Path Traversal in BusyBox 1.37.0 (CVE‑2026‑26157) Enables Arbitrary File Read
What Happened – A flaw in BusyBox 1.36.1‑1.37.0’s archive extraction utilities allows a crafted TAR/ZIP/RPM archive to create symlinks that traverse out of the intended extraction directory. The vulnerability (CVE‑2026‑26157) results in arbitrary file read and potential credential theft.
Why It Matters for TPRM –
- BusyBox is embedded in countless IoT, networking, and container images; a single compromised third‑party component can expose downstream customers.
- Exploits require only a malicious archive, a low‑skill attack vector that can be delivered via supply‑chain or phishing attachments.
- The CVSS 7.8 rating (High) signals a strong incentive for threat actors to weaponize the bug against any organization that trusts BusyBox‑based tooling.
Who Is Affected – Vendors and customers that ship or run BusyBox 1.36.1‑1.37.0 in routers, firewalls, embedded Linux devices, container base images, and CI/CD pipelines (e.g., telecom, manufacturing, cloud‑native SaaS, and IoT).
Recommended Actions –
- Verify the BusyBox version used in all third‑party products and replace ≤ 1.37.0 with ≥ 1.37.1 (or apply vendor patches).
- Review any automated archive‑extraction processes for unsafe handling of symlinks.
- Conduct a file‑integrity scan on systems that may have extracted untrusted archives since Feb 2026.
Technical Notes – The vulnerable code resides in archival/libarchive/unsafe_prefix.c. The function strip_unsafe_prefix() only matches the four‑character pattern "/../" and fails on trailing "/.." sequences, allowing symlinks such as sensitive_data -> /etc/pam.d/.. to resolve to /etc. Exploited components include tar, unzip, rpm, and ar. CVSS 7.8 (High). Source: Exploit‑DB 52538
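Worked illustration of the check described above, added here as an example and not taken from BusyBox or from strip_unsafe_prefix(): a naive matcher that only looks for the four-character "/../" misses a trailing "/..", while a component-wise check catches ".." anywhere. The reject-instead-of-strip policy for archive symlink targets is an assumption of this example, not BusyBox's behaviour.

```c
#include <stdbool.h>
#include <string.h>

/* Weak check modelled on the flaw the advisory describes: it only
 * finds the four-character substring "/../", so a path that ends in
 * "/.." (no trailing slash) is never flagged. Illustrative stand-in,
 * not BusyBox's actual strip_unsafe_prefix(). */
bool naive_has_dotdot(const char *path)
{
    return strstr(path, "/../") != NULL;
}

/* Hardened check: walk every '/'-separated component and flag any
 * component that is exactly "..", whether leading, middle or trailing. */
bool path_has_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/* Assumed extraction policy for a symlink target read from an archive:
 * absolute targets and any ".." component are rejected outright, which
 * is stricter than prefix stripping and closes the trailing-"/.." gap. */
bool symlink_target_is_safe(const char *target)
{
    if (target[0] == '/')
        return false;
    return !path_has_dotdot_component(target);
}
```

Running the two checks against the advisory's own sample target, /etc/pam.d/.., shows the difference: the naive matcher returns false, the component-wise check returns true.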