CVE Catalog

CVE-2026-13165

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Summary

A vulnerability in SzafirHost allows an attacker to inject a malicious native library into a JAR archive that is signed and verified. The signature verification uses a JarFile parser (reading the Central Directory), while extraction uses a JarInputStream parser (reading sequentially from local file headers). An attacker can insert a library entry between the last legitimate entry and the Central Directory, which is not seen by the signature verifier but is read and written by the extractor, leading to remote code execution.

Risk Assessment

The risk for the organization is critical, as an attacker can remotely execute arbitrary code on the server or workstation where the vulnerable version of SzafirHost is used, potentially leading to system compromise, data theft, or further attack propagation.

Recommendation

Immediately update SzafirHost to version 1.2.2 or later, which contains the fix for this vulnerability. Before updating, temporarily restrict access to the service and avoid downloading archives from untrusted sources.

Original NVD description (English source)

SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This can lead to remote code execution. This issue was fixed in version 1.2.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS