Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector since extraction occurs on-disk; no privileges needed; user must actively extract the archive (UI:P); impact is integrity-only as the MotW zone data and file content stream are overwritten.
Primary rating from Vendor (VulnCheck).
CVSS Vector (Vendor: VulnCheck)
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched and NTFS canonicalizes it to the same stream, overwriting the propagated Internet-zone marker with ZoneId=0. A second STM record named '::$DATA' overwrites the extracted file's default data stream, letting an attacker defeat SmartScreen/MotW warnings and spoof file content.
Analysis (AI)
Mark-of-the-Web protection is bypassed in 7-Zip for Windows 26.02 and earlier when extracting crafted RAR5 archives, allowing an attacker to strip the Internet-zone marker (ZoneId=0) and spoof the extracted file's data stream content - directly defeating SmartScreen and Windows attachment warnings. The bypass exploits a gap between 7-Zip's exact-string guard ('Zone.Identifier') and the NTFS-canonical equivalent (':Zone.Identifier:$DATA') that a RAR5 STM record can supply; a second STM record ('::$DATA') additionally overwrites the default file data stream for content spoofing. …
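One way to close the gap between the exact-string guard and the NTFS-canonical name, as an added example that is not 7-Zip's code: classify an archive-supplied stream name by the stream NTFS would open, and refuse anything that is not an ordinary named stream. The function names and the reject policy are assumptions of this example; `exact_guard` only models the comparison as the description characterises it.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>

enum class StreamKind { Ordinary, ZoneIdentifier, DefaultData, Malformed };

// Models the guard as the description characterises it: exact comparison only.
bool exact_guard(const std::string& name) { return name == "Zone.Identifier"; }

static std::string to_lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Classify "[:]name[:$TYPE]" by the stream it resolves to, not by its spelling.
StreamKind classify_stream(const std::string& raw) {
    std::string name = to_lower(raw);            // NTFS stream names are case-insensitive
    if (!name.empty() && name[0] == ':')
        name.erase(0, 1);                        // optional leading separator
    std::string type = "$data";                  // stream type defaults to $DATA
    const std::size_t colon = name.find(':');
    if (colon != std::string::npos) {
        type = name.substr(colon + 1);
        name.erase(colon);
    }
    if (type != "$data")
        return StreamKind::Malformed;            // other types or extra colons: refuse
    if (name.empty())
        return StreamKind::DefaultData;          // "::$DATA" is the file's main content
    if (name == "zone.identifier")
        return StreamKind::ZoneIdentifier;       // every spelling of the MotW stream
    return StreamKind::Ordinary;
}

// Assumed policy: only ordinary named streams may be written from archive metadata.
bool may_write_from_archive(const std::string& raw) {
    return classify_stream(raw) == StreamKind::Ordinary;
}
```
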
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The victim system must run 7-Zip for Windows version 26.02 or earlier - no other extractor triggers this flaw. … |
| Risk Assessment | The official CVSS 4.0 score of 4.8 (Medium, AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N) mechanically captures the narrow technical impact but substantially underrepresents real-world risk. … |
| Exploit Scenario | An attacker crafts a RAR5 archive embedding a malicious executable payload, with a STM record named ':Zone.Identifier:$DATA' (to strip the Internet-zone mark) and a STM record named '::$DATA' (to substitute spoofed file content that appears benign, e.g., a decoy document). The archive is delivered as an email attachment or hosted for drive-by download; the victim downloads it, which causes Windows to apply ZoneId=3 to the archive. … |
| Remediation | No vendor-released patched version has been confirmed in available data at the time of analysis - the 7-Zip source repository (https://github.com/ip7z/7zip) is referenced but no tagged release addressing this issue is identified. … |
Same weakness CWE-693 – Protection Mechanism Failure
Same technique Information Disclosure
EUVD-2026-39972
GHSA-fx33-p83c-vpr5