Cyber Resilience

CVE-2026-26157

HighUpdated

Published: 11 February 2026

Published
11 February 2026
Modified
02 June 2026
KEV Added
Patch
CVSS Score v3.1 7.0 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0011 29.6th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26157 is a high-severity External Control of File Name or Path (CWE-73) vulnerability in Busybox (inferred from references). Its CVSS base score is 7.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 29.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A flaw was found in BusyBox. Incomplete path sanitization in its archive extraction utilities allows an attacker to craft malicious archives that when extracted, and under specific conditions, may write to files outside the intended directory. This can lead to…

more

arbitrary file overwrite, potentially enabling code execution through the modification of sensitive system files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Path traversal in BusyBox archive extraction directly enables arbitrary file overwrite of sensitive system files, facilitating local privilege escalation to achieve code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

Busybox
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-73

Rejects externally supplied file or resource identifiers that fail validity checks.

References