CVE-2026-45380
LowCVSS 3.6Exploitation Probability (EPSS)
Low risk2th percentile — higher than 2% of all known CVEs
Summary
In the bit7z library prior to version 4.0.12, there was a one-byte off-by-one error in the SafeOutPathBuilder::restoreSymlink() function that allowed an attacker to craft a .7z archive. When extracted on non-Windows platforms, this created a symlink that could escape the intended output directory.
Risk Assessment
An attacker could exploit this vulnerability to write arbitrary files outside the extraction directory, posing a risk of unauthorized access to the file system.
Recommendation
It is recommended to update the bit7z library to version 4.0.12 or later to mitigate this vulnerability.
Original NVD description (English source)
bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12.

