Skip to main content

bit7z CVE-2026-45380

| EUVDEUVD-2026-36116 LOW
Path Traversal (CWE-22)
2026-06-10 GitHub_M
3.6
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
3.6 LOW
AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
vuln.today AI
3.6 LOW

AV:L because extraction runs locally; AC:H for precise off-by-one crafting required; PR:N since archive delivery needs no system access; UI:R for mandatory user-triggered extraction; I:L and A:L reflect bounded one-level write; C:N as no data is read.

3.1 AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
Jun 10, 2026 - 22:01 EUVD
Source Code Evidence Fetched
Jun 10, 2026 - 21:20 vuln.today
Analysis Generated
Jun 10, 2026 - 21:20 vuln.today
CVE Published
Jun 10, 2026 - 20:00 cve.org
LOW 3.6

DescriptionCVE.org

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12.

AnalysisAI

Path traversal via crafted .7z archive in bit7z before v4.0.12 on POSIX platforms allows an attacker-controlled symlink to escape the extraction directory by exactly one level - up to the parent directory. Any archive entries extracted after the malicious symlink is placed will write attacker-controlled files to the parent of the intended output path, carrying the permissions of the extracting process. No public exploit has been identified at time of analysis and this CVE is not listed in CISA KEV; the vendor-confirmed fix ships in version 4.0.12.

Technical ContextAI

bit7z is a cross-platform C++ static library (CPE: cpe:2.3:a:rikyoz:bit7z:*:*:*:*:*:*:*:*) that wraps 7-Zip functionality and is embedded by developers into applications requiring archive compression and extraction. The root cause is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Specifically, a one-byte off-by-one error in the SafeOutPathBuilder::restoreSymlink() function allows path validation to be bypassed during symlink restoration from within an archive. On POSIX systems where symlink restoration is implemented, a maliciously crafted symlink entry can resolve to a target one directory level above the configured extraction root. Symlink-based traversal during archive extraction is a well-documented attack class; this variant is architecturally bounded to a single level of escape, which is a meaningful but real constraint. Windows is architecturally excluded because bit7z does not implement symlink restoration on that platform.

RemediationAI

The vendor-released patch is bit7z version 4.0.12, confirmed at https://github.com/rikyoz/bit7z/releases/tag/v4.0.12. Because bit7z is a static library, developers must upgrade their dependency to v4.0.12 and rebuild any binaries that statically link against it - distributing the patched library alone is insufficient without a rebuild. For applications unable to upgrade immediately, the most actionable compensating control is to disable or skip symlink restoration during extraction if the bit7z API exposes that option, preventing the malicious symlink from being created at all. Alternatively, restricting extraction to trusted archive sources and running the extracting process under a least-privilege account limits the impact of any files written outside the extraction directory. The full security advisory including technical details is at https://github.com/rikyoz/bit7z/security/advisories/GHSA-8wj8-9jwv-j24v.

Share

CVE-2026-45380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy