CVE-2026-45384
Deferred Deferred - Pending Action

Arbitrary File Overwrite in bit7z via Symlink Attack

Vulnerability report for CVE-2026-45384, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in version 4.0.12.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-10
Last Modified
2026-06-11
Generated
2026-07-01
AI Q&A
2026-06-11
EPSS Evaluated
2026-06-30
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
bit7z bit7z to 4.0.12 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-377 Creating and using insecure temporary files can leave application and system data vulnerable to attack.
CWE-59 The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in bit7z, a cross-platform C++ static library for compressing and extracting archive files, is an arbitrary file overwrite issue. It occurs via a symlink attack on predictable temporary files during the archive update process. This means an attacker could potentially overwrite files they should not have access to by exploiting the way temporary files are handled.

Impact Analysis

This vulnerability can lead to unauthorized modification of files due to arbitrary file overwrite. An attacker with local access and low privileges could exploit this to alter important files, potentially causing data integrity issues or system instability.

Mitigation Strategies

To mitigate this vulnerability, you should update bit7z to version 4.0.12 or later, as this version contains the patch that fixes the arbitrary file overwrite vulnerability via symlink attack.

Detection Guidance

This vulnerability can be detected by checking for the presence of predictable temporary files named <archive_path>.tmp in directories where bit7z archives are updated, especially if those directories are writable by multiple users.

You can look for suspicious symlinks named like these temporary files that point to sensitive or critical files, which could indicate an attempted or successful exploit.

Suggested commands to detect potential exploitation or presence of the vulnerability include:

  • Find symlinks named *.tmp in archive directories: find /path/to/archives -type l -name '*.tmp' -ls
  • Check if these symlinks point to sensitive files: ls -l /path/to/archives/*.tmp
  • Monitor file changes or overwrites in critical files that could be targets of the symlink attack using tools like inotifywait or auditd.
  • Verify the bit7z library version in use to ensure it is 4.0.12 or later, which contains the fix.
Compliance Impact

The vulnerability in bit7z allows arbitrary file overwrite via a symlink attack on predictable temporary files during archive update. This could potentially lead to unauthorized modification of files, which may impact data integrity.

However, there is no direct information provided about how this vulnerability specifically affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45384. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart