Description
bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability ("Zip Slip") exists in bit7z's archive extraction functionality. The library does not adequately validate file paths contained in archive entries, allowing files to be written outside the intended extraction directory through three distinct mechanisms: relative path traversal, absolute path traversal, and symbolic link traversal. An attacker can exploit this by providing a malicious archive to any application that uses bit7z to extract untrusted archives. Successful exploitation results in arbitrary file write with the privileges of the process performing the extraction. This could lead to overwriting of application binaries, configuration files, or other sensitive data. The vulnerability does not directly enable reading of file contents; the confidentiality impact is limited to the calling application's own behavior after extraction. However, applications that subsequently serve or display extracted files may face secondary confidentiality risks from attacker-created symlinks. Fixes have been released in version 4.0.11. If upgrading is not immediately possible, users can mitigate the vulnerability by validating each entry's destination path before writing. Other mitigations include running extraction with least privilege and extracting untrusted archives in a sandboxed directory.
Published: 2026-02-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Write
Action: Immediate Patch
AI Analysis

Impact

bit7z is a C++ static library for handling archive files. A path traversal flaw, also called Zip Slip, exists in versions before 4.0.11. The library fails to validate paths in archive entries, allowing an attacker to create relative, absolute, or symbolic-link paths that cause files to be written outside the target extraction directory. The result is arbitrary overwrite of any file the process can reach, which can modify application binaries, configuration files, or other sensitive data. The vulnerability does not grant direct file read access; any confidentiality risk arises only from how the calling application later uses or displays the extracted files, such as via symlinked content.

Affected Systems

The flaw affects all installations of the rikyoz bit7z library version 4.0.10 and earlier, regardless of the operating system, including any custom applications that embed the library to extract archives. The specific update that removes the issue is version 4.0.11.

Risk and Exploitability

The score of 5.5 indicates a medium-severity risk. Based on the description, it is inferred that the likely attack vector is an attacker supplying a crafted archive to an application that uses bit7z; this is typically possible in services that accept user-uploaded archives. The EPSS value of less than 1% suggests a low probability of observed exploitation, and the flaw is not listed in the CISA KEV catalog. However, successful exploitation results in file write with the process's privileges, allowing potential modification of critical system or application files. The absence of input validation remains the core weakness identified by CWE-22, CWE-23, and CWE-36.

Generated by OpenCVE AI on April 18, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the bit7z library to version 4.0.11 or newer.
  • Validate each archive entry’s destination path before writing files during extraction.
  • Run the extraction process with the least privilege necessary, preferably in a sandboxed directory.
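The two checks the mitigation describes, written here as an added example against std::filesystem (this is not bit7z's own code): a lexical check that covers the relative and absolute mechanisms from the description, and an on-disk check run just before each write that covers the symbolic-link mechanism. The function names and the scratch directory names are assumptions.

```cpp
#include <filesystem>
#include <string>
#include <system_error>
namespace fs = std::filesystem;
// Lexical check (no disk access): reject empty names, absolute names or root
// prefixes ("/etc/x", "C:x"), and any ".." that climbs out of root after normalisation.
bool entryNameIsSafe(const fs::path& root, const std::string& entryName) {
    const fs::path entry(entryName);
    if (entry.empty() || entry.has_root_name() || entry.has_root_directory()) return false;
    const fs::path rootNorm = root.lexically_normal();
    const fs::path rel = (rootNorm / entry).lexically_normal().lexically_relative(rootNorm);
    if (rel.empty() || rel == ".") return false;   // would write onto root itself
    for (const auto& part : rel)
        if (part == "..") return false;            // escaped above root
    return true;
}

// On-disk check, run right before each write: an earlier entry may have planted a
// symlink inside root, so resolve what already exists (weakly_canonical follows
// symlinks in the existing prefix) and require the result to stay below the real root.
bool destinationStaysInsideRoot(const fs::path& root, const std::string& entryName) {
    if (!entryNameIsSafe(root, entryName)) return false;
    std::error_code ec;
    const fs::path rootReal = fs::weakly_canonical(root, ec);
    if (ec) return false;
    const fs::path destReal = fs::weakly_canonical(root / entryName, ec);
    if (ec) return false;
    auto r = rootReal.begin(), d = destReal.begin();
    for (; r != rootReal.end(); ++r, ++d)          // destReal must start with rootReal
        if (d == destReal.end() || *r != *d) return false;
    return d != destReal.end();
}

// Demo of the symlink mechanism on a scratch tree built in the temp directory
// (constructed here, not taken from any archive): "escape" links outside root.
// Returns true if the lexical check passes but the on-disk check rejects the write.
bool symlinkEscapeIsRejected() {
    std::error_code ec;
    const fs::path tmp = fs::temp_directory_path(ec);
    const fs::path root = tmp / "bit7z_zipslip_demo_root", outside = tmp / "bit7z_zipslip_demo_out";
    fs::remove_all(root, ec); fs::remove_all(outside, ec);
    fs::create_directories(root / "safe", ec); fs::create_directories(outside, ec);
    fs::create_directory_symlink(outside, root / "escape", ec);
    if (ec) return false;                            // symlinks unsupported here
    const bool ok = entryNameIsSafe(root, "escape/secret.txt")
                 && !destinationStaysInsideRoot(root, "escape/secret.txt")
                 && destinationStaysInsideRoot(root, "safe/file.txt");
    fs::remove_all(root, ec); fs::remove_all(outside, ec);
    return ok;
}
```

The lexical check alone is not enough: "escape/secret.txt" passes it, and only the on-disk check run at write time catches the symlink that an earlier entry created.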


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 23:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 20:30:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:rikyoz:bit7z:*:*:*:*:*:*:*:*

Wed, 25 Feb 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Rikyoz, Rikyoz bit7z
Vendors & Products | | Rikyoz, Rikyoz bit7z

Tue, 24 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | (the description shown at the top of this page)
Title | | bit7z has a path traversal vulnerability
Weaknesses | | CWE-22, CWE-23, CWE-36
References | |
Metrics | | cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T21:33:40.678Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27117

Vulnrichment

Updated: 2026-02-26T21:06:50.449Z

NVD

Status: Analyzed

Published: 2026-02-24T22:16:32.053

Modified: 2026-02-25T20:29:27.743

Link: CVE-2026-27117

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses