CVE Catalog

CVE-2026-45380

LowCVSS 3.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

2th percentile — higher than 2% of all known CVEs

Summary

In the bit7z library prior to version 4.0.12, there was a one-byte off-by-one error in the SafeOutPathBuilder::restoreSymlink() function that allowed an attacker to craft a .7z archive. When extracted on non-Windows platforms, this created a symlink that could escape the intended output directory.

Risk Assessment

An attacker could exploit this vulnerability to write arbitrary files outside the extraction directory, posing a risk of unauthorized access to the file system.

Recommendation

It is recommended to update the bit7z library to version 4.0.12 or later to mitigate this vulnerability.

Original NVD description (English source)

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS