
7-Zip CVE-2026-58052

EUVD: EUVD-2026-39972 · MEDIUM
Protection Mechanism Failure (CWE-693)
2026-06-28 · VulnCheck · GHSA-fx33-p83c-vpr5
4.8 (CVSS 4.0 · Vendor: VulnCheck)

Severity by source

Vendor (VulnCheck) PRIMARY
4.8 LOW
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.3 LOW

Local vector since extraction occurs on-disk; no privileges needed; user must actively extract the archive (UI:R); impact is integrity-only as the MotW zone data and file content stream are overwritten.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS Vector (Vendor: VulnCheck)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: P
Scope: X

Lifecycle Timeline (4 events)

Analysis Generated: Jun 28, 2026 - 02:30 (vuln.today)
Severity Changed: Jun 28, 2026 - 02:22 (NVD), LOW → MEDIUM
CVSS changed: Jun 28, 2026 - 02:22 (NVD), 3.3 (LOW) → 4.8 (MEDIUM)
CVE Published: Jun 28, 2026 - 01:32 (cve.org), MEDIUM 4.8

Description (CVE.org)

7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched and NTFS canonicalizes it to the same stream, overwriting the propagated Internet-zone marker with ZoneId=0. A second STM record named '::$DATA' overwrites the extracted file's default data stream, letting an attacker defeat SmartScreen/MotW warnings and spoof file content.
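
An added example, not 7-Zip's code and not part of the CVE record: the exact-name comparison described above next to a guard that canonicalizes the archive-supplied stream name before checking it. The function names, the policy of refusing any stream type other than `$DATA`, and the use of `casefold()` to approximate NTFS case-insensitive matching are assumptions.

```python
# Added example (not 7-Zip source). Models how an extractor could decide
# whether an archive-supplied alternate-data-stream name must be suppressed.

RESERVED_STREAMS = {"", "zone.identifier"}  # "" is the file's default data stream


def canonical_stream(name: str) -> tuple[str, str]:
    """Reduce '[:]stream[:type]' to (stream, type), the form NTFS resolves it to.

    Assumption: casefold() approximates NTFS case-insensitive name matching.
    """
    if name.startswith(":"):
        name = name[1:]
    parts = name.split(":")
    if len(parts) > 2:
        raise ValueError(f"malformed stream name: {name!r}")
    stream = parts[0]
    stype = parts[1] if len(parts) == 2 and parts[1] else "$DATA"
    return stream.casefold(), stype.upper()


def exact_name_guard(name: str) -> bool:
    """The weak check the description names: a literal string comparison."""
    return name == "Zone.Identifier"


def canonical_guard(name: str) -> bool:
    """Return True when the archive-supplied stream must not be written."""
    try:
        stream, stype = canonical_stream(name)
    except ValueError:
        return True  # fail closed on anything unparseable
    if stype != "$DATA":
        return True  # assumed policy: only plain data streams are extractable
    return stream in RESERVED_STREAMS


def audit(names):
    """Return names the exact check lets through but canonicalization blocks."""
    return [n for n in names if canonical_guard(n) and not exact_name_guard(n)]


if __name__ == "__main__":
    # Constructed sample: stream names as they might appear in archive records.
    sample = ["Zone.Identifier", ":Zone.Identifier:$DATA", "::$DATA", "notes"]
    for n in audit(sample):
        print("missed by exact match:", n)
```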

Analysis (AI)

Mark-of-the-Web protection is bypassed in 7-Zip for Windows 26.02 and earlier when extracting crafted RAR5 archives, allowing an attacker to strip the Internet-zone marker (ZoneId=0) and spoof the extracted file's data stream content - directly defeating SmartScreen and Windows attachment warnings. The bypass exploits a gap between 7-Zip's exact-string guard ('Zone.Identifier') and the NTFS-canonical equivalent (':Zone.Identifier:$DATA') that a RAR5 STM record can supply; a second STM record ('::$DATA') additionally overwrites the default file data stream for content spoofing. …


Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft RAR5 with malicious STM records
Delivery: Deliver archive via phishing or web
Exploit: Victim downloads archive, ZoneId=3 applied
Execution: Victim extracts with vulnerable 7-Zip
Persist: Zone.Identifier overwritten with ZoneId=0
Impact: Victim executes payload without SmartScreen warning

Vulnerability Assessment (AI)

Exploitation: The victim system must run 7-Zip for Windows version 26.02 or earlier - no other extractor triggers this flaw. …

Risk Assessment: The official CVSS 4.0 score of 4.8 (Medium, AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N) mechanically captures the narrow technical impact but substantially underrepresents real-world risk. …

Exploit Scenario: An attacker crafts a RAR5 archive embedding a malicious executable payload, with a STM record named ':Zone.Identifier:$DATA' (to strip the Internet-zone mark) and a STM record named '::$DATA' (to substitute spoofed file content that appears benign, e.g., a decoy document). The archive is delivered as an email attachment or hosted for drive-by download; the victim downloads it, which causes Windows to apply ZoneId=3 to the archive. …

Remediation: No vendor-released patched version has been confirmed in available data at the time of analysis - the 7-Zip source repository (https://github.com/ip7z/7zip) is referenced but no tagged release addressing this issue is identified. …
