CVE-2026-58052
Received - Intake

Mark-of-the-Web Bypass in 7-Zip via RAR5 Archive Extraction

Vulnerability report for CVE-2026-58052, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-28

Last updated on: 2026-06-28

Assigner: VulnCheck

Description

7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched and NTFS canonicalizes it to the same stream, overwriting the propagated Internet-zone marker with ZoneId=0. A second STM record named '::$DATA' overwrites the extracted file's default data stream, letting an attacker defeat SmartScreen/MotW warnings and spoof file content.


Meta Information

Published: 2026-06-28
Last Modified: 2026-06-28
Generated: 2026-06-28
AI Q&A: 2026-06-28
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor   Product   Version / Range
7-zip    7-zip     up to and including 26.02
7-zip    7-zip     up to and including 26.01

Exploitability

CWE-693: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Executive Summary

CVE-2026-58052 is a vulnerability in 7-Zip for Windows versions up to 26.02 where the program fails to properly preserve the Mark-of-the-Web (MotW) when extracting a specially crafted RAR5 archive.

The issue arises because 7-Zip's protection mechanism only checks for an exact match of the 'Zone.Identifier' stream name to suppress archive-supplied MotW data. However, a RAR5 archive can include an alternate data stream named ':Zone.Identifier:$DATA', which NTFS treats as equivalent to 'Zone.Identifier'. This allows the attacker-controlled stream to overwrite the legitimate MotW marker, effectively removing the Internet-zone designation (ZoneId=0).

Additionally, a second alternate data stream named '::$DATA' can overwrite the extracted file's default data stream, enabling attackers to bypass SmartScreen and MotW warnings and spoof the file content.

Impact Analysis

This vulnerability can allow an attacker to bypass Windows security features such as SmartScreen and Mark-of-the-Web warnings by manipulating alternate data streams in a crafted RAR5 archive.

By overwriting the MotW marker, the extracted files appear as if they are from a trusted source, removing warnings that would normally alert users to potentially unsafe files.

Furthermore, by overwriting the default data stream, attackers can spoof the visible content of the extracted file, potentially tricking users into opening malicious files disguised as benign ones.

Detection Guidance

This vulnerability involves 7-Zip failing to preserve the Mark-of-the-Web (MotW) when extracting crafted RAR5 archives with specially named alternate data streams. Detection involves verifying whether extracted files have had their MotW markers overwritten or if their content has been spoofed via alternate data streams.

One approach is to inspect extracted files for the presence and integrity of the Zone.Identifier alternate data stream, which marks files as coming from the Internet zone. On Windows systems, you can use the following commands to check for alternate data streams and MotW presence:

  • Use PowerShell to list the alternate data streams of a file: Get-Item -Path <filename> -Stream *
  • Use the cmd.exe command line to print the Zone.Identifier stream content: more < <filename>:Zone.Identifier
  • Compare the extracted file's content with the expected content to detect any spoofing caused by the '::$DATA' alternate stream.

Additionally, monitoring extraction operations of RAR5 archives with 7-Zip versions up to 26.02 and checking for suspicious alternate data streams named ':Zone.Identifier:$DATA' or '::$DATA' can help detect exploitation attempts.
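The checks above can be combined into a single post-extraction audit. The following PowerShell is an added example written for this page, not code from the CVE record or from 7-Zip: it reads the ZoneId from the downloaded archive itself (which should carry ZoneId=3 when it came from the Internet zone), then walks the extraction directory and flags any file whose Zone.Identifier stream is missing or no longer marks the Internet zone, along with any named streams other than the default data stream and Zone.Identifier. The function names, and the paths C:\Downloads\sample.rar and C:\Downloads\sample, are assumptions chosen for illustration.

```powershell
# Added example (not part of the CVE record): audit files extracted from an
# Internet-sourced archive and report any whose Mark-of-the-Web was lost.
# Assumptions: $ArchivePath is the downloaded archive (expected ZoneId=3) and
# $ExtractDir is the folder 7-Zip extracted into; both are placeholders.

function Get-ZoneId {
    param([Parameter(Mandatory)][string]$Path)
    # Return the integer ZoneId from the Zone.Identifier stream, or $null when
    # the stream is absent or carries no ZoneId line.
    try {
        $content = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction Stop
    } catch {
        return $null
    }
    foreach ($line in $content) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

function Test-MotwPreserved {
    param(
        [Parameter(Mandatory)][string]$ArchivePath,
        [Parameter(Mandatory)][string]$ExtractDir
    )
    $archiveZone = Get-ZoneId -Path $ArchivePath
    if ($null -eq $archiveZone -or $archiveZone -lt 3) {
        # Nothing to propagate: the archive was never marked as Internet-sourced.
        Write-Warning "Archive carries no Internet-zone marker (ZoneId=$archiveZone)."
    }
    Get-ChildItem -LiteralPath $ExtractDir -File -Recurse | ForEach-Object {
        $zone = Get-ZoneId -Path $_.FullName
        # Any named stream other than the default ':$DATA' and Zone.Identifier
        # is unexpected output from an archive extraction and worth a look.
        $extraStreams = (Get-Item -LiteralPath $_.FullName -Stream * |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }).Stream
        [pscustomobject]@{
            File         = $_.FullName
            ZoneId       = $zone
            # MotW counts as lost only if the archive had it and the file does not.
            MotwLost     = ($archiveZone -ge 3) -and (($null -eq $zone) -or ($zone -lt 3))
            ExtraStreams = ($extraStreams -join ', ')
        }
    }
}

# Usage: list only the files that need attention.
Test-MotwPreserved -ArchivePath 'C:\Downloads\sample.rar' -ExtractDir 'C:\Downloads\sample' |
    Where-Object { $_.MotwLost -or $_.ExtraStreams } |
    Format-Table -AutoSize
```

The comparison is deliberately relative to the archive's own marker rather than to a fixed expectation, so the audit stays quiet for archives that were never Internet-sourced and only flags a drop from ZoneId 3 (or 4) to a lower zone or to no stream at all, which is the outcome this CVE describes. Files reported with ZoneId 0 or with no stream after extraction from a ZoneId=3 archive are the ones to quarantine and examine before opening.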

Mitigation Strategies

To mitigate this vulnerability, the immediate step is to avoid using vulnerable versions of 7-Zip (up to and including 26.02) for extracting RAR5 archives, especially from untrusted sources.

If possible, update 7-Zip to a version that addresses this issue once available.

As a workaround, consider manually verifying the Mark-of-the-Web (MotW) on extracted files and inspecting alternate data streams to ensure they have not been tampered with.

Restrict or monitor the use of RAR5 archives from untrusted sources and educate users about the risks of extracting such archives with vulnerable 7-Zip versions.
