Description
bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in version 4.0.12.
Published: 2026-06-10
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

bit7z allows compression and extraction of archive files. A flaw in versions prior to 4.0.12 permits an attacker to overwrite arbitrary files by creating a symlink that points to a target file before the archive is updated, exploiting the predictable temporary file names. This results in the compromised file being replaced with data supplied by the attacker, thereby enabling data tampering, privilege escalation, or denial of service. The weakness corresponds to CWE‑377 and CWE‑59.

Affected Systems

The vulnerable code resides in the bit7z cross‑platform C++ library. Any application that links to bit7z and performs archive updates while running as a privileged user is susceptible. Versions earlier than 4.0.12 are impacted; the fix was introduced in release 4.0.12.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no current widespread exploitation. The attack likely requires local file‑system access to place the symlink before the update process runs; if the library is used in a service with elevated privileges, a local attacker could coerce the service to perform the update and overwrite critical files. The threat level remains moderate but warrants prompt remediation.

Generated by OpenCVE AI on June 10, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade bit7z to version 4.0.12 or newer, as the fix resolves the predictable temporary file flaw.
  • If upgrading is not feasible, configure the application to write temporary files to a protected directory and validate file names to prevent symlink exploitation.
  • Run any processes that invoke the archive update with the minimum required privileges and enforce strict write permissions on the temporary directory to block unauthorized symlink creation.

Generated by OpenCVE AI on June 10, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Rikyoz
Rikyoz bit7z
Vendors & Products Rikyoz
Rikyoz bit7z

Wed, 10 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
Description bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, there is an arbitrary file overwrite vulnerability via symlink attack on predictable temp files during archive update. This issue has been patched in version 4.0.12.
Title bit7z: Arbitrary File Overwrite via Symlink Attack on Predictable Temp File During Archive Update
Weaknesses CWE-377
CWE-59
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}

Subscriptions

Rikyoz Bit7z
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:00:19.899Z

Reserved: 2026-05-12T00:51:29.087Z

Link: CVE-2026-45384

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T22:16:58.377

Modified: 2026-06-10T22:16:58.377

Link: CVE-2026-45384

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T23:15:28Z

Weaknesses