CVE-2026-13165

SzafirHost Native Library Archive Signature Bypass Leading to RCE

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: CERT.PL

Description

SzafirHost verifies the downloaded native library archive with one parser, JarFile (which reads the Central Directory), but extracts native libraries with a different one, JarInputStream (which reads sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check, while the archive-size check still passes. This can lead to remote code execution. This issue was fixed in version 1.2.2.

Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
szafirhost jarfile 1.2.2
elektronicznypodpis szafir 1.2.2

Exploitability

CWE
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Executive Summary

This vulnerability exists in SzafirHost's handling of downloaded native library archives. The system verifies the archive's signature using one method (JarFile parser reading the Central Directory), but extracts the native libraries using a different method (JarInputStream parser reading sequentially from local file headers). An attacker controlling the archive can insert a malicious library file as a local-file-header entry that is not listed in the Central Directory. Because the signature verification only checks the Central Directory, it does not detect this malicious entry. However, the extractor reads and extracts this malicious file, writing it to the native temp directory without any hash check. This discrepancy allows the attacker to bypass signature verification and potentially execute remote code.
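
The mismatch between the two parsers, as set out in the description and the summary above, can be checked for directly. The following Python sketch is an added example, not SzafirHost code or the vendor's fix: it walks an archive's local file headers from offset 0, the way a streaming extractor does, and reports every entry the Central Directory does not list. The name `orphan_local_entries` is an assumption, and ZIP64 data descriptors and data prepended to the archive are not handled.

```python
import io
import struct
import sys
import zipfile

LOCAL_SIG = b"PK\x03\x04"       # local file header
DESCRIPTOR_SIG = b"PK\x07\x08"  # optional data-descriptor signature


def orphan_local_entries(data: bytes) -> list[str]:
    """Names of local-header entries that the Central Directory does not list."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # What a Central Directory reader (JarFile-style) sees, keyed by offset.
        listed = {info.header_offset: info for info in zf.infolist()}

    orphans = []
    pos = 0
    # What a streaming reader (JarInputStream-style) sees: header after header.
    while data[pos:pos + 4] == LOCAL_SIG and pos + 30 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        (csize,) = struct.unpack_from("<I", data, pos + 18)
        name_len, extra_len = struct.unpack_from("<HH", data, pos + 26)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")

        info = listed.get(pos)
        if info is None:
            orphans.append(name)
            if flags & 0x08:
                break  # size is only in a trailing descriptor; stop, already flagged
        else:
            csize = info.compress_size  # directory value is authoritative here

        pos += 30 + name_len + extra_len + csize
        if flags & 0x08:  # skip the 12-byte descriptor, 16 with its signature
            pos += 16 if data[pos:pos + 4] == DESCRIPTOR_SIG else 12
    return orphans


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        found = orphan_local_entries(fh.read())
    for entry in found:
        print("not in Central Directory:", entry)
    sys.exit(1 if found else 0)
```

Run against a downloaded archive, the script exits non-zero when any entry is visible only to a sequential reader, which is the condition a verifier should treat as a failed check.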

Impact Analysis

The main impact of this vulnerability is the potential for remote code execution. An attacker who can serve a specially crafted archive can inject malicious native libraries that will be extracted and executed on the victim's system without detection. This can lead to unauthorized control over the affected system, data compromise, and further exploitation.

Mitigation Strategies

The vulnerability in SzafirHost was fixed in version 1.2.2.

To mitigate this vulnerability, you should immediately update SzafirHost to version 1.2.2 or later.
