Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-delivered but requires attacker-controlled archive source and victim action, so AC:H and UI:R; unauthenticated on target (PR:N) with full host RCE giving C/I/A:H.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This can lead to remote code execution.
This issue was fixed in version 1.2.2.
AnalysisAI
Remote code execution in SzafirHost (KIR's Szafir electronic-signature host application) arises from a ZIP/JAR parser-confusion flaw: signature verification reads the archive's Central Directory while extraction reads local file headers sequentially, letting an attacker who controls the served native-library archive smuggle an unsigned malicious DLL/SO/DYLIB past the signature check. Versions prior to 1.2.2 are affected; the injected library is written to the native temp directory and loaded, yielding code execution on the victim's machine. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to control the served native-library archive (a compromised KIR distribution server or a man-in-the-middle position on the download channel) and to craft a ZIP/JAR with an extra local-file-header entry that is omitted from the Central Directory so it bypasses JarFile signature verification while remaining visible to the JarInputStream extractor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 base score is 8.6 (High) with vector AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H, indicating network-reachable, unauthenticated, low-complexity attack with high confidentiality/integrity/availability impact but requiring active user interaction (UI:A) and an attacker-controlled archive source. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or intercepts the archive distribution channel appends a malicious native library as a local-file-header entry between the last legitimate entry and the Central Directory, leaving the Central Directory (and thus the signature) untouched. When a victim runs SzafirHost and it downloads and extracts the archive, the signature verifier accepts it as validly signed while the sequential extractor writes the attacker's DLL/SO/DYLIB to the native temp directory and loads it, executing attacker code. … |
| Remediation | Vendor-released patch: 1.2.2 - upgrade SzafirHost to version 1.2.2 or later, which corrects the parser inconsistency so signature verification and extraction operate on the same archive view. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all SzafirHost deployments and restrict network access to trusted sources only; assess if isolated operation is feasible until remediation is available. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Szafirhost
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40078
GHSA-r9vj-frg8-hc25