CVE-2026-45380
Description
bit7z versions prior to 4.0.12 allow path traversal via crafted symlinks in .7z archives, enabling arbitrary file writes on non-Windows platforms.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
bit7z, a C++ static library for archive compression/extraction, is vulnerable to path traversal in versions prior to 4.0.12. A one-byte off-by-one error in the SafeOutPathBuilder::restoreSymlink() function allows an attacker to craft a .7z archive. When extracted on any non-Windows platform, this archive can create a symlink that escapes the intended output directory. This occurs because std::istream::getline extracts characters including the delimiter, and resize(gcount()) results in an embedded null byte that bypasses path sanitization checks [1].
Exploitation
An attacker must provide a specially crafted .7z archive to a victim. The victim must then extract this archive using a vulnerable version of bit7z on a non-Windows operating system. The archive contains a symlink entry with a target path that includes a null byte, such as ..\0. This crafted symlink bypasses the filesystem::sanitize_path_join and filesystem::path_is_outside_base checks. Subsequent archive entries extracted through this symlink will be written to an arbitrary location outside the intended extraction directory [1, 2].
Impact
Successful exploitation allows an attacker to write arbitrary files to any location on the filesystem that the extracting process has write permissions for. On POSIX platforms, the traversal is limited to at most the parent directory of the extraction path. The attacker gains the ability to overwrite existing files or create new ones, potentially leading to system compromise depending on the target file's location and permissions [1, 2].
Mitigation
This vulnerability has been fixed in bit7z version 4.0.12, released on 2026-06-10. Updating to version 4.0.12 or later is strongly recommended. No workarounds are specified for older versions [2].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"A one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that creates a symlink escaping the intended output directory."
Attack vector
An attacker can craft a malicious .7z archive containing a symlink with a target path that escapes the extraction directory. When this archive is extracted by bit7z on a non-Windows platform, the crafted symlink is created. Subsequent archive entries intended for extraction through this symlink will be written outside the intended output directory, with the permissions of the extracting process [1]. This allows for arbitrary file writes, potentially leading to code execution or privilege escalation [1].
Affected code
The vulnerability resides in the `SafeOutPathBuilder::restoreSymlink()` function within `src/internal/fsutil.cpp`. Specifically, lines 606-616 are affected, where `std::istream::getline` and subsequent `resize(gcount())` lead to an off-by-one error and an embedded null byte in the target path string [1]. This malformed path bypasses security checks in `filesystem::sanitize_path_join` and `filesystem::path_is_outside_base` [1].
What the fix does
The patch modifies the way the target path for symlinks is read and resized. Instead of using `ifs.gcount()`, which includes the delimiter and results in an oversized buffer with an embedded null byte, the fix uses `std::getline(ifs, targetPath)`. This free function correctly sizes the string without including the delimiter, preventing the null byte bypass of path safety checks and thus closing the vulnerability [1].
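The off-by-one described under "Affected code" and the std::getline fix described above, as an added example that is not bit7z's code: it reads a constructed symlink-entry stream both ways and runs a simplified component check that stands in for the library's own sanitization. The check, the 4096-byte buffer and the default '\n' delimiter are assumptions.

```cpp
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>

// Constructed sample: contents of the symlink entry, the target ".." plus a newline.
const std::string kSymlinkEntryData = "..\n";

// Pre-4.0.12 pattern as described above (reconstructed, not bit7z's code).
// gcount() counts the extracted '\n', so resize() keeps the NUL that
// std::istream::getline wrote after the characters: one byte too long.
std::string readTargetBuggy(std::istream& ifs) {
    std::string target(4096, '\0');  // assumed fixed buffer size
    ifs.getline(&target[0], static_cast<std::streamsize>(target.size()));
    target.resize(static_cast<std::size_t>(ifs.gcount()));  // off by one
    return target;
}

// 4.0.12 pattern: std::getline sizes the string to the characters before
// the delimiter only, so nothing is embedded.
std::string readTargetFixed(std::istream& ifs) {
    std::string target;
    std::getline(ifs, target);
    return target;
}

// Simplified stand-in for a path check (assumption, not bit7z's
// sanitize_path_join or path_is_outside_base): no component may equal "..".
bool looksSafe(const std::string& path) {
    std::size_t start = 0;
    while (start <= path.size()) {
        std::size_t end = path.find('/', start);
        if (end == std::string::npos) end = path.size();
        if (path.substr(start, end - start) == "..") return false;
        start = end + 1;
    }
    return true;  // "..\0" is not byte-equal to "..", so it passes
}

// A C API such as symlink(2) gets path.c_str() and stops at the first NUL,
// so the kernel sees a different path than the check above did.
std::string asSeenByOs(const std::string& path) { return std::string(path.c_str()); }
std::string demoBuggy() { std::istringstream in(kSymlinkEntryData); return readTargetBuggy(in); }
std::string demoFixed() { std::istringstream in(kSymlinkEntryData); return readTargetFixed(in); }

int main() {
    std::string b = demoBuggy();
    std::cout << "buggy: len " << b.size() << " check " << looksSafe(b)
              << " os sees '" << asSeenByOs(b) << "'; fixed: len " << demoFixed().size() << '\n';
}
```

The buggy read yields a three-byte string ending in NUL that the string-level check accepts while the OS would resolve it as "..", whereas the fixed read yields ".." and is rejected.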
Preconditions
- input: The attacker must be able to deliver a specially crafted .7z archive to the victim.
- config: The extraction must occur on a non-Windows platform.
Reproduction
Step 1: Craft the malicious archive using the provided Python script.
Step 2: Extract the crafted archive using a C++ harness that utilizes bit7z.
Step 3: Observe that a symlink is created outside the extraction directory, and a subsequent file is written to an arbitrary location, overwriting a sensitive file like `.bashrc` [1].
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.