CVE-2026-23879
Received Received - Intake
Arbitrary File Write in py7zr via Malicious Symlink Chains

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: GitHub, Inc.

Description
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Versions 1.1.2 and below contain an an arbitrary file write vulnerability, which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using extractall to extract an archive, the library restores these symbolic links, linking them to arbitrary directories on the host file system. During extraction, the program only checks the link arcname within the destination directory, but ignores the combined symlink path resolution. Attackers can exploit this vulnerability by constructing malicious archives, thereby bypassing the directory boundary restrictions implemented by the extractor. Subsequent extraction of regular files through these symbolic links can result in arbitrary file writes. This vulnerability may lead to remote code execution, privilege escalation, data corruption, or denial of service. This issue has been fixed in version 1.1.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-24
Last Modified
2026-06-24
Generated
2026-06-25
AI Q&A
2026-06-24
EPSS Evaluated
N/A
NVD
CVE-2026-23879
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
miurahr py7zr to 1.1.3 (exc)
miurahr py7zr From 1.1.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23879 is an arbitrary file write vulnerability in the py7zr Python library, which handles 7zip archive compression and extraction. The issue arises because the library improperly validates symbolic links during archive extraction. Specifically, when extracting archives using the extractall function, py7zr only checks if the symbolic link's path is within the destination directory but fails to resolve the full symlink chain. This allows attackers to craft malicious archives containing symbolic link chains that point outside the intended extraction directory.

As a result, files can be written to arbitrary locations on the host system when extracted, bypassing directory boundary restrictions. This vulnerability affects py7zr versions 1.1.2 and below and was fixed in version 1.1.3.

Impact Analysis

This vulnerability can have severe impacts including remote code execution, privilege escalation, data corruption, and denial of service. By exploiting the symbolic link flaw, an attacker can write files to arbitrary locations on the system, potentially overwriting critical files or placing malicious executables.

Because the attack requires only the extraction of a specially crafted archive, it has low attack complexity and can be performed with minimal privileges. The vulnerability affects the confidentiality, integrity, and availability of the system.

Detection Guidance

Detection of this vulnerability involves identifying if py7zr versions 1.1.2 or below are in use, as these versions contain the arbitrary file write flaw via symbolic link extraction.

Since the vulnerability is triggered during extraction of malicious 7z archives containing crafted symbolic link chains, monitoring extraction activities and inspecting archive contents for suspicious symbolic links can help detect exploitation attempts.

Commands to check the installed py7zr version include:

  • python -m pip show py7zr
  • pip freeze | grep py7zr

To detect suspicious symbolic links in extracted directories, you can use commands like:

  • find /path/to/extracted/files -type l -ls
  • readlink -f /path/to/symlink

Network detection is limited since the exploit requires archive extraction locally, but monitoring for unexpected file writes outside intended extraction directories or unusual symbolic link creations may indicate exploitation.

Mitigation Strategies

The primary mitigation step is to upgrade py7zr to version 1.1.3 or later, where this arbitrary file write vulnerability has been fixed by hardening path traversal checks.

Until the upgrade can be applied, avoid extracting untrusted or suspicious 7z archives using vulnerable py7zr versions.

Additionally, implement strict file system permissions and monitor extraction directories for unexpected symbolic links or file writes outside the intended paths.

Consider applying other security best practices such as running extraction processes with least privilege to limit potential impact.

Compliance Impact

The vulnerability in py7zr allows arbitrary file writes outside the intended extraction directory, potentially leading to remote code execution, privilege escalation, data corruption, or denial of service.

Such impacts could compromise the confidentiality, integrity, and availability of data, which are core principles in standards and regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to unauthorized data access or modification, data breaches, or system disruptions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23879. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart