CVE-2026-44722
Received Received - Intake

AE-2 Encryption Bypass in pyzipper

Vulnerability report for CVE-2026-44722, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

pyzipper is a replacement for Python's zipfile that can read and write AES encrypted zip files. Prior to 0.4.0, a Python operator precedence bug in pyzipper/zipfile_aes.py caused the AE-2 format to never be automatically selected during encryption, causing encrypted entries to be written in AE-1 format and exposing the plaintext CRC32 checksum in the ZIP header and, for unseekable zip archives, in the datadescripter section, allowing an attacker who possesses the archive to brute-force candidate plaintexts for small or low-entropy files by comparing CRC32 values. This issue is fixed in version 0.4.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
danifus pyzipper to 0.4.0 (exc)
pyzipper pyzipper to 0.4.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-480 The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is in pyzipper, a Python library for handling AES encrypted ZIP files. Due to a bug, encrypted files were always saved in the weaker AE-1 format instead of the more secure AE-2 format. This exposed the plaintext CRC32 checksum in the ZIP header and data descriptor, allowing attackers to brute-force small or low-entropy files by comparing CRC32 values.

Detection Guidance

To detect this vulnerability, check if your system uses pyzipper versions prior to 0.4.0. Run: pip show pyzipper. If the version is below 0.4.0, the system is vulnerable. Inspect ZIP archives created with pyzipper for unencrypted CRC32 checksums in headers or data descriptors.

Impact Analysis

If you use pyzipper versions before 0.4.0 to encrypt small or low-entropy files, an attacker who obtains the encrypted ZIP file could potentially recover the original plaintext by brute-forcing CRC32 checksums. This risks unauthorized access to sensitive data in those files.

Compliance Impact

This vulnerability exposes plaintext CRC32 checksums in encrypted ZIP archives, allowing brute-force attacks on small or low-entropy files. For compliance standards like GDPR or HIPAA, which require protection of sensitive data, this could lead to unauthorized access to encrypted content, violating confidentiality requirements and potentially resulting in non-compliance.

Mitigation Strategies

Upgrade pyzipper to version 0.4.0 or later using: pip install --upgrade pyzipper. Recreate any ZIP archives created with vulnerable versions to remove exposed CRC32 checksums. Avoid using vulnerable versions for encrypting sensitive files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44722. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart