CVE-2026-27117

Name of the Vulnerable Software and Affected Versions bit7z versions prior to 4.0.11

Description bit7z is a cross-platform C++ static library used for archive compression and extraction. A path traversal flaw ("Zip Slip") exists in the archive extraction functionality prior to version 4.0.11. The library insufficiently validates file paths within archive entries, potentially allowing files to be written outside the intended extraction directory through relative path traversal, absolute path traversal, and symbolic link traversal. An attacker can exploit this by providing a malicious archive to an application using bit7z to extract untrusted archives, leading to arbitrary file write with the privileges of the process performing the extraction. This could result in overwriting application binaries, configuration files, or other sensitive data. The vulnerability does not directly enable reading of file contents, but applications that subsequently serve or display extracted files may face secondary confidentiality risks from attacker-created symlinks.

Recommendations Update to version 4.0.11 or later. As a temporary workaround, validate each archive entry's destination path before writing. Run extraction with least privilege. Extract untrusted archives in a sandboxed directory.