CVE-2026-45380
Deferred Deferred - Pending Action
Symlink Escape in bit7z Archive Extraction

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-11
Generated
2026-06-11
AI Q&A
2026-06-11
EPSS Evaluated
N/A
NVD
CVE-2026-45380
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bit7z bit7z to 4.0.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-193 A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in bit7z, a cross-platform C++ static library used for compressing and extracting archive files. Before version 4.0.12, there was a one-byte off-by-one error in the function SafeOutPathBuilder::restoreSymlink(). This error allows an attacker to create a specially crafted .7z archive that, when extracted on any non-Windows platform, can create a symbolic link (symlink) that escapes the intended extraction directory.

Because of this symlink escape, subsequent files extracted from the archive can be written outside the designated extraction folder, potentially overwriting arbitrary files on the system with the permissions of the extracting process.

This issue was fixed in bit7z version 4.0.12.

Impact Analysis

This vulnerability can allow an attacker to write arbitrary files outside the intended extraction directory when you extract a malicious .7z archive using bit7z on a non-Windows platform.

The attacker could potentially overwrite important system or application files, leading to unauthorized modification of data, disruption of services, or execution of malicious code with the permissions of the user performing the extraction.

The impact depends on the permissions of the extracting process, but it can lead to integrity and availability issues on the affected system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade bit7z to version 4.0.12 or later, where the issue has been patched.

Avoid extracting .7z archives from untrusted sources on non-Windows platforms until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45380. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart