PatchSiren cyber security CVE debrief
CVE-2026-45380 rikyoz CVE debrief
CVE-2026-45380 is a LOW severity vulnerability in bit7z, a C++ static library for compressing and extracting archive files. An attacker can craft a malicious .7z archive that, when extracted with bit7z on non-Windows platforms, creates a symlink outside the intended output directory. This allows subsequent archive entries to write arbitrary files outside the extraction directory with the permissions of the extracting process. The issue was patched in version 4.0.12.
- Vendor: rikyoz
- Product: bit7z
- CVSS: LOW 3.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of the bit7z library, especially those extracting archives from untrusted sources, should update to version 4.0.12 or later to mitigate this vulnerability.
Technical summary
A one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a malicious .7z archive. When extracted on non-Windows platforms, this archive creates a symlink that escapes the intended output directory. Subsequent archive entries can then write arbitrary files outside the extraction directory.
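As an added illustration (not bit7z's code and not a reconstruction of the patched function), the C++ below shows the kind of lexical containment check an extractor needs before materialising a symlink entry: it resolves the link target relative to the link's own directory and compares path components against the output root rather than a string prefix, so a target landing in a sibling such as /outside is rejected along with .. escapes. The function names (symlinkStaysInside, isWithin, normalizeDir) and the sample paths are assumptions constructed for this example.

```cpp
#include <filesystem>
#include <iostream>

namespace fs = std::filesystem;

// Normalise a directory path and drop any trailing separator so that the
// component-wise comparison below treats "/out" and "/out/" the same.
static fs::path normalizeDir(const fs::path& p) {
    fs::path n = p.lexically_normal();
    return n.has_filename() ? n : n.parent_path();
}

// True when `p` is `root` itself or lies below it, judged by path
// components, not a string prefix: "/outside/x" is NOT within "/out".
static bool isWithin(const fs::path& root, const fs::path& p) {
    const fs::path rel = p.lexically_relative(root);
    return !rel.empty() && rel.begin()->string() != "..";
}

// Decide, without touching the filesystem, whether a symlink archive entry
// `entryPath` (relative to the archive root) pointing at `target` may be
// created under `outRoot`. Hypothetical helper, not part of the bit7z API.
bool symlinkStaysInside(const fs::path& outRoot,
                        const fs::path& entryPath,
                        const fs::path& target) {
    if (target.is_absolute()) return false;   // can point anywhere at all
    const fs::path root = normalizeDir(outRoot);
    const fs::path link = (root / entryPath).lexically_normal();
    // A symlink target resolves relative to the directory holding the link.
    const fs::path resolved = (link.parent_path() / target).lexically_normal();
    return isWithin(root, link) && isWithin(root, resolved);
}

int main() {
    // Constructed sample entries; the second and third show the escape
    // pattern the advisory describes (a link leaving the output directory).
    std::cout << symlinkStaysInside("/out", "docs/link", "../readme.txt") << '\n';
    std::cout << symlinkStaysInside("/out", "docs/link", "../../etc/passwd") << '\n';
    std::cout << symlinkStaysInside("/out", "link", "../outside/x") << '\n';
    return 0;
}
```

A lexical check like this must run before every symlink entry is created; it does not by itself stop a later entry from writing through an in-tree symlink that already exists, so an extractor should also resolve each entry's parent directory with the real filesystem (or refuse symlink entries outright) before opening a file for writing.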
Defensive priority
LOW
Recommended defensive actions
- Update bit7z to version 4.0.12 or later.
- Be cautious when extracting archives from untrusted sources.
Evidence notes
CVE-2026-45380 has a CVSS score of 3.6 and is classified as LOW severity. The vulnerability was published on 2026-06-10T22:16:58.207Z and last modified on 2026-06-11T16:16:23.210Z.