CVE-2026-45380
NVD status: Deferred - Pending Action

Symlink Escape in bit7z Archive Extraction

Vulnerability report for CVE-2026-45380, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-07-01
AI Q&A: 2026-06-11
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor   Product   Version / Range
bit7z    bit7z     up to 4.0.12 (excluding)

CWE

CWE ID    Description
CWE-193   A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
CWE-22    The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Executive Summary

This vulnerability exists in bit7z, a cross-platform C++ static library used for compressing and extracting archive files. Before version 4.0.12, there was a one-byte off-by-one error in the function SafeOutPathBuilder::restoreSymlink(). This error allows an attacker to create a specially crafted .7z archive that, when extracted on any non-Windows platform, can create a symbolic link (symlink) that escapes the intended extraction directory.

Because of this symlink escape, subsequent files extracted from the archive can be written outside the designated extraction folder, potentially overwriting arbitrary files on the system with the permissions of the extracting process.

This issue was fixed in bit7z version 4.0.12.

Impact Analysis

This vulnerability can allow an attacker to write arbitrary files outside the intended extraction directory when you extract a malicious .7z archive using bit7z on a non-Windows platform.

The attacker could potentially overwrite important system or application files, leading to unauthorized modification of data, disruption of services, or execution of malicious code with the permissions of the user performing the extraction.

The impact depends on the permissions of the extracting process, but it can lead to integrity and availability issues on the affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade bit7z to version 4.0.12 or later, where the issue has been patched.

Avoid extracting .7z archives from untrusted sources on non-Windows platforms until the upgrade is applied.

Detection Guidance

This vulnerability involves a crafted .7z archive that creates a symlink escaping the intended extraction directory on non-Windows systems. Detection involves identifying suspicious symlinks created during extraction that point outside the expected directory.

To detect exploitation attempts or the presence of this vulnerability on your system, you can:

  • Monitor extracted directories for unexpected symlinks pointing outside the extraction path.
  • Use commands to find symlinks that point outside a given directory, for example:

      find /path/to/extraction -type l -exec bash -c 'target=$(readlink -f "$0"); [[ "$target" != /path/to/extraction/* ]] && echo "$0 -> $target"' {} \;

  • Check for unexpected file modifications outside extraction directories that could indicate arbitrary file writes.

Additionally, ensure your bit7z library version is 4.0.12 or later, as this vulnerability is patched in that version.

Compliance Impact

The vulnerability allows an attacker to write arbitrary files outside the intended extraction directory, potentially overwriting sensitive files such as .bashrc, .ssh/authorized_keys, or crontab files. This could lead to unauthorized access, arbitrary code execution, or privilege escalation.

Such unauthorized file modifications and potential data breaches could impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

However, the attack complexity is high, user interaction is required, and the impact is limited to one directory level above the extraction directory. Additionally, the vulnerability is patched in version 4.0.12.
