CVE-2005-3215
Description
Multiple interpretation error in unspecified versions of McAfee Antivirus allows remote attackers to bypass virus detection via a malicious executable in a specially crafted RAR file with malformed central and local headers, which can still be opened by products such as Winrar and PowerZip, even though they are rejected as corrupted by Winzip and BitZipper.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Multiple interpretation error: antivirus engines parse the RAR file differently than archivers like WinRAR and PowerZip, so malformed central/local headers cause the AV to reject the file while the archiver still extracts the malicious payload."
Attack vector
An attacker crafts a RAR archive with deliberately malformed central and local headers. Antivirus software (including McAfee) interprets the corruption as an invalid archive and skips scanning the embedded executable, while archivers such as WinRAR and PowerZip still open and extract the file [ref_id=1]. The malicious content (e.g., EICAR test file) is then delivered to the victim without detection. The attack requires no special privileges beyond the ability to deliver the crafted archive to the target.
Affected code
The advisory does not specify exact function names or file paths. The vulnerability lies in the RAR parsing logic of the affected antivirus products, specifically how they handle malformed central and local headers in RAR archives [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not provide a fix; it only documents the bypass technique [ref_id=1]. Remediation would require antivirus vendors to align their RAR parser logic with the archivers that users actually employ (e.g., WinRAR, PowerZip), so that malformed headers are handled consistently and the embedded content is still scanned.
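A complementary scanner-side policy, shown as an added example (not code from the advisory or from any vendor): if a file carries a RAR signature but a strict header walk fails, quarantine it rather than treating it as clean. The code assumes the generic RAR 4.x block header layout (HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE, optional ADD_SIZE) and ignores RAR5 and self-extracting archives; `walk_blocks`, `triage`, `_block` and the sample bytes are hypothetical names and constructed data.

```python
import struct
import zlib
from enum import Enum

RAR4_MAGIC = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x marker block
HAS_ADD_SIZE = 0x8000              # flag: 4-byte ADD_SIZE follows the 7-byte header

class Verdict(Enum):
    NOT_RAR = "not RAR: route to other handlers"
    SCAN = "well-formed: scan every member"
    QUARANTINE = "RAR signature but strict parse failed: fail closed"

def walk_blocks(data: bytes) -> list:
    """Strictly walk RAR 4.x blocks; raise ValueError on any inconsistency."""
    pos, blocks = len(RAR4_MAGIC), []
    while pos < len(data):
        if pos + 7 > len(data):
            raise ValueError("truncated block header")
        crc, htype, flags, size = struct.unpack_from("<HBHH", data, pos)
        need = 11 if flags & HAS_ADD_SIZE else 7
        if size < need or pos + size > len(data):
            raise ValueError("HEAD_SIZE out of range")
        add = struct.unpack_from("<I", data, pos + 7)[0] if flags & HAS_ADD_SIZE else 0
        # HEAD_CRC is the low 16 bits of CRC32 over the header after the CRC field.
        if zlib.crc32(data[pos + 2:pos + size]) & 0xFFFF != crc:
            raise ValueError("header CRC mismatch")
        if pos + size + add > len(data):
            raise ValueError("block data runs past end of file")
        blocks.append((htype, pos, size, add))
        pos += size + add
    return blocks

def triage(data: bytes) -> Verdict:
    if not data.startswith(RAR4_MAGIC):
        return Verdict.NOT_RAR
    try:
        walk_blocks(data)
    except ValueError:
        return Verdict.QUARANTINE   # never treat "could not parse" as "clean"
    return Verdict.SCAN

def _block(htype: int, flags: int, body: bytes, payload: bytes = b"") -> bytes:
    """Build one constructed test block with a correct header CRC."""
    rest = struct.pack("<BHH", htype, flags, 7 + len(body)) + body
    return struct.pack("<H", zlib.crc32(rest) & 0xFFFF) + rest + payload

# Constructed samples: minimal blocks that exercise only the generic header fields.
PAYLOAD = b"constructed-member-bytes"
GOOD = (RAR4_MAGIC + _block(0x73, 0, b"\x00" * 6)
        + _block(0x74, HAS_ADD_SIZE, struct.pack("<I", len(PAYLOAD)), PAYLOAD))
BAD = GOOD[:7] + bytes([GOOD[7] ^ 0xFF]) + GOOD[8:]   # damaged header CRC
```

In a mail or web gateway, the `QUARANTINE` verdict is the one that matters: the file is held or blocked even though no signature matched, because an archiver on the endpoint may still open it.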
Preconditions
- input: Attacker must deliver a specially crafted RAR file with malformed central and local headers.
- config: Target must use an antivirus product (e.g., McAfee) that rejects the malformed archive instead of scanning its contents.
- config: Target must use an archiver (e.g., WinRAR, PowerZip) that still opens and extracts the malformed archive.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.