Title: CVE-2026-26157: busybox: BusyBox: Arbitrary file overwrite and potential code execution via incomplete path sanitization
Status: NEW
Product: Security Response
Component: vulnerability
OS: Linux
Priority: high
Severity: high
Reported: 2026-02-11 18:09 UTC
Modified: 2026-02-11 20:17 UTC

Affected: BusyBox v1.36.1 and v1.37.0 (likely affects earlier versions too)
CVSS Score: 8.6 (HIGH)

Description:
- Component: strip_unsafe_prefix() function in archive extraction utilities (tar, unzip, rpm, ar, dpkg)
- Issue: Incomplete path sanitization fails to detect trailing ".." components in filenames (e.g., "logs/data/../"), allowing files to be written outside the intended extraction directory if the current working directory matches the target location.
- Impact: Arbitrary file overwrite, potential code execution through modification of shell configuration files, cron jobs, or other sensitive files.
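
A component-wise check for the path pattern described under "Issue", as an added example that is not BusyBox code and not the fix for this CVE. The helper name member_name_is_safe() is hypothetical and the names in main() are constructed samples; it rejects any archive member name that is absolute or has a ".." component, including a trailing one.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not BusyBox code: true only if the archive member
 * name is relative and has no ".." component anywhere, including as the
 * last component with or without a trailing slash. Lexical check only. */
bool member_name_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || *name == '\0')
        return false;               /* empty name: nothing to extract */
    if (*name == '/')
        return false;               /* absolute path */

    while (*p != '\0') {
        size_t len = strcspn(p, "/");   /* length of this component */

        /* Exact ".." only; "..a" and "a..b" are ordinary file names. */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;

        p += len;
        while (*p == '/')           /* "a//b" is walked like "a/b" */
            p++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample names; the first is the pattern from the report. */
    const char *samples[] = {
        "logs/data/../", "logs/data/..", "../x", "/abs/x",
        "logs/data/file.txt", "a..b/..c",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-20s %s\n", samples[i],
               member_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The check is purely lexical: it does not resolve symbolic links, so it complements extracting into a dedicated directory and does not replace it.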