Description
bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12.
Published: 2026-06-10
Score: 3.6 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A one‑byte off‑by‑one error in bit7z’s SafeOutPathBuilder::restoreSymlink() allows a malicious .7z archive to forge a symlink that escapes the intended extraction directory. When the archive is extracted on non‑Windows platforms, subsequent entries written through that symlink can create or overwrite arbitrary files with the permissions of the extracting process, enabling a compromise of confidentiality and integrity.

Affected Systems

The affected product is rikyoz:bit7z. All non‑Windows installations running any version prior to 4.0.12 are susceptible, while version 4.0.12 and later contain the fix.

Risk and Exploitability

The CVSS score of 3.6 indicates moderate severity and the EPSS score is not reported, suggesting limited publicly available exploitation data. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is local: an attacker who can supply an archive and trigger extraction on a vulnerable system can force the creation of files outside the intended directory.

Generated by OpenCVE AI on June 10, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade bit7z to version 4.0.12 or later.
  • If an upgrade is not immediately possible, configure your environment to disable symlink creation or strip symlinks from archives before extraction.
  • Ensure that only trusted archives are processed and audit extraction directories for unexpected file changes.

Generated by OpenCVE AI on June 10, 2026 at 23:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Rikyoz
Rikyoz bit7z
Vendors & Products Rikyoz
Rikyoz bit7z

Wed, 10 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12.
Title bit7z: Path Traversal via Null Byte Injection from `gcount()` Off-by-One in `restoreSymlink()`
Weaknesses CWE-193
CWE-22
References
Metrics cvssV3_1

{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L'}

Subscriptions

Rikyoz Bit7z
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:00:24.177Z

Reserved: 2026-05-12T00:51:29.086Z

Link: CVE-2026-45380

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T22:16:58.207

Modified: 2026-06-10T22:16:58.207

Link: CVE-2026-45380

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:15:28Z

Weaknesses