are severe, including potential data breaches, system downtime, and lateral movement within networks.

1. Apply official patches from Red Hat as soon as they become available to address this vulnerability in BusyBox. 2. Avoid extracting tar archives from untrusted or unauthenticated sources, especially with elevated privileges. 3. Use sandboxed or isolated environments for extracting untrusted archives to limit potential damage. 4. Employ file system permissions and access controls to restrict write access to critical directories during extraction. 5. Consider using alternative extraction tools that properly validate hardlink and symlink entries if patching is not immediately possible. 6. Implement monitoring and alerting for unusual file modifications in sensitive directories to detect potential exploitation attempts. 7. Educate system administrators and users about the risks of extracting untrusted archives with root privileges. 8. Regularly audit systems for unauthorized changes to critical files to identify potential compromise early.