Impact
7‑Zip for Windows, in versions up to and including 26.02, fails to preserve the Mark‑of‑the‑Web (the Zone.Identifier alternate data stream) when extracting a specially crafted RAR5 archive. The extractor only suppresses a stream record named exactly Zone.Identifier. A RAR5 stream record whose name resolves on NTFS to :Zone.Identifier:$DATA is not blocked; NTFS canonicalizes it to the same stream, so the content carried in the archive overwrites the Internet‑zone marker (for example with ZoneId=0, the Local Machine zone). A subsequent record named :$DATA then overwrites the file's unnamed default data stream, replacing the content of the extracted file. Together these let an attacker defeat SmartScreen and Mark‑of‑the‑Web warnings and substitute a malicious payload for the file the user believes they extracted. The flaw is classified as CWE‑693 (Protection Mechanism Failure).
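The two checks contrasted above, as an added illustration in Python; this is not 7‑Zip's code. It models the alternate‑data‑stream records of one archive entry as (suffix, content) pairs, where the suffix is the text appended to the file name to open the stream, and writes them onto a simulated NTFS file after the extractor has applied the Internet‑zone marker. It uses the full NTFS syntax ::$DATA for the unnamed data stream that the summary above writes as :$DATA. The filter names, the record layout and the sample stream contents are constructed for the example.

```python
"""Naive vs. canonicalizing Zone.Identifier filter (added example, not 7-Zip code)."""
import re

# Windows URL security zone ids as written in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def canonical_stream_name(suffix):
    """Canonicalize an NTFS stream suffix of the form ':<stream>[:<type>]'.

    The type defaults to $DATA and both parts compare case-insensitively, so
    ':Zone.Identifier', ':Zone.Identifier:$DATA' and ':zone.identifier' all
    name the same stream. An empty stream name ('::$DATA') is the unnamed
    default data stream, i.e. the file's own contents. Returns the lowercased
    stream name, or None for non-$DATA types, which cannot carry file content.
    (.lower() approximates NTFS's case-insensitive compare for ASCII names.)
    """
    if not suffix.startswith(":"):
        raise ValueError("expected a stream suffix beginning with ':'")
    parts = suffix[1:].split(":")
    if len(parts) > 2:
        raise ValueError("too many ':' in stream suffix")
    stream = parts[0]
    stype = parts[1] if len(parts) == 2 else "$DATA"
    if stype.upper() != "$DATA":
        return None
    return stream.lower()


def naive_filter(records):
    """Weak check: skip only a record whose suffix is literally ':Zone.Identifier'."""
    return [(s, c) for s, c in records if s != ":Zone.Identifier"]


def hardened_filter(records):
    """Canonicalize first; skip anything that resolves to Zone.Identifier,
    to the unnamed data stream, or to a non-data stream type."""
    kept = []
    for suffix, content in records:
        canon = canonical_stream_name(suffix)
        if canon is None or canon in ("", "zone.identifier"):
            continue
        kept.append((suffix, content))
    return kept


def write_streams(streams, records):
    """Simulate NTFS writes: a later record overwrites an earlier stream with the same canonical name."""
    for suffix, content in records:
        canon = canonical_stream_name(suffix)
        if canon is not None:
            streams[canon] = content
    return streams


def zone_id(streams):
    """Parse ZoneId from the [ZoneTransfer] section of the Zone.Identifier stream (None if absent)."""
    data = streams.get("zone.identifier")
    if data is None:
        return None
    m = re.search(r"^ZoneId=(\d+)\s*$", data, re.MULTILINE)
    return int(m.group(1)) if m else None


# Constructed sample entry: benign file data plus three crafted ADS records.
INTERNET_MOTW = "[ZoneTransfer]\r\nZoneId=3\r\n"
SPOOFED_MOTW = "[ZoneTransfer]\r\nZoneId=0\r\n"
MALICIOUS_RECORDS = [
    (":Zone.Identifier", SPOOFED_MOTW),        # blocked by both filters
    (":Zone.Identifier:$DATA", SPOOFED_MOTW),  # same stream; slips past the naive filter
    ("::$DATA", "malicious payload"),          # unnamed stream: replaces the file contents
]


def extract(records, filter_fn):
    """Model extraction of one entry: write the file data, apply the Internet-zone
    marker (as an extractor does for a downloaded archive), then write the filtered
    ADS records carried in the archive."""
    streams = {"": "benign contents", "zone.identifier": INTERNET_MOTW}
    return write_streams(streams, filter_fn(records))


if __name__ == "__main__":
    for label, filt in (("naive", naive_filter), ("hardened", hardened_filter)):
        result = extract(MALICIOUS_RECORDS, filt)
        zid = zone_id(result)
        # naive: zone=0 (Local Machine), data='malicious payload'
        # hardened: zone=3 (Internet), data='benign contents'
        print(f"{label:8s} zone={zid} ({ZONE_NAMES.get(zid)}) data={result['']!r}")
```

The hardened filter decides on the canonical name rather than on the bytes in the archive, which is the property the naive check lacks; any record that would land on the Zone.Identifier stream or on the file's own data stream is dropped regardless of how it is spelled.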
Affected Systems
All Windows installations of 7‑Zip version 26.02 or earlier are affected, in both the installer and portable editions. The issue lies in 7‑Zip's extraction engine on Windows, where the Mark‑of‑the‑Web is carried in an NTFS alternate data stream; it does not affect 7‑Zip on other operating systems or other archive tools.
Risk and Exploitability
With a CVSS score of 4.8, the flaw is rated medium severity. Exploitation requires the victim to extract a malicious RAR5 archive with 7‑Zip, so this is not remote code execution, but it can lead to the silent deployment of attacker‑controlled files that carry no Internet‑zone marker. No EPSS information is available and the issue is not listed in CISA's KEV catalog, but open‑source proof‑of‑concept code shows that the attack can be carried out manually. Because the loss of the Internet‑zone marker lets extracted files bypass Windows SmartScreen and other zone‑aware defenses, the risk to users who routinely extract untrusted archives is significant.
OpenCVE Enrichment